[ANN] Security Advisory for Bugzilla 3.4.3 and 3.5.1

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects.

* Aliases of hidden bugs would show up in the "Depends On" and "Blocks"
  list of other bugs, even if you didn't have permission to see the
  hidden bugs.

All affected installations are encouraged to upgrade as soon as
possible.

Vulnerability Details
=====================

Class:       Information Leak
Versions:    3.3.2 to 3.4.3, 3.5 to 3.5.1
Fixed In:    3.4.4, 3.5.2
Description: When a bug is in a group, none of its information
             (other than its status and resolution) should be visible
             to users outside that group. It was discovered that
             as of 3.3.2, Bugzilla was showing the alias of the bug
             (a very short string used as a shortcut for looking up
             the bug) to users outside of the group, if the protected
             bug ended up in the "Depends On" or "Blocks" list of any
             other bug.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=529416
CVE Number:  CVE-2009-3386
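As an added illustration (not the advisory's or Bugzilla's own code), the following Python models the leak described above and its fix: a bug restricted to a group is listed in another bug's "Depends On" and "Blocks" lists, the vulnerable renderer emits its alias to everyone, and the fixed renderer exposes only id, status and resolution to non-members. The bugs, aliases and the rule that a viewer must belong to every restricting group are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample model of the leak; illustrative code, not Bugzilla's
# implementation. Assumption: a viewer must belong to every restricting group.

@dataclass
class Bug:
    bug_id: int
    status: str
    resolution: str
    alias: Optional[str] = None
    groups: Set[str] = field(default_factory=set)   # empty set = public bug
    depends_on: List[int] = field(default_factory=list)
    blocks: List[int] = field(default_factory=list)

def can_see(bug: Bug, user_groups: Set[str]) -> bool:
    return bug.groups <= user_groups

def entry_vulnerable(bug: Bug, user_groups: Set[str]) -> Dict[str, str]:
    """3.3.2 to 3.4.3 behaviour: the alias is emitted for every listed bug."""
    entry = {"id": str(bug.bug_id), "status": bug.status, "resolution": bug.resolution}
    if bug.alias:
        entry["alias"] = bug.alias
    return entry

def entry_fixed(bug: Bug, user_groups: Set[str]) -> Dict[str, str]:
    """Fixed behaviour: a hidden bug exposes only id, status and resolution."""
    entry = {"id": str(bug.bug_id), "status": bug.status, "resolution": bug.resolution}
    if bug.alias and can_see(bug, user_groups):
        entry["alias"] = bug.alias
    return entry

def render_dependencies(bug, bugs, user_groups, entry_fn):
    return {
        "Depends On": [entry_fn(bugs[i], user_groups) for i in bug.depends_on],
        "Blocks": [entry_fn(bugs[i], user_groups) for i in bug.blocks],
    }

def leaked_aliases(rendered, bugs, user_groups) -> List[str]:
    """Audit helper: aliases present in the rendered lists that the viewer may not see."""
    leaks = []
    for entries in rendered.values():
        for e in entries:
            if "alias" in e and not can_see(bugs[int(e["id"])], user_groups):
                leaks.append(e["alias"])
    return leaks

# Constructed sample: bug 2 is restricted to the "security" group.
BUGS = {
    1: Bug(1, "NEW", "", alias="public-one", depends_on=[2, 3]),
    2: Bug(2, "ASSIGNED", "", alias="embargoed-issue", groups={"security"}, blocks=[1]),
    3: Bug(3, "RESOLVED", "FIXED", alias="other", blocks=[1]),
}
```

Running `leaked_aliases` over the output of both renderers for a user with no groups reports the restricted alias for the vulnerable renderer and nothing for the fixed one.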

Vulnerability Solutions
=======================

The fix for this issue is included in the 3.4.4 and 3.5.2
releases. Upgrading to a release with the relevant fix will protect
your installation from possible exploits of this issue.

If you are unable to upgrade but would like to patch just the
individual security vulnerability, there is a patch available for
the issue in the Reference URL of the advisory.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:

Dave Miller
Frédéric Buclin
Max Kanat-Alexander
Jesse Ruderman

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

Posted by Max to mozilla.support.bugzilla on 11/19/2009 4:58:45 AM