[ANN] Security Advisory for Bugzilla 3.2.8, 3.4.8, 3.6.2, and 3.7.3
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* There is a way to inject both headers and content to users, causing
a serious Cross-Site Scripting vulnerability.
* It was possible to see graphs from Old Charts even if you did not
have access to a particular product, and you could browse a
particular URL to see all product names.
* YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x,
contain...
[ANN] Release of Bugzilla 3.2.2, 3.0.8, and 3.3.3
Bugzilla 3.2.1, 3.0.7, and 3.3.2 contained a bug that was critical
for any installation running under mod_perl, due to an unintentional
interaction between the various security fixes in those releases. We
are releasing three new releases today to fix the critical issue:
3.2.2, 3.0.8, and 3.3.3. They are identical to the previous release
except that they have this one fix for installations running under
mod_perl.
Download
--------
Bugzilla is available at:
http://www.bugzilla.org/download/
Security Advisory
-----------------
Details of the fix are in the Security Adviso...
[ANN] Release of Bugzilla 4.3.3, 4.2.3, 4.0.8, and 3.6.11
Today we are releasing 4.2.3, 4.0.8, 3.6.11, and the unstable
development snapshot 4.3.3.
All of today's releases contain security fixes. We recommend that
all Bugzilla administrators read the Security Advisory linked below.
Bugzilla 4.2.3 is our latest stable release. It contains various
useful bug fixes and security fixes for the 4.2 branch.
Bugzilla 4.0.8 and 3.6.11 are security updates for the 4.0
branch and the 3.6 branch, respectively. Both also contain
one bug fix.
Note that 4.3.3 is an unstable development release and should not
be used in production envir...
[ANN] Release of Bugzilla 3.2.7, 3.4.7, 3.6.1, and 3.7.1
Today we have four new releases! One new development snapshot
(3.7.1), two new stable releases (3.6.1 and 3.4.7) and one update for
the legacy 3.2 branch (3.2.7).
Bugzilla 3.6.1 is our latest stable release. It contains some
significant bug fixes for the 3.6 branch.
Bugzilla 3.4.7 is the last bug-fix release for the 3.4 series.
After this, there will only be additional 3.4 releases if there
are security issues discovered in the 3.4 series.
Bugzilla 3.2.7 is a security update for the 3.2 branch.
Bugzilla 3.7.1 is our first unstable development release on the
road to ...
[ANN] Security Advisory for Bugzilla 3.2.7, 3.4.7, 3.6.1, and 3.7.2
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* It was possible to (at least partially) determine the membership
of any group using the Search interface.
* It was possible to use the 'sudo' feature without sending
a notification to the user being impersonated.
* The 'Reports' and 'Duplicates' pages let you guess the name of
products you could not see, due to the error message ...
[ANN] Release of Bugzilla 3.2.1, 3.0.7, 2.22.7, and 3.3.2
Today we have some major security improvements for Bugzilla in the
form of four releases. We strongly recommend that all Bugzilla
administrators read the Security Advisory for these releases, which is
linked below in this email.
Bugzilla 3.2.1 is our latest stable release. It contains various
useful bug fixes in addition to major security improvements.
Bugzilla 3.0.7 and Bugzilla 2.22.7 are security updates for their
branches.
Bugzilla 3.3.2 is an unstable development release. In addition to the
security fixes that all the other releases contain, this release
contains n...
[ANN] Security Advisory for Bugzilla 3.2.6, 3.4.6, 3.6, and 3.7
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* Everybody could search for time-tracking information, not just
members of the timetrackinggroup.
* Under suexec, "localconfig" was world-readable, meaning that
local users with shell access to the Bugzilla server may have
been able to see the database password and the site_wide_secret.
All affected installations are encouraged to upgrade as so...
[ANN] Release of Bugzilla 3.0.10, 3.2.6, 3.4.5, and 3.5.3
Today we have four new releases:
Bugzilla 3.4.5 is our latest stable release. It contains various
useful bug fixes and security improvements.
