Bug 212355 - CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
Product: Fedora
Classification: Fedora
Component: bugzilla
All Linux
medium Severity medium
Assigned To: John Berninger
Fedora Extras Quality Assurance
: Security
Reported: 2006-10-26 10:46 EDT by Ville Skyttä
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-11-09 20:08:53 EST
Description Ville Skyttä 2006-10-26 10:46:55 EDT
According to CVE descriptions, Bugzilla in FE-4 and later is vulnerable to:

CVE-2006-5453 (unauthorized write access)
CVE-2006-5454 (unauthorized information access)
CVE-2006-5455 (unauthorized write access)
Comment 1 Ville Skyttä 2006-11-08 15:42:15 EST
Comment 2 John Berninger 2006-11-08 17:30:33 EST
Sorry, haven't had time to look at this with my travel schedule.  I'll try to
get it taken care of soon.
Comment 3 Ville Skyttä 2006-11-09 11:50:38 EST
Hm, I see devel was updated to 2.22.1.  But FC-5 and FC-6 were patched with a
patch that is the complete diff between 2.22 and 2.22.1 except for some CVS
cruft in the tarball and a PDF doc - yet they're labeled as 2.22.  Was that on
Comment 4 John Berninger 2006-11-09 19:57:07 EST
Yes.  I'm trying to follow the RHEL example of keeping versions the same and
backporting patches for any distros already released.  FE-4 is also about to get
the same treatment as 5 and 6.
Comment 5 Ville Skyttä 2006-11-10 01:51:49 EST
Yes, I understand that part of the intention.

But the patch contains *everything* between 2.22 and 2.22.1, not just a subset
of selected fixes, e.g. security ones.  So, the patched version is actually
2.22.1, but its Version tag says 2.22 - the same effect would have been achieved
by using the upstream 2.22.1 tarball and labeling it as 2.22.
