Bug 1478587
| Summary: | Bodhi: Javascript injection in detail view | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marcel <emarci1993> |
| Component: | bodhi | Assignee: | Randy Barlow <randy> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 27 | CC: | jeremy, lewk, puiterwijk, randy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | bodhi-2.9.1-1.fc27 bodhi-2.9.1-1.fc26 bodhi-2.9.1-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-20 18:28:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Marcel
2017-08-04 21:18:04 UTC
This issue has been assigned CVE-2017-1002152.

In order to take advantage of this, someone would need to set a Bugzilla subject field to text that contains JavaScript and get a packager to create an update that references that bug. Thus, it's more complex than simply typing the JS into Bugzilla's interface directly, and requires a user with elevated privileges (a packager) to perform an action. Certainly not impossible, but not simple either. Thanks for the report! Since this is filed publicly here, I have filed this upstream and we will track work on it there.

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

bodhi-2.9.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090

bodhi-2.9.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81

bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81

bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090

bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
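The injection path discussed above (a Bugzilla bug title that carries JavaScript, rendered on the update detail page of an update that references the bug) comes down to one thing: an attacker-controlled string reaching HTML without output encoding. The following is an added illustration, not Bodhi's code and not the fix that shipped in bodhi-2.9.1; it assumes, purely for the example, that the detail view builds an HTML list of referenced bugs from each bug's id and title. The bug ids, titles and the Bugzilla base URL are constructed sample data.

```python
"""Illustration of the injection path discussed in this bug report.

Added example, not Bodhi's code. Assumed (not stated in the report): the
detail view renders an HTML list of referenced bugs using the bug title
exactly as fetched from Bugzilla. All data below is constructed.
"""
import html
import re

BUGZILLA_URL = "https://bugzilla.example.org/show_bug.cgi?id="  # assumed, not Bodhi's setting

# Constructed sample input: titles a reporter can freely set on their own Bugzilla ticket.
SAMPLE_BUGS = [
    {"bug_id": 1000001, "title": "Crash on startup when config file is empty"},
    {"bug_id": 1000002, "title": "<script>alert(document.cookie)</script>"},
    {"bug_id": 1000003, "title": 'x" onmouseover="alert(1)'},  # attribute breakout, no < or >
]

ITEM = '<li><a href="%s%d" title="%s">#%d %s</a></li>'


def render_bugs_vulnerable(bugs):
    """The flawed pattern: the Bugzilla-controlled title is spliced into HTML verbatim."""
    return "<ul>" + "".join(
        ITEM % (BUGZILLA_URL, b["bug_id"], b["title"], b["bug_id"], b["title"])
        for b in bugs) + "</ul>"


def render_bugs_fixed(bugs):
    """Same markup; every untrusted value is encoded for the context it lands in.

    html.escape(quote=True) covers both the text node and the double-quoted
    attribute; the id is coerced to int so it has no encoding surface at all.
    """
    items = []
    for b in bugs:
        bug_id = int(b["bug_id"])
        title = html.escape(str(b["title"]), quote=True)
        items.append(ITEM % (BUGZILLA_URL, bug_id, title, bug_id, title))
    return "<ul>" + "".join(items) + "</ul>"


# Tags this renderer emits itself; any other tag in the output was injected.
_OWN_TAGS = re.compile(r"<(?!/?(?:ul|li|a)\b)[^>]*>", re.IGNORECASE)
# The exact shape of every <a> we write: href and title, nothing extra.
_SAFE_ANCHOR = re.compile(r'<a href="[^"<>]*" title="[^"<>]*">')


def has_injected_markup(rendered):
    """Check a rendered fragment for markup the renderer did not author.

    Catches new elements (<script>) and attribute injection via a quote
    breakout, which adds no new tag but changes the shape of the <a> tag.
    """
    if _OWN_TAGS.search(rendered):
        return True
    return rendered.count("<a ") != len(_SAFE_ANCHOR.findall(rendered))


if __name__ == "__main__":
    for name, render in (("vulnerable", render_bugs_vulnerable), ("fixed", render_bugs_fixed)):
        out = render(SAMPLE_BUGS)
        print(f"{name}: injected markup = {has_injected_markup(out)}")
        print("  " + out)
```

The third sample title is the case a naive "strip `<script>`" filter misses: it contains no angle brackets at all, and only breaks out of the `title="..."` attribute, which is why the check counts anchor tags of the expected shape rather than looking for known-bad tags. In a template engine the equivalent of `render_bugs_fixed` is leaving autoescaping on (or applying the engine's HTML escape filter) for every value that originates from Bugzilla. Since anyone can file a Bugzilla ticket and set its subject, the title is attacker-controlled at its source; encoding at the output point is the control that holds regardless of who later references the bug.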