Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2105 to the following vulnerability:

email_in.pl in Bugzilla 2.23.4, and later versions before 3.0, allows remote authenticated users to more easily spoof the changer of a bug via a @reporter command in the body of an e-mail message, which overrides the e-mail address as normally obtained from the From e-mail header. NOTE: since From headers are easily spoofed, this only crosses privilege boundaries in environments that provide additional verification of e-mail addresses.

Fixed upstream in: 3.0.4, 3.1.4, 2.22.4, and 2.20.6

References:
http://www.bugzilla.org/security/2.20.5/
https://bugzilla.mozilla.org/show_bug.cgi?id=419188
http://www.securityfocus.com/bid/29038
http://www.frsirt.com/english/advisories/2008/1428/references
http://www.securitytracker.com/id?1019969
http://secunia.com/advisories/30064
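The override described in the comment above, modelled as an added example (this is not Bugzilla's email_in.pl code and not part of the original report). It contrasts a gateway that lets a body `@reporter` line replace the From address with one that ignores it and flags the mismatch. The `@field = value` syntax, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed "@field = value" command syntax; a simplified model, not Bugzilla's parser.
COMMAND_RE = re.compile(r"^\s*@(\w+)\s*[=:]\s*(.*?)\s*$")

def parse_commands(body):
    """Collect @field commands found in the message body."""
    fields = {}
    for line in body.splitlines():
        m = COMMAND_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def resolve_changer(raw_message, allow_body_override=False):
    """Decide which account a mail-driven bug change is attributed to.

    allow_body_override=True models the behaviour described in CVE-2008-2105.
    The default ignores @reporter and reports it when it disagrees with From.
    """
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    claimed = parse_commands(msg.get_payload()).get("reporter", "").lower()
    mismatch = bool(claimed) and claimed != from_addr
    if allow_body_override and claimed:
        changer = claimed      # body content wins over the From header
    else:
        changer = from_addr    # identity comes from the From header only
    # The From header is itself spoofable; whatever verifies sender addresses
    # in front of the gateway still has to vouch for from_addr.
    return {"changer": changer, "mismatch": mismatch}

# Constructed sample message (addresses are placeholders).
SAMPLE = (
    "From: Alice <alice@example.com>\n"
    "Subject: Crash on startup\n"
    "\n"
    "@product = TestProduct\n"
    "@reporter = bob@example.com\n"
    "\n"
    "Steps to reproduce follow.\n"
)

if __name__ == "__main__":
    print("override allowed:", resolve_changer(SAMPLE, allow_body_override=True))
    print("override ignored:", resolve_changer(SAMPLE))
```

The `mismatch` flag is worth logging on a patched gateway as well, since it marks messages that tried to name a different changer than the sender.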
bugzilla-3.0.4-1.fc7 has been submitted as an update for Fedora 7
bugzilla-3.0.4-1.fc8 has been submitted as an update for Fedora 8
bugzilla-3.0.4-1.fc9 has been submitted as an update for Fedora 9
bugzilla-3.0.4-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-3.0.4-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3488
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3442
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3668
bugzilla-3.0.4-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.