Bug 1150091 (CVE-2014-1571, CVE-2014-1572, CVE-2014-1573)

Summary: CVE-2014-1571 CVE-2014-1572 CVE-2014-1573 bugzilla: security fixes release
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: astrand, itamar, perl-devel
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: bugzilla 4.0.15, bugzilla 4.2.11, bugzilla 4.4.6, bugzilla 4.5.6
Doc Type: Bug Fix
Last Closed: 2019-06-08 02:35:10 UTC
Bug Depends On: 1150092, 1150096

Description Vasyl Kaigorodov 2014-10-07 12:19:05 UTC
Upstream has issued an advisory today (October 6):
http://www.bugzilla.org/security/4.0.14/

Class:       Unauthorized Account Creation
Versions:    2.23.3 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Fixed In:    4.0.15, 4.2.11, 4.4.6, 4.5.6
Description: An attacker creating a new Bugzilla account can override certain
             parameters when finalizing the account creation that can lead to the
             user being created with a different email address than originally
             requested. The overridden login name could be automatically added
             to groups based on the group's regular expression setting.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1074812
CVE Number:  CVE-2014-1572

Class:       Cross-Site Scripting
Versions:    2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Fixed In:    4.0.15, 4.2.11, 4.4.6, 4.5.6
Description: During an audit of the Bugzilla code base, several places
             were found where cross-site scripting exploits could occur which
             could allow an attacker to access sensitive information.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1075578
CVE Number:  CVE-2014-1573

Class:       Information Leak
Versions:    2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Fixed In:    4.0.15, 4.2.11, 4.4.6, 4.5.6
Description: If a new comment was marked private to the insider group, and a flag
             was set in the same transaction, the comment would be visible to
             flag recipients even if they were not in the insider group.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1064140
CVE Number:  CVE-2014-1571

Class:       Social Engineering
Versions:    2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Fixed In:    4.0.15, 4.2.11, 4.4.6, 4.5.6
Description: Search results can be exported as a CSV file which can then be
             imported into external spreadsheet programs. Specially formatted
             field values can be interpreted as formulas which can be executed
             and used to attack a user's computer.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1054702

Comment 1 Vasyl Kaigorodov 2014-10-07 12:19:21 UTC
Created bugzilla tracking bugs for this issue:

Affects: fedora-all [bug 1150092]

Comment 2 Vasyl Kaigorodov 2014-10-07 12:28:44 UTC
Created bugzilla tracking bugs for this issue:

Affects: epel-all [bug 1150096]

Comment 3 Tomas Hoger 2014-10-07 12:46:49 UTC
Further details of the CVE-2014-1572 issue:

http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
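The Perl list-context pitfall behind CVE-2014-1572 that the advisory above and the linked post describe, shown as an added stand-alone illustration rather than Bugzilla's own code: the `param` stand-in, the `build_account_*` functions and the request values are constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration of the Perl list-context pitfall behind CVE-2014-1572.
# Constructed stand-alone example; this is not Bugzilla's own code.
use strict;
use warnings;

# Constructed request data: the client sent the 'login' field three times.
my %request = (
    login    => [ 'alice@example.com', 'email', 'attacker@example.com' ],
    realname => [ 'Alice' ],
);

# Stand-in for CGI->param(): like the real method, it returns every value
# for the name in list context but only the first in scalar context.
sub param {
    my ($name) = @_;
    my @values = @{ $request{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Vulnerable pattern: param() is evaluated in list context inside the hash
# constructor, so all three 'login' values are spliced into the key/value
# list. The hash gains an 'email' key the code never meant to accept from
# the client, which is how an address other than the requested one got in.
sub build_account_vulnerable {
    my %account = (
        login    => param('login'),
        realname => param('realname'),
    );
    return \%account;
}

# Hardened pattern: force scalar context so each field contributes exactly
# one value, and the hash can only ever contain the keys written here.
sub build_account_fixed {
    my %account = (
        login    => scalar( param('login') ),
        realname => scalar( param('realname') ),
    );
    return \%account;
}

# Show the resulting keys side by side.
for my $case ( [ vulnerable => build_account_vulnerable() ],
               [ fixed      => build_account_fixed() ] ) {
    my ( $label, $account ) = @$case;
    printf "%-10s keys: %s\n", $label, join( ', ', sort keys %$account );
}
```

The same splice happens with any client-controlled list flowing into a hash constructor or argument list, so the check to apply when auditing is whether every `param()` call in such a position is in scalar context.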

Comment 4 Fedora Update System 2014-10-22 08:50:42 UTC
bugzilla-4.2.11-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-10-22 08:51:54 UTC
bugzilla-4.2.11-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-11-01 17:09:57 UTC
bugzilla-4.4.6-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Product Security DevOps Team 2019-06-08 02:35:10 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.