Bug 212355 - CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: bugzilla
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: John Berninger
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-10-26 14:46 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC

Last Closed: 2006-11-10 01:08:53 UTC

Description Ville Skyttä 2006-10-26 14:46:55 UTC
According to CVE descriptions, Bugzilla in FE-4 and later is vulnerable to:

CVE-2006-5453 (unauthorized write access)
CVE-2006-5454 (unauthorized information access)
CVE-2006-5455 (unauthorized write access)

Comment 1 Ville Skyttä 2006-11-08 20:42:15 UTC
ping

Comment 2 John Berninger 2006-11-08 22:30:33 UTC
Sorry, haven't had time to look at this with my travel schedule.  I'll try to
get it taken care of soon.

Comment 3 Ville Skyttä 2006-11-09 16:50:38 UTC
Hm, I see devel was updated to 2.22.1.  But FC-5 and FC-6 were patched with a
patch that is the complete diff between 2.22 and 2.22.1 except for some CVS
cruft in the tarball and a PDF doc - yet they're labeled as 2.22.  Was that on
purpose?

Comment 4 John Berninger 2006-11-10 00:57:07 UTC
Yes.  I'm trying to follow the RHEL example of keeping versions the same and
backporting patches for any distros already released.  FE-4 is also about to get
the same treatment as 5 and 6.

Comment 5 Ville Skyttä 2006-11-10 06:51:49 UTC
Yes, I understand that part of the intention.

But the patch contains *everything* between 2.22 and 2.22.1, not just a subset
of selected fixes, e.g. security ones.  So, the patched version is actually
2.22.1, but its Version tag says 2.22 - the same effect would have been achieved
by using the upstream 2.22.1 tarball and labeling it as 2.22.


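The question raised in comments 3 and 5 (is the FC-5/FC-6 "backport" patch really the whole 2.22 to 2.22.1 diff, or only a subset of fixes?) can be checked mechanically rather than by eyeballing the patch. The script below is an added example, not code from this bug or from the Fedora bugzilla package: it applies a patch to a copy of the old source tree and compares the result with the new upstream tree, ignoring CVS directories and PDF docs the way the report does. The tree layout, file contents and patch names in `make_demo` are constructed for the demo; the only assumption about a real package is that the patch was made as `diff -ruN old new` and so applies with `-p1`.

```shell
#!/bin/sh
# Added example: decide whether a "backport" patch is in fact the complete
# upstream diff between two releases.  Not from the bug or the Fedora package.
# Needs only diff(1), patch(1), cp(1) and mktemp(1).

# backport_is_full_upstream OLD_TREE NEW_TREE PATCH
# Prints "full" when applying PATCH (-p1) to a copy of OLD_TREE reproduces
# NEW_TREE, ignoring CVS directories and *.pdf (the cruft the report mentions),
# and "partial" when differences remain.  Returns 1 if the patch does not apply.
backport_is_full_upstream() {
    old="$1"; new="$2"; patch="$3"
    work=$(mktemp -d) || return 1
    cp -R "$old/." "$work/"
    # -p1 strips the leading tree name from a diff made as `diff -ruN old new`
    if ! patch -s -p1 -d "$work" < "$patch"; then
        rm -rf "$work"
        return 1
    fi
    if diff -r -x CVS -x '*.pdf' "$work" "$new" > /dev/null; then
        result=full
    else
        result=partial
    fi
    rm -rf "$work"
    echo "$result"
}

# make_demo DIR: build a constructed 2.22-like tree, a 2.22.1-like tree,
# the complete diff between them (full.patch) and a security-only subset
# (security-only.patch).  Contents are invented for the demo only.
make_demo() {
    root="$1"
    mkdir -p "$root/old/CVS" "$root/new/CVS"
    printf 'sub check_perms { return 1 }\n'                 > "$root/old/Bug.pm"
    printf 'version 2.22\n'                                 > "$root/old/README"
    printf 'sub check_perms { return $user->can_edit }\n'   > "$root/new/Bug.pm"
    printf 'version 2.22.1\nnew feature notes\n'            > "$root/new/README"
    printf 'cvs metadata\n'                                 > "$root/new/CVS/Entries"
    printf '%%PDF-1.4 stub\n'                               > "$root/new/guide.pdf"
    # diff exits 1 when the trees differ, which is expected here
    ( cd "$root" && diff -ruN -x CVS -x '*.pdf' old new > full.patch ) || true
    ( cd "$root" && diff -u old/Bug.pm new/Bug.pm > security-only.patch ) || true
}

# Stand-alone run: the complete diff reports "full", the subset "partial".
demo=$(mktemp -d)
make_demo "$demo"
echo "full.patch:          $(backport_is_full_upstream "$demo/old" "$demo/new" "$demo/full.patch")"
echo "security-only.patch: $(backport_is_full_upstream "$demo/old" "$demo/new" "$demo/security-only.patch")"
rm -rf "$demo"
```

On a real package the two trees are the unpacked upstream tarballs and the patch is the one named in the spec file; a "full" result means the Version tag is understating what is actually shipped, which is exactly the point made in comment 5.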