Bug 561796 (CVE-2009-3387, CVE-2009-3989)

Summary: CVE-2009-3387 CVE-2009-3989 bugzilla: Sensitive information disclosure via various attack vectors
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: itamar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 15:56:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2010-02-04 10:44:30 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3387 to
the following vulnerability:

Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group
restrictions to be preserved throughout the process of moving a bug to
a different product category, which allows remote attackers to obtain
sensitive information via a request for a bug in opportunistic
circumstances.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3387
  http://www.securityfocus.com/archive/1/archive/1/509282/100/0/threaded
  https://bugzilla.mozilla.org/show_bug.cgi?id=532493
  http://www.securityfocus.com/bid/38026
  http://secunia.com/advisories/38443
  http://www.vupen.com/english/advisories/2010/0261
  http://xforce.iss.net/xforce/xfdb/56004

--

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3989 to
the following vulnerability:

Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and
3.5.x before 3.5.3 does not block access to files and directories that
are used by custom installations, which allows remote attackers to
obtain sensitive information via requests for (1) CVS/, (2) contrib/,
(3) docs/en/xml/, (4) t/, or (5) old-params.txt.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3989
  http://www.securityfocus.com/archive/1/archive/1/509282/100/0/threaded
  https://bugzilla.mozilla.org/show_bug.cgi?id=314871
  https://bugzilla.mozilla.org/show_bug.cgi?id=434801
  http://www.securityfocus.com/bid/38025
  http://secunia.com/advisories/38443
  http://www.vupen.com/english/advisories/2010/0261
  http://xforce.iss.net/xforce/xfdb/56003
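
As an added defender-side example (not part of this bug report and not Bugzilla's own code): the path list comes from the CVE-2009-3989 text above, while the Apache 2.2 directive syntax, the `/bugzilla/` URL prefix and the log lines are assumptions constructed for the demonstration. The first helper emits deny rules for those paths; the second scans access-log lines for requests into them and reports whether the server actually served the file.

```python
import re
from urllib.parse import urlsplit

# Paths the CVE-2009-3989 text names as left readable in custom installations.
SENSITIVE_PATHS = ("CVS/", "contrib/", "docs/en/xml/", "t/", "old-params.txt")

def apache_deny_rules(webroot="/var/www/html/bugzilla"):
    """Return Apache 2.2-style stanzas denying all access to each listed path.
    Directories get a <Directory> block; the lone file gets a <Files> block."""
    stanzas = []
    for p in SENSITIVE_PATHS:
        if p.endswith("/"):
            tag, target = "Directory", f"{webroot.rstrip('/')}/{p.rstrip('/')}"
        else:
            tag, target = "Files", p
        stanzas.append(f'<{tag} "{target}">\n    Order deny,allow\n    Deny from all\n</{tag}>')
    return "\n".join(stanzas)

# Apache combined log format: client, identd, user, [time], "request", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_sensitive(rel_path):
    """True if a path relative to the Bugzilla root touches a listed file or dir."""
    return any(rel_path == p.rstrip("/") or rel_path.startswith(p)
               for p in SENSITIVE_PATHS)

def flag_sensitive_requests(log_lines, base="/bugzilla/"):
    """Return (client, path, status) for each request into a sensitive path.
    Status 200 means the file was served, i.e. the deny rules are not in effect."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path = urlsplit(target).path
        if path.startswith(base) and is_sensitive(path[len(base):]):
            hits.append((client, path, int(status)))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Feb/2010:10:44:30 +0000] "GET /bugzilla/CVS/Entries HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Feb/2010:10:44:31 +0000] "GET /bugzilla/old-params.txt HTTP/1.1" 403 214 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [04/Feb/2010:10:45:02 +0000] "GET /bugzilla/show_bug.cgi?id=1 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [04/Feb/2010:10:45:09 +0000] "GET /bugzilla/docs/en/xml/Bugzilla-Guide.xml HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
]
```

Running `flag_sensitive_requests(SAMPLE_LOG)` on the constructed lines flags three requests, two of which were served with 200 and one already blocked with 403.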

Comment 1 Jan Lieskovsky 2010-02-04 10:54:59 UTC
These issues have already been addressed for the versions of the
bugzilla package as shipped with Fedora releases 11 (version
fixing the issue was bugzilla-3.2.6-1.fc11) and 12 (version fixing
the issue was bugzilla-3.4.5-1.fc12).

But these flaws are still present in the versions of the bugzilla
package as shipped with Extra Packages for Enterprise Linux --
the EPEL-4 and EPEL-5 Fedora projects. Though versions bugzilla-3.2.4-1.el4
and bugzilla-3.2.4-2.el5 seem to already contain the fix for CVE-2009-3387
(the patch from https://bugzilla.mozilla.org/attachment.cgi?id=415719
seems to be already included), they are missing the fix for CVE-2009-3989
(patch from https://bugzilla.mozilla.org/show_bug.cgi?id=434801:

   https://bugzilla.mozilla.org/attachment.cgi?id=419687

).

Please collect the patches for the CVE-2009-3387 and CVE-2009-3989 flaws
(see the References part above) and update the versions of the bugzilla
package as shipped in EPEL with them.

Thanks.