Bug 913647 (CVE-2013-0785, CVE-2013-0786)
Field | Value | Field | Value
---|---|---|---
Summary: | CVE-2013-0785 CVE-2013-0786 bugzilla: XSS and information leak flaws fixed in 3.6.13/4.0.10/4.2.5/4.4rc2 | |
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | itamar, xavier
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | bugzilla 3.6.13, bugzilla 4.0.10, bugzilla 4.2.5, bugzilla 4.4rc2 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2021-10-19 22:00:27 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 913649 | |
Bug Blocks: | | |
Description
Vincent Danen
2013-02-21 17:56:57 UTC
External References: http://www.bugzilla.org/security/3.6.12/

Created bugzilla tracking bugs for this issue

Affects: epel-all [bug 913649]

(In reply to comment #0)
> recommend that EPEL gets bugzilla updated to the latest 3.6.13 for both
> versions so that it can continue to receive security fixes from upstream in
> a more timely fashion

I honestly wouldn't recommend jumping to another branch in older distros, as the DB schema and the codebase are different in Bugzilla 3.2, 3.4 and 3.6. If someone made some customizations, it's very likely that they will break during the major upgrade. Also, upgrading to the 3.6 branch to get new security fixes won't help much, as we don't expect any other release on this branch. Bugzilla 4.4 is almost there, and this means the EOL for Bugzilla 3.6.

So you think it is better to keep older/insecure packages? Because current EPEL packages are also missing the CVE-2012-1969, CVE-2012-3981, and CVE-2012-4747 fixes (in addition to these). They've not been touched in almost a year.