Security Advisory for Bugzilla 3.0.3, 3.1.3, 2.22.3, and 2.20.5

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers three security issues that have recently been
fixed in the Bugzilla code:

* Users without the "canconfirm" privilege could enter a bug as NEW
  or ASSIGNED by using the XML-RPC interface.

* When viewing several bugs at once, there was a Cross-Site Scripting
  hole.

* The inbound email interface allowed you to set the Reporter via the
  text of the email, instead of just using the From header.

All affected installations are encouraged to upgrade as soon as
possible.

Vulnerability Details
=====================

Class:       Unauthorized Bug Change
Versions:    3.1.3
Description: Users normally need the "canconfirm" privilege to put bugs
             in the NEW or ASSIGNED state. However, users were being
             allowed to create bugs in the NEW or ASSIGNED state if they
             were creating the bug through the XML-RPC interface.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=415471

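The fix pattern for an issue like this is to keep the privilege check in one model-layer routine that every entry point must call, so a second interface cannot arrive without it. The following Python sketch is an added illustration, not Bugzilla's Perl code; the `User`, `create_bug`, form and parameter names are hypothetical, and `xmlrpc_bug_create_unchecked` shows the shape of the flaw beside the fixed entry point.

```python
from dataclasses import dataclass, field
from typing import Optional

CONFIRMED_STATES = {"NEW", "ASSIGNED"}  # require "canconfirm" at creation
DEFAULT_STATE = "UNCONFIRMED"


@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)

    def in_group(self, name: str) -> bool:
        return name in self.groups


def initial_bug_status(user: User, requested: Optional[str]) -> str:
    """Return the status a new bug may be created with.

    Without "canconfirm", a request for NEW or ASSIGNED is downgraded to
    UNCONFIRMED. The rule lives here only, so no interface can skip it.
    """
    if requested is None:
        return DEFAULT_STATE
    if requested in CONFIRMED_STATES and not user.in_group("canconfirm"):
        return DEFAULT_STATE
    return requested


def create_bug(user: User, summary: str, status: Optional[str]) -> dict:
    """Model-layer creation; every front end must go through here."""
    return {"summary": summary, "reporter": user.login,
            "status": initial_bug_status(user, status)}


def web_enter_bug(user: User, form: dict) -> dict:
    """Web form entry point (hypothetical field names)."""
    return create_bug(user, form["short_desc"], form.get("bug_status"))


def xmlrpc_bug_create(user: User, params: dict) -> dict:
    """Fixed XML-RPC entry point: same model-layer check as the web form."""
    return create_bug(user, params["summary"], params.get("status"))


def xmlrpc_bug_create_unchecked(user: User, params: dict) -> dict:
    """Shape of the flaw: a second entry point that builds the record
    itself and therefore never runs initial_bug_status()."""
    return {"summary": params["summary"], "reporter": user.login,
            "status": params.get("status") or DEFAULT_STATE}
```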

Class:       Cross-Site Scripting
Versions:    2.17.2 and higher
Description: When using the "Format for Printing" view of a bug (or
             the "Long Format" of a bug list, which is the same thing),
             there was a cross-site scripting hole--arbitrary text
             from a particular URL parameter could be injected into the
             page without filtering.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=425665


Class:       Account Impersonation (Minor)
Versions:    2.23.4 and higher
Description: By design, email_in.pl trusts the "From" header to identify
             the user making changes, or uses it as the reporter of the
             bug. However, you could also specify the changer/reporter
             in the body of the email and override the "From" header,
             possibly bypassing some security checks set up by
             administrators against the "From" header.
             For most installations this is a minor or inconsequential
             issue, as the documentation of email_in.pl already explains
             that it does not do any user authentication (it just
             trusts the "From" header), so installations using it
             should not have been expecting user account security
             (though they may have had checks against the "From"
             header--that is what makes this a security issue).
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=419188

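The defensive shape of the fix is to take identity from the "From" header alone and to refuse, and record, any body directive that tries to set it. The Python below is an added example, not email_in.pl; the "@field = value" directive syntax, the field names and the sample message are constructed for the illustration.

```python
import email
import email.utils
import re
from email import policy

# Identity fields must come from the From header, never from the body.
IDENTITY_FIELDS = {"reporter", "changer"}
DIRECTIVE = re.compile(r"^@(\w+)\s*=\s*(.*)$")

# Constructed sample: the body tries to override the reporter.
SAMPLE = """From: alice@example.com
To: bugzilla@example.com
Subject: Crash when saving

@product = TestProduct
@reporter = admin@example.com
@component = UI

Saving a file crashes the application.
"""


def parse_inbound(raw: str) -> dict:
    """Split an inbound mail into trusted identity, fields and comment."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg["From"] is None:
        raise ValueError("no From header: cannot identify the sender")
    # The From header is the one source of identity, as documented.
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    fields, rejected, comment = {}, [], []
    in_directives = True  # directives are honoured only at the top of the body
    text = msg.get_body(preferencelist=("plain",)).get_content()
    for line in text.splitlines():
        m = DIRECTIVE.match(line) if in_directives else None
        if m is None:
            if line.strip():
                in_directives = False  # first real text ends the directives
            comment.append(line)
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name in IDENTITY_FIELDS:
            rejected.append(name)  # keep for logging/alerting; never apply
        else:
            fields[name] = value
    return {"reporter": from_addr, "summary": str(msg["Subject"]),
            "fields": fields, "rejected": rejected,
            "comment": "\n".join(comment).strip()}
```

A non-empty "rejected" list is the signal an administrator would log or alert on, since it records an attempt to act as someone other than the sender.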

Vulnerability Solutions
=======================

The fixes for the security bugs mentioned in this advisory are
included in the 3.0.4, 3.1.4, 2.22.4, and 2.20.6 releases. Upgrading
to these releases will protect installations from possible exploits of
these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these issues:

Frédéric Buclin
Max Kanat-Alexander
Bradley Baetz
Loren Butler
Marc Schumann

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

Posted by Max to mozilla.support.bugzilla, 5/5/2008 9:46:00 PM