Security advisory for Bugzilla 4.5.3, 4.4.3, 4.2.8, and 4.0.12
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* The login form had no CSRF protection, meaning that an attacker could
force the victim to log in using the attacker's credentials.
* Dangerous control characters can be inserted into Bugzilla, notably
into bug comments, which can then be used to execute local commands.
All affected installations are encouraged to upgrade as soon as
possible.
Vuln...
[ANN] Release of Bugzilla 4.3.3, 4.2.3, 4.0.8, and 3.6.11
Today we are releasing 4.2.3, 4.0.8, 3.6.11, and the unstable
development snapshot 4.3.3.
All of today's releases contain security fixes. We recommend
all Bugzilla administrators read the Security Advisory linked below.
Bugzilla 4.2.3 is our latest stable release. It contains various
useful bug fixes and security fixes for the 4.2 branch.
Bugzilla 4.0.8 and 3.6.11 are security updates for the 4.0
branch and the 3.6 branch, respectively. Both also contain
one bug fix.
Note that 4.3.3 is an unstable development release and should not
be used in production envir...
[ANN] Release of Bugzilla 4.1.3, 4.0.2, 3.6.6, and 3.4.12
Today we are releasing 4.0.2, 3.6.6, 3.4.12, and the unstable
development snapshot 4.1.3.
All of today's releases contain security fixes. We recommend
all Bugzilla administrators read the Security Advisory linked below.
4.0.2 is our latest stable release, containing various useful
bug fixes and performance improvements.
3.6.6 and 3.4.12 are security updates for those series.
Note that 4.1.3 is an unstable development release and should not
be used in production environments. We are feature-frozen at this
point, however, so the features you see in 4.1.3 shoul...
[ANN] Release of Bugzilla 4.5.4, 4.4.4, 4.2.9, and 4.0.13
Today we are releasing 4.4.4, 4.2.9, 4.0.13, and the unstable
development snapshot 4.5.4. All releases fix a regression discovered
since the last release.
Bugzilla 4.4.4 is our latest stable release. Bugzilla 4.4.4,
4.2.9 and 4.0.13 are bug fix updates for the 4.4, 4.2, and the
4.0 branches, respectively.
Note that 4.5.4 is an unstable development release and should not
be used in production environments. We are not yet feature-frozen at
this time so the features you see in 4.5.4 might not accurately
represent the behavior that 5.0 will have.
Note that when Bugzilla...
[ANN] Release of Bugzilla 4.2rc2, 4.0.4, 3.6.8, and 3.4.14
Today we are announcing the second Release Candidate for Bugzilla 4.2,
in addition to one new stable release and two security-only updates for
the 3.4.x and 3.6.x series.
Bugzilla 4.2rc2 is our second Release Candidate for Bugzilla 4.2.
This release has received QA testing, and should be considerably
more stable than the development releases before it. It is still not
considered fully stable, and so you should understand that if you use
it, you use it at your own risk. This will most likely be the last
release candidate before 4.2 final.
Bugzilla 4.0.4 is our latest stable r...
[ANN] Release of Bugzilla 4.4rc1, 4.2.4, 4.0.9, and 3.6.12
Today we are releasing 4.2.4, 4.0.9, 3.6.12, and the release
candidate 4.4rc1.
All of today's releases contain security fixes. We recommend
all Bugzilla administrators read the Security Advisory linked below.
Bugzilla 4.2.4 is our latest stable release. It contains various
useful bug fixes and security fixes for the 4.2 branch.
Bugzilla 4.0.9 and 3.6.12 are security updates for the 4.0
branch and the 3.6 branch, respectively. 4.0.9 contains several
useful bug fixes and 3.6.12 contains one as well.
Bugzilla 4.4rc1 is our first Release Candidate for Bugzilla 4.4...
[ANN] Release of Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14
Today we are releasing 4.4.5, 4.2.10, 4.0.14, and the unstable
development snapshot 4.5.5. All releases fix a security issue found
since the last release.
