Red Hat Bugzilla – Bug 484813
CVE-2009-0486 bugzilla: CSRF protection bypass when running under mod_perl
Last modified: 2016-03-04 06:56:42 EST
Reference: CONFIRM: http://www.bugzilla.org/security/3.0.7/
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls
the srand function at startup time, which causes Apache children to
have the same seed and produce insufficiently random numbers for
random tokens, which allows remote attackers to bypass cross-site
request forgery (CSRF) protection mechanisms and conduct unauthorized
activities as other users.
bugzilla-3.2.2-2.fc9 has been submitted as an update for Fedora 9.
bugzilla-3.2.2-2.fc10 has been submitted as an update for Fedora 10.
bugzilla-3.2.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-3.2.2-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.