[ANN] Security Advisory for Bugzilla 3.2.6, 3.4.6, 3.6, and 3.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* Everybody could search for time-tracking information, not just
  members of the timetrackinggroup.

* Under suexec, "localconfig" was world-readable, meaning that
  local users with shell access to the Bugzilla server may have
  been able to see the database password and the site_wide_secret.

All affected installations are encouraged to upgrade as soon as
possible.

Vulnerability Details
=====================

Class:       Remote Information Disclosure
Versions:    2.17.1 to 3.2.6, 3.3.1 to 3.4.6, 3.5.1 to 3.6, 3.7
Fixed In:    3.2.7, 3.4.7, 3.6.1, 3.7.1
Description: Normally, information about time-tracking (estimated
             hours, actual hours, hours worked, and deadlines) is
             restricted to users in the "time-tracking group".
             However, any user was able, by crafting their own
             search URL, to search for bugs using those fields as
             criteria. Because a bug matching such a search reveals
             something about its time-tracking values, this could
             expose sensitive time-tracking information to users
             outside the group.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=309952
CVE Number:  CVE-2010-1204
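The point of this issue is that field-level access control must be enforced on the search criteria themselves, not only on which columns are displayed, since "this bug matched" is already a disclosure. The following added example (written for this advisory, not taken from Bugzilla's own search code) shows the server-side check a search endpoint needs. The query format modelled on Bugzilla's boolean-chart parameters (field0-0-0=..., type0-0-0=..., value0-0-0=...), the list of time-tracking field names, and the group name "timetrackinggroup" are assumptions for illustration.

```python
"""Added example, not Bugzilla's own code: refuse search criteria that
reference time-tracking fields unless the requesting user is a member
of the time-tracking group.  Field names, the chart parameter format
and the group name are assumptions modelled on Bugzilla 3.x."""
import re
from urllib.parse import parse_qs

# Assumed names of the fields restricted to the time-tracking group.
TIME_TRACKING_FIELDS = frozenset({
    "estimated_time", "remaining_time", "work_time",
    "percentage_complete", "deadline",
})

# Assumed placeholder for the group configured by the timetrackinggroup
# parameter; in a real deployment this comes from site configuration.
TIME_TRACKING_GROUP = "timetrackinggroup"

# Boolean-chart criteria arrive as fieldN-N-N=<fieldname> (assumed format);
# simple column filters arrive as <fieldname>=<value>.
CHART_FIELD_RE = re.compile(r"^field\d+-\d+-\d+$")


def referenced_fields(query_string):
    """Return every bug field a search query string uses as a criterion."""
    fields = set()
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if CHART_FIELD_RE.match(name):
            fields.update(values)      # the field name is the parameter value
        else:
            fields.add(name)           # the field name is the parameter itself
    return fields


def restricted_fields_in(query_string):
    """Sorted list of time-tracking fields the query relies on, if any."""
    return sorted(referenced_fields(query_string) & TIME_TRACKING_FIELDS)


def authorize_search(query_string, user_groups):
    """Server-side check to run before the query is turned into SQL.

    Returns (allowed, reason).  Membership is checked against the criteria,
    not against the displayed columns, because a restricted field used as a
    filter leaks information whether or not it is ever rendered."""
    restricted = restricted_fields_in(query_string)
    if restricted and TIME_TRACKING_GROUP not in user_groups:
        return False, "search uses restricted fields: " + ", ".join(restricted)
    return True, "ok"


if __name__ == "__main__":
    # Constructed query: match every bug whose deadline falls before a date.
    q = "field0-0-0=deadline&type0-0-0=lessthan&value0-0-0=2010-07-01&product=Foo"
    print(authorize_search(q, {"editbugs"}))             # denied
    print(authorize_search(q, {TIME_TRACKING_GROUP}))     # allowed
```

The check is deliberately applied to the raw query parameters before any search is built, so that a crafted URL is rejected with the same decision a normal form submission would receive.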


Class:       Local Information Disclosure
Versions:    3.5.1 to 3.6, 3.7
Fixed In:    3.6.1, 3.7.1
Description: If $use_suexec was set to "1" in the localconfig file,
             then the localconfig file's permissions were set as
             world-readable by checksetup.pl. This allowed any user
             with local shell access to see the contents of the file,
             including the database password and the site_wide_secret
             variable used for CSRF protection.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=561797
CVE Number:  CVE-2010-0180
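An administrator who cannot upgrade immediately will want to confirm whether their localconfig is exposed and close the hole. The following added example (not from the advisory and not Bugzilla's checksetup.pl) audits the file's mode bits and strips access for "other" users while leaving owner and group access untouched; the assumption that the web server group still needs read access under suexec, the constructed file contents and the temporary path are illustrative only.

```python
"""Added example, not Bugzilla's own code: audit the permissions of a
localconfig file and remove world access.  The target mode and the
sample file contents are assumptions for illustration."""
import os
import stat
import tempfile

# Mode bits that grant access to users outside the file's owner and group.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def world_readable(path):
    """True if any local user on the host can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_localconfig(path):
    """Describe the permission state of a localconfig file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "mode": oct(mode),
        "world_readable": bool(mode & stat.S_IROTH),
        "group_writable": bool(mode & stat.S_IWGRP),
    }


def tighten_localconfig(path):
    """Strip all 'other' bits and return the resulting mode.

    Owner and group bits are preserved: under suexec the CGI scripts run
    as the file's owner, and the web server group may still need to read
    the file (assumption about the deployment, adjust to taste)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~OTHER_BITS
    os.chmod(path, new_mode)
    return new_mode


def demo():
    """Constructed scenario: a localconfig left world-readable (0644)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "localconfig")
        with open(path, "w") as f:
            # Placeholder contents; real files hold the DB password and
            # site_wide_secret the advisory warns about.
            f.write("$db_pass = 'placeholder';\n")
            f.write("$site_wide_secret = 'placeholder';\n")
        os.chmod(path, 0o644)          # the state the advisory describes
        before = audit_localconfig(path)
        after_mode = tighten_localconfig(path)
        after = audit_localconfig(path)
        return before, after_mode, after


if __name__ == "__main__":
    print(demo())   # before: world_readable True; after: mode 0o640, False
```

Run audit_localconfig against the real path of your installation's localconfig; if it reports world_readable as True, the file should be tightened and, because the contents may already have been read, the database password and site_wide_secret rotated.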

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.2.7, 3.4.7, 3.6.1, and
3.7.1 releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wishes to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
these issues:

Daniel Piddock
Teemu Mannermaa
Max Kanat-Alexander
Frédéric Buclin
Dave Miller
Tiago Mello

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkwj4ZQACgkQaL2D/aEJPK55cgCgvvTqOgELXb3u9Dx938RPzwla
vn0AoKqwtd/f/7JIWD2+v95hYJHrEiVe
=DWll
-----END PGP SIGNATURE-----
Posted by Max to mozilla.support.bugzilla, 6/24/2010 10:52:04 PM