Bugzilla 4.4.5 is our latest stable release. Bugzilla 4.4.5,
4.2.10 and 4.0.14 are security updates for the 4.4, 4.2, and the
4.0 branches, respectively.
Note that 4.5.5 is an unstable development release and should not
be used in production environments. We are not yet feature-frozen at
this time so the features you see in 4.5.5 might not accurately
represent the behavior that 5.0 will have.
Note that when Bugzilla 5...
[ANN] Release of Bugzilla 4.1.2, 4.0.1, 3.6.5, and 3.4.11
Today we are releasing 4.0.1, 3.6.5, 3.4.11, and the unstable
development snapshot 4.1.2.
Many users had difficulty installing Bugzilla 4.0, 3.6.4, and 3.4.10,
due to a bug related to the "Math::Random::Secure" library. These
releases fix that bug among other issues.
Note that 4.1.2 is an unstable development release and should not
be used in production environments. However, we are getting very close
to feature freeze for 4.2, so now is the time to give us feedback on
4.1.2 if you want its behavior to change significantly before we
release.
Download
-------...
[ANN] Release of Bugzilla 4.3.2, 4.2.2, 4.0.7, and 3.6.10
Today we are releasing 4.2.2, 4.0.7, 3.6.10, and the unstable
development snapshot 4.3.2.
All of today's releases contain security fixes. We recommend
all Bugzilla administrators read the Security Advisory linked below.
Bugzilla 4.2.2 is our latest stable release. It contains various
useful bug fixes and security fixes for the 4.2 branch.
Bugzilla 4.0.7 and 3.6.10 are security updates for the 4.0
branch and the 3.6 branch, respectively. 4.0.7 also contains
several bug fixes.
Note that 4.3.2 is an unstable development release and should not
be used in producti...
[ANN] Release of Bugzilla 3.0.4, 3.1.4, 2.22.4, and 2.20.6
The Bugzilla project has four releases today!
Bugzilla 3.0.4 is the latest stable version of Bugzilla, containing
several useful bug fixes over 3.0.3, particularly for the inbound email
interface.
Bugzilla 3.1.4 is our latest unstable development preview. It should
be more stable than 3.1.3, though we still don't recommend it for
production environments. Provided we don't find too many major issues
in this release, our next release will be Bugzilla...
[ANN] Security Advisory for Bugzilla 3.0.10, 3.2.5, 3.4.4, and 3.5.2
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers two security issues that have recently been
fixed in the Bugzilla code:
+ Some files stored on the web server are not correctly protected
against external access and can be viewed from a web browser.
+ Restricting a bug to a group while moving the bug to another product
has no effect if the group is not used by both products. The bug may
become public if no other group restriction applies.
All...
[ANN] Security Advisory for Bugzilla Versions Prior to 3.4.12, 3.6.6, 4.0.2, and 4.1.3
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* Internet Explorer 8 and older, and Safari before 5.0.6 do content
sniffing when viewing a patch in "Raw Unified" mode, which could
trigger a cross-site scripting attack due to the execution of
malicious code in the attachment.
* It is possible to determine whether or not certain group names exist
while creating or updating bugs; and in Bugzilla 4.1.1 and 4.1.2,
also by using custom se...
[ANN] Release of Bugzilla 5.0rc1, 4.4.7, 4.2.12, and 4.0.16
Today we are announcing the first Release Candidate for Bugzilla 5.0,
in addition to one new stable release and two security-only updates for
the 4.2.x and 4.0.x series.
Bugzilla 5.0rc1 is our first Release Candidate for Bugzilla 5.0.
This release has received QA testing, and should be considerably
more stable than the development releases before it. It is still not
considered fully stable, and so you should understand that if you use
it, you use it at your own risk.
If feedback from this release candidate indicates that it is mostly
stable, then Bugzilla 5.0 will be release...