Bug 256461 - New release of Bugzilla fixes several security flaws
Summary: New release of Bugzilla fixes several security flaws
Status: CLOSED DUPLICATE of bug 256021
Alias: None
Product: Fedora
Classification: Fedora
Component: bugzilla   
(Show other bugs)
Version: 7
Hardware: All All
Target Milestone: ---
Assignee: John Berninger
QA Contact: Fedora Extras Quality Assurance
URL: http://www.bugzilla.org/security/2.20.4/
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2007-08-27 14:03 UTC by Lubomir Kundrak
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-27 15:25:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Lubomir Kundrak 2007-08-27 14:03:42 UTC
The upstream advisory reads:

Issue 1
Class:       Cross-Site Scripting
Versions:    2.17.1 and above
Description: Bugzilla does not properly escape the 'buildid' field in
             the guided form when filing bugs. From 2.17.1 till 2.23.3,
             this field was based exclusively on the User-Agent string
             returned by your web browser. Since 2.23.4, this parameter
             can be defined in the URL passed to enter_bug.cgi, overwriting
             the User-Agent string and may lead to cross-site scripting.
             The guided form is not usually used by Bugzilla installations,
             as it is shipped only as an example to be modified for their
             own use.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=386942

Issue 2
Class:       Command Injection
Versions:    2.23.4 and above
Description: Bugzilla 2.23.4 and newer use the Email:: modules instead
             of the Mail:: and MIME:: ones. The argument passed to the -f
             option of Email::Send::Sendmail() is insufficiently escaped
             and may lead to limited command injection when called from
             email_in.pl, a script which was also introduced in 2.23.4.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=386860

Issue 3
Class:       Information Leak
Versions:    2.23.3 and above
Description: Bugzilla's WebService (XML-RPC) interface allows you to access
             the time-tracking fields (such as Deadline, Estimated Time, etc.)
             on all bugs, even if you normally cannot access time-tracking
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=382056

Comment 1 Lubomir Kundrak 2007-08-27 14:08:01 UTC
CVE identifiers for each of these bugs were requested.

Comment 2 Lubomir Kundrak 2007-08-27 15:25:22 UTC

*** This bug has been marked as a duplicate of 256021 ***

Note You need to log in before you can comment on or make changes to this bug.