Security advisory for Bugzilla 4.5.3, 4.4.3, 4.2.8, and 4.0.12

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* The login form had no CSRF protection, meaning that an attacker could
  force the victim to log in using the attacker's credentials.

* Dangerous control characters can be inserted into Bugzilla, notably
  into bug comments, which can then be used to execute local commands.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Cross-Site Request Forgery
Versions:    Bugzilla 2.0 to 4.4.2, 4.5.1 to 4.5.2
Fixed In:    4.4.3, 4.5.3
Description: The login form had no CSRF protection, meaning that
             an attacker could force the victim to log in using the
             attacker's credentials. If the victim then reports a new
             security sensitive bug, the attacker would get immediate
             access to this bug.
             Due to changes involved in the Bugzilla API, this fix is
             not backported to the 4.0 and 4.2 branches, meaning that
             Bugzilla 4.0.12 and older, and 4.2.8 and older, will
             remain vulnerable to this issue.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=713926
CVE Number:  CVE-2014-1517
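The check that was missing from the login form, as an added example (not Bugzilla's code): the form carries a token derived from the requester's own pre-login session, so a POST that a third-party page submits from the victim's browser, which cannot read that session cookie, fails verification and no login cookie is set. The names SERVER_SECRET, issue_login_token and check_login are this demo's own.

```python
import hmac
import hashlib
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed: one per deployment, kept server-side


def issue_login_token(anon_session_id: str) -> str:
    """Token rendered into the login form as a hidden field.

    It is an HMAC over the anonymous (pre-login) session id, so only a page
    served to that session can contain a token that later verifies for it.
    """
    msg = f"login-form:{anon_session_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def check_login(anon_session_id: str, form: dict) -> bool:
    """Accept a login POST only if its token matches the requester's session.

    False means: do not authenticate, do not set a login cookie, re-render
    the form. Credentials are not even looked at when the token fails.
    """
    presented = form.get("token", "")
    expected = issue_login_token(anon_session_id)
    # Constant-time comparison on bytes; a non-ASCII str would make
    # compare_digest raise, so encode both sides first.
    return hmac.compare_digest(presented.encode(), expected.encode())


def demo() -> dict:
    """Three POSTs arriving with the victim's pre-login cookie."""
    victim_session = "anon-" + secrets.token_hex(8)  # constructed cookie value
    # 1. The victim loaded the login page and submitted the form it rendered.
    legit = {"login": "user@example.org", "password": "correct horse",
             "token": issue_login_token(victim_session)}
    # 2. A cross-site page submitted someone else's credentials from the
    #    victim's browser; it never saw the victim's cookie, so no token.
    forged = {"login": "other@example.org", "password": "x"}
    # 3. Same, but carrying a token minted for the submitter's own session.
    other_session = "anon-" + secrets.token_hex(8)
    replayed = dict(forged, token=issue_login_token(other_session))
    return {
        "legitimate": check_login(victim_session, legit),
        "forged_no_token": check_login(victim_session, forged),
        "forged_foreign_token": check_login(victim_session, replayed),
    }
```

Binding the token to the pre-login session is what matters: a token that is valid for any session would pass case 3.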

Class:       Social Engineering
Versions:    Bugzilla 2.0 to 4.0.11, 4.1.1 to 4.2.7, 4.3.1 to 4.4.2,
             4.5.1 to 4.5.2
Fixed In:    4.0.12, 4.2.8, 4.4.3, 4.5.3
Description: Dangerous control characters can be inserted into
             Bugzilla, notably into bug comments. If the text, which
             may look safe, is copied into a terminal such as xterm or
             gnome-terminal, then unexpected commands could be executed
             on the local machine.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=968576
CVE Number:  none
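A server-side filter for the second issue, as an added example rather than the patch attached to the referenced bug: the advisory does not list which characters Bugzilla now rejects, so the policy here is an assumption, namely that tab, newline and carriage return are the only control characters a comment may contain and every other C0 control, DEL and C1 control is reported and removed. The function names are this example's own.

```python
import re

# Every C0 control except TAB (0x09), LF (0x0a) and CR (0x0d), plus DEL and
# the C1 range. ESC (0x1b) opens terminal escape sequences; BS (0x08) and
# friends let text render differently from how it is stored.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")


def find_control_chars(text: str) -> list:
    """Return (offset, 'U+XXXX') for each disallowed control character.

    Useful both for rejecting input with a precise error and for auditing
    comments already in the database.
    """
    return [(m.start(), "U+%04X" % ord(m.group()))
            for m in _CONTROL_RE.finditer(text)]


def is_safe_comment(text: str) -> bool:
    """True when the comment contains no disallowed control characters."""
    return _CONTROL_RE.search(text) is None


def strip_control_chars(text: str) -> str:
    """Text as it should be stored or displayed: same text, controls removed.

    Whatever the controls were hiding (here the "[2J" after the escape)
    becomes visible, which is the point for a reviewer.
    """
    return _CONTROL_RE.sub("", text)


# Constructed sample: an innocuous-looking build command with an embedded
# escape sequence and three backspaces.
SAMPLE_COMMENT = (
    "Steps to reproduce:\n"
    "  ./configure --prefix=/opt/app\x1b[2J\x08\x08\x08 && make\n"
    "Expected: build succeeds\n"
)

if __name__ == "__main__":
    for offset, name in find_control_chars(SAMPLE_COMMENT):
        print(f"disallowed control {name} at offset {offset}")
    print(repr(strip_control_chars(SAMPLE_COMMENT)))
```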


Vulnerability Solutions
=======================

The fixes for these issues are included in the 4.0.12, 4.2.8, 4.4.3
and 4.5.3 releases. Upgrading to a release with the relevant fixes will
protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix these
issues:

Manish Goregaokar
Frédéric Buclin
David Lawrence
Byron Jones
Reed Loden

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

Posted to mozilla.support.bugzilla, 4/17/2014 10:34:23 PM