Bugzilla will be upgraded to version 5.0 on December 2, 2018. The outage period for the upgrade will start at 0:00 UTC and have a duration of 12 hours
First Last Prev Next    This bug is not in your last search results.
Bug 212355 - CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: bugzilla (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: John Berninger
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-10-26 10:46 EDT by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-11-09 20:08:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Ville Skyttä 2006-10-26 10:46:55 EDT 
According to CVE descriptions, Bugzilla in FE-4 and later is vulnerable to:

CVE-2006-5453 (unauthorized write access)
CVE-2006-5454 (unauthorized information access)
CVE-2006-5455 (unauthorized write access)
Comment 1 Ville Skyttä 2006-11-08 15:42:15 EST 
ping
Comment 2 John Berninger 2006-11-08 17:30:33 EST 
Sorry, haven't had time to look at this with my travel schedule.  I'll try to
get it taken care of soon.
Comment 3 Ville Skyttä 2006-11-09 11:50:38 EST 
Hm, I see devel was updated to 2.22.1.  But FC-5 and FC-6 were patched with a
patch that is the complete diff between 2.22 and 2.22.1 except for some CVS
cruft in the tarball and a PDF doc - yet they're labeled as 2.22.  Was that on
purpose?
Comment 4 John Berninger 2006-11-09 19:57:07 EST 
Yes.  I'm trying to follow the RHEL example of keeping versions the same and
backporting patches for any distros already released.  FE-4 is also about to get
the same treatment as 5 and 6.
Comment 5 Ville Skyttä 2006-11-10 01:51:49 EST 
Yes, I understand that part of the intention.

But the patch contains *everything* between 2.22 and 2.22.1, not just a subset
of selected fixes, eg. security ones.  So, the patched version is actually
2.22.1, but its Version tag says 2.22 - the same effect would have been achieved
by using the upstream 2.22.1 tarball and labeling it as 2.22.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.