Bugzilla 3.2.6 is a security update for the 3.2 branch, and
Bugzilla 3.0.11 is a security update for the 3.0 branch.
Bugzilla 3.5.3 is our latest unstable development release. We are now
feature-frozen for 3.6, so though there will be a few functional
changes between now and the final release, this is mostly what 3.6
will look like when it comes out. As usual with development release...
Security advisory for Bugzilla 4.3.3, 4.2.3, 4.0.8 and 3.6.11
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* When the user logs in using LDAP, the username is not escaped
before being passed to LDAP which could potentially lead to LDAP
injection.
* Extensions are not protected against directory browsing by default
and users can view the source code of templates used by the
extensions. These templates may contain sensitive data.
All affected installations ar...
[ANN] Release of Bugzilla 3.2.3 and 3.3.4
Today we have two new versions of Bugzilla for you.
Bugzilla 3.2.3 is our latest stable release. It contains various
useful bug fixes and security improvements.
Bugzilla 3.3.4 is an unstable development release. This release has
not received QA testing from the Bugzilla Project, and should not be
used in production environments. If you find a bug in this development
release (or you don't like how some feature works) please tell us by
filing a bug.
Both of today's releases contain a security fix. Please see our
latest Security Advisory for details. Note that old...
[ANN] Release of Bugzilla 3.2.9, 3.4.9, 3.6.3, and 4.0rc1
Today we are announcing the first Release Candidate for Bugzilla 4.0,
in addition to one new stable release and two security-only updates for
the 3.2.x and 3.4.x series.
Bugzilla 4.0rc1 is our first Release Candidate for Bugzilla 4.0.
This release has received QA testing, and should be considerably
more stable than the development releases before it. It is still not
considered fully stable, and so you should understand that if you use
it, you use it at your own risk. In particular, certain aspects of the
WebServices have not yet been tested as part of this Release Candidate,
so ...
[ANN] Release of Bugzilla 4.3.2, 4.2.2, 4.0.7, and 3.6.10
Today we are releasing 4.2.2, 4.0.7, 3.6.10, and the unstable
development snapshot 4.3.2.
All of today's releases contain security fixes. We recommend that
all Bugzilla administrators read the Security Advisory linked below.
Bugzilla 4.2.2 is our latest stable release. It contains various
useful bug fixes and security fixes for the 4.2 branch.
Bugzilla 4.0.7 and 3.6.10 are security updates for the 4.0
branch and the 3.6 branch, respectively. 4.0.7 also contains
several bug fixes.
Note that 4.3.2 is an unstable development release and should not
be used in producti...
[ANN] Release of Bugzilla 4.1.3, 4.0.2, 3.6.6, and 3.4.12
Today we are releasing 4.0.2, 3.6.6, 3.4.12, and the unstable
development snapshot 4.1.3.
All of today's releases contain security fixes. We recommend
all Bugzilla administrators read the Security Advisory linked below.
4.0.2 is our latest stable release, containing various useful
bug fixes and performance improvements.
3.6.6 and 3.4.12 are security updates for those series.
Note that 4.1.3 is an unstable development release and should not
be used in production environments. We are feature-frozen at this
point, however, so the features you see in 4.1.3 shoul...
[ANN] Release of Bugzilla 3.2.10, 3.4.10, 3.6.4, and 4.0rc2
Some serious security issues were discovered in Bugzilla, and as a
result we have four security releases for you today. We recommend that
all Bugzilla administrators read the Security Advisory that was
published along with these releases, and we also recommend that you
update as soon as possible.
Bugzilla 4.0rc2 is our second Release Candidate for Bugzilla 4.0.
This release has received QA testing and should be considerably more
stable than the development releases before it. It is still not
considered fully stable, and so you should understand that if you use
it, you use it at ...