[ANN] Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.3

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers two security issues that have recently been
fixed in the Bugzilla code:

+ A possible cross-site scripting (XSS) vulnerability in Atom feeds
  produced by Bugzilla.

+ The web server settings that Bugzilla ships to protect its data files
  from access via the web are overridden by the mod_perl startup script
  when Bugzilla runs under mod_perl (development snapshot only).

We strongly advise that 2.20.x users should upgrade to 2.20.4. 2.22
users, and users of 2.16.x or below, should upgrade to 2.22.2. Versions
2.18.x are not affected by either of these vulnerabilities.

Development snapshots of 2.23 before 2.23.4 are also vulnerable to all
of these issues. If you are using a development snapshot, you should
upgrade to 2.23.4, use CVS to update, or apply the patches from the
specific bugs listed below.

Vulnerability Details
=====================

Issue 1
-------
Class:       Cross-Site Scripting
Versions:    2.20.1 and above
Description: Bugzilla does not properly escape some fields in generated
             Atom feeds, which leads to the potential for cross-site
             scripting in feed readers that support JavaScript and
             properly implement the Atom feed specification.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=3D367674
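As an added illustration of Issue 1 (this is example code written for this advisory text, not Bugzilla's own feed generator), the block below builds a minimal Atom feed from constructed bug records in two ways: the weak pattern, where field values are pasted into the feed verbatim, and the hardened pattern, where every interpolated field is XML-escaped at the point of use. Parsing both feeds back the way a conforming reader would shows the difference: in the weak feed a summary containing markup turns into real child elements of <title>, while in the hardened feed the title is character data only. The installation URL and the bug records are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ATOM_NS = "{http://www.w3.org/2005/Atom}"
FEED_BASE = "https://bugzilla.example.com/"   # assumed installation URL

# Constructed sample bug records (not real Bugzilla data). The second
# summary carries markup of the kind that must never reach a feed reader
# as markup.
SAMPLE_BUGS = [
    {"id": 1, "summary": "Crash on startup", "reporter": "alice@example.com"},
    {"id": 2, "summary": "Title with <script>alert(1)</script>",
     "reporter": "bob@example.com"},
]


def entry_unescaped(bug):
    """The weak pattern the advisory describes: field values are pasted
    into the feed verbatim, so any markup in a summary becomes markup in
    the feed. (A summary containing a bare '&' would additionally make
    the whole feed malformed XML.)"""
    return (f'<entry><title>{bug["summary"]}</title>'
            f'<id>{FEED_BASE}show_bug.cgi?id={bug["id"]}</id>'
            f'<author><name>{bug["reporter"]}</name></author></entry>')


def entry_escaped(bug):
    """Hardened form: every interpolated field is XML-escaped, the title is
    declared type="text" so readers treat it as plain text, and the bug id
    is forced to an integer before interpolation."""
    return (f'<entry><title type="text">{escape(bug["summary"])}</title>'
            f'<id>{escape(FEED_BASE)}show_bug.cgi?id={int(bug["id"])}</id>'
            f'<author><name>{escape(bug["reporter"])}</name></author></entry>')


def build_feed(bugs, entry_fn):
    """Wrap the entries produced by entry_fn in a minimal Atom document."""
    body = "".join(entry_fn(b) for b in bugs)
    return ('<feed xmlns="http://www.w3.org/2005/Atom">'
            '<title>Bugzilla bug list</title>' + body + '</feed>')


def inspect_titles(feed_xml):
    """Parse the feed as a conforming reader would and return, for each
    entry, the title's text and the number of child elements it has.
    A non-zero child count means the title contains real markup rather
    than character data."""
    root = ET.fromstring(feed_xml)
    result = []
    for entry in root.findall(ATOM_NS + "entry"):
        title = entry.find(ATOM_NS + "title")
        result.append((title.text or "", len(list(title))))
    return result


if __name__ == "__main__":
    print("unescaped:", inspect_titles(build_feed(SAMPLE_BUGS, entry_unescaped)))
    print("escaped:  ", inspect_titles(build_feed(SAMPLE_BUGS, entry_escaped)))
```

The escaping has to happen on every field at the point of interpolation; escaping the summary alone and forgetting the reporter name or the id would leave the same hole in a different element.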

Issue 2
-------
Class:       Database password disclosure
Versions:    2.23.3 only
Description: Bugzilla development snapshot version 2.23.3 introduced
             the ability to run Bugzilla under mod_perl on Apache.
             The mod_perl initialization script included with Bugzilla
             defines a new <Directory> block in the Apache configuration
             for the directory containing Bugzilla. This block fails to
             include permission for .htaccess files to override file
             access permissions.  The .htaccess file shipped with
             Bugzilla prohibits access by web browsers to read the
             localconfig file, which contains the username and password
             for connecting to the database server.
             If you are not running Bugzilla under mod_perl, then this
             does not affect you.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=3D367071
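As an added example for Issue 2 (written for this advisory text; the configuration fragments are constructed stand-ins and not taken from Bugzilla's mod_perl startup script), the block below puts the weak <Directory> block, which carries no AllowOverride line, beside the corrected one, which grants AllowOverride Limit, and models what happens to a .htaccess that denies access to localconfig under each. It also includes a small lint that lists <Directory> blocks lacking the grant. Assumptions: Apache 2.2-era semantics, where the Order/Deny directives in .htaccess require AllowOverride Limit (or All), an enclosing configuration that grants no overrides, and the install path shown.

```python
import re

# Assumed install path; the Apache fragments below are constructed
# stand-ins for what the advisory describes, not text from Bugzilla.
BUGZILLA_DIR = "/var/www/html/bugzilla"

# Weak form: the block for the Bugzilla directory carries no AllowOverride,
# so (with the usual "AllowOverride None" on the enclosing <Directory />)
# the shipped .htaccess is never consulted.
WEAK_BLOCK = f'''
<Directory "{BUGZILLA_DIR}">
    AddHandler perl-script .cgi
    Options +ExecCGI
</Directory>
'''

# Corrected form: AllowOverride Limit lets .htaccess use Order/Deny,
# which is what the localconfig protection relies on.
FIXED_BLOCK = f'''
<Directory "{BUGZILLA_DIR}">
    AddHandler perl-script .cgi
    Options +ExecCGI
    AllowOverride Limit
</Directory>
'''

# A .htaccess of the shape the advisory describes (constructed).
HTACCESS = '''
<Files localconfig>
    Order allow,deny
    Deny from all
</Files>
'''

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
                          re.S | re.I)
FILES_RE = re.compile(r'<Files\s+"?localconfig"?\s*>(.*?)</Files>', re.S | re.I)


def directory_blocks(config):
    """Map each <Directory> path to its directive lines (comments dropped)."""
    blocks = {}
    for match in DIRECTORY_RE.finditer(config):
        path, body = match.group(1), match.group(2)
        lines = [ln.strip() for ln in body.splitlines()]
        blocks[path] = [ln for ln in lines if ln and not ln.startswith("#")]
    return blocks


def allow_override_grants(lines):
    """Override categories granted by the block's last AllowOverride line
    (lower-cased); empty when the block has none."""
    grants = set()
    for line in lines:
        parts = line.split()
        if parts and parts[0].lower() == "allowoverride":
            grants = {p.lower() for p in parts[1:]}
    return grants


def htaccess_applies(lines):
    """Apache 2.2 rule: Order/Allow/Deny in .htaccess need Limit (or All)."""
    return bool(allow_override_grants(lines) & {"all", "limit"})


def htaccess_protects_localconfig(htaccess):
    """True when a <Files localconfig> section contains 'Deny from all'."""
    match = FILES_RE.search(htaccess)
    return bool(match) and re.search(r'^\s*Deny\s+from\s+all\s*$',
                                     match.group(1), re.M | re.I) is not None


def localconfig_exposed(config, htaccess, bugzilla_dir):
    """Model whether a browser could fetch localconfig. The .htaccess rule
    counts only if the directory block lets it take effect; a missing block
    is treated as no override permission (assumption, see above)."""
    lines = directory_blocks(config).get(bugzilla_dir)
    if lines is None or not htaccess_applies(lines):
        return True
    return not htaccess_protects_localconfig(htaccess)


def audit(config):
    """Lint: paths of <Directory> blocks that do not themselves grant
    AllowOverride Limit or All."""
    return [path for path, lines in directory_blocks(config).items()
            if not htaccess_applies(lines)]


if __name__ == "__main__":
    for name, block in (("weak", WEAK_BLOCK), ("fixed", FIXED_BLOCK)):
        print(name, "exposed:", localconfig_exposed(block, HTACCESS, BUGZILLA_DIR),
              "findings:", audit(block))
```

The model is deliberately narrow: it only answers whether the .htaccess rule can take effect at all. After upgrading, the practical check remains to request localconfig from your own installation through a browser and confirm the server refuses it.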


Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are
included in the 2.20.4, 2.22.2, and 2.23.4 releases. Upgrading to these
releases will protect installations from possible exploits of these
issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
=======

The Bugzilla team wishes to thank the following people for their
assistance in locating, reporting, and fixing these issues:

Frédéric Buclin
Dave Miller
Olav Vitters
Max Kanat-Alexander

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
Max
2/3/2007 12:56:58 AM
mozilla.support.bugzilla
