Security advisory for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14


Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issue has been discovered
in Bugzilla:

* An attacker can gain access to some bug information with the
  victim's credentials by way of a specially crafted HTML page.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Cross Site Request Forgery
Versions:    3.7.1 to 4.0.13, 4.1.1 to 4.2.9, 4.3.1 to 4.4.4, 4.5.1 to 4.5.4
Fixed In:    4.0.14, 4.2.10, 4.4.5, 4.5.5
Description: Adobe does not properly restrict the SWF file format,
             which allows remote attackers to conduct cross-site
             request forgery (CSRF) attacks against Bugzilla's JSONP
             endpoint, possibly obtaining sensitive bug information,
             via a crafted OBJECT element with SWF content satisfying
             the character-set requirements of a callback API.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1036213
CVE Number:  CVE-2014-1546
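The description above turns on the fact that a callback name which satisfies an identifier allowlist can still place SWF magic bytes at the very start of a JSONP response. As an added illustration (not Bugzilla's code, nor the fix referenced in the bug above), the snippet below contrasts a naive JSONP renderer with one that pins the first bytes to a fixed JavaScript comment; the callback policy is constructed for the example, and the SWF magic strings are taken from the public SWF container format.

```python
import json
import re

# Constructed allowlist for callback names: a dotted JavaScript identifier path.
# This alone does not stop the SWF trick, because an SWF header can be written
# entirely with characters this pattern permits.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Magic bytes of the three SWF container variants (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def looks_like_swf(body: bytes) -> bool:
    """True if a plugin handed this body could treat it as an SWF file."""
    return body[:3] in SWF_MAGIC


def render_jsonp_naive(callback: str, payload: dict) -> bytes:
    """Vulnerable shape: the attacker-chosen callback is the first thing on the wire."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("callback name rejected")
    return f"{callback}({json.dumps(payload)});".encode("utf-8")


def render_jsonp_hardened(callback: str, payload: dict) -> bytes:
    """Hardened shape: the body always starts with a fixed comment, so the
    leading bytes are never attacker-controlled, whatever callback was accepted."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("callback name rejected")
    body = f"/**/{callback}({json.dumps(payload)});".encode("utf-8")
    # Belt and braces: refuse to emit anything that still looks like SWF.
    if looks_like_swf(body):
        raise RuntimeError("response would start with an SWF header")
    return body


def response_headers() -> dict:
    """Headers to send alongside the body; nosniff stops browser type guessing."""
    return {"Content-Type": "application/javascript; charset=utf-8",
            "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    bug = {"id": 12345, "summary": "constructed sample bug"}
    # A callback name the identifier allowlist accepts but which places an SWF
    # magic string at offset 0 of the naive response.
    cb = "CWSjsonpHandler"
    print(looks_like_swf(render_jsonp_naive(cb, bug)))      # True
    print(looks_like_swf(render_jsonp_hardened(cb, bug)))   # False
```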


Vulnerability Solutions
=======================

The fix for this issue is included in the 4.0.14, 4.2.10, 4.4.5, and 4.5.5
releases. Upgrading to a release with the relevant fix will protect your
installation from possible exploits of this issue.

If you are unable to upgrade but would like to patch just this
individual security vulnerability, a patch is available at the
"References" URL given above.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wishes to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us in fixing
this issue:

Mario Gomes
Reed Loden
Simon Green
Byron Jones

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.


-- 
David Lawrence
dkl@mozilla.com
Posted by David, 7/24/2014 9:30:39 PM, to mozilla.support.bugzilla