Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element. https://bugzilla.mozilla.org/show_bug.cgi?id=437169 http://www.bugzilla.org/security/2.22.4/ http://www.securityfocus.com/bid/30661 http://www.frsirt.com/english/advisories/2008/2344 http://secunia.com/advisories/31444
Created bugzilla tracking bugs for this issue CVE-2008-4437 Affects: F8 [bug #465957] CVE-2008-4437 Affects: F9 [bug #465958] CVE-2008-4437 Affects: Fdevel [bug #465959]
bugzilla-3.2.2-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/bugzilla-3.2.2-2.fc9
bugzilla-3.2.2-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/bugzilla-3.2.2-2.fc10
bugzilla-3.2.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-3.2.2-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.