Red Hat Bugzilla – Bug 539598
CVE-2009-3386 bugzilla hidden bug alias disclosure
Last modified: 2010-03-29 06:03:59 EDT
Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1
allows remote attackers to discover the alias of a private bug by
reading the (1) Depends On or (2) Blocks field of a related bug.
Created bugzilla tracking bugs for this issue:
CVE-2009-3386 Affects: F11 [bug #539599]
CVE-2009-3386 Affects: F12 [bug #539600]
CVE-2009-3386 Affects: Fdevel [bug #539601]
Upstream advisory says it only affects 3.3.2 and later. As F11 is on 3.2.5 now, it should not be affected.
Rawhide already has 3.4.4 and the F12 update was already submitted:
bugzilla-3.4.4-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.