Bug 672856 - bugzilla: multiple security issues [epel-all]
Summary: bugzilla: multiple security issues [epel-all]
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: bugzilla
Version: el6
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Itamar Reis Peixoto
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Security, SecurityTracking
Depends On:
Blocks: CVE-2010-4411, CVE-2010-4567, CVE-2010-4568, CVE-2010-4569, CVE-2010-4570, CVE-2010-4572, CVE-2011-0046, CVE-2011-0048
TreeView+ depends on / blocked
 
Reported: 2011-01-26 15:45 UTC by Tomas Hoger
Modified: 2011-12-30 20:05 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-12-30 20:04:27 UTC


Attachments (Terms of Use)
0001-Update-to-3.2.5.patch (2.16 KB, patch)
2011-05-02 22:49 UTC, Xavier Bachelot
no flags Details | Diff
0002-Fix-typo-that-causes-a-failure-to-update-the-common-.patch (1.02 KB, patch)
2011-05-02 22:49 UTC, Xavier Bachelot
no flags Details | Diff
0003-Fix-typo-that-causes-a-failure-to-update-the-common-.patch (1.12 KB, patch)
2011-05-02 22:49 UTC, Xavier Bachelot
no flags Details | Diff
0004-Update-to-3.2.6.patch (2.39 KB, patch)
2011-05-02 22:50 UTC, Xavier Bachelot
no flags Details | Diff
0005-Correct-the-specfile-s-changelog.patch (1.18 KB, patch)
2011-05-02 22:50 UTC, Xavier Bachelot
no flags Details | Diff
0006-Use-Linux-requirements-not-Windows.patch (1.57 KB, patch)