The upstream Bugzilla 4.0.14, 4.2.10, 4.4.5, 4.5.5 releases fix the following issue: "" Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1036213 "" The 3.2.10 and 3.4.14 versions in EPEL 5 and 6 appear too old to be affected. Reference: http://www.bugzilla.org/security/4.0.13/
Created bugzilla tracking bugs for this issue: Affects: fedora-all [bug 1123173]
Note that the issue was fixed in Adobe Flash, see CVE-2014-4671 (bug 1117588). The fix in Flash should address the issue, with Bugzilla fix only providing protection to users running outdated Flash. Details of the attack are in the following blog post: http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ Other links can be found in bug 1117588 comment 4.
bugzilla-4.2.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-4.2.10-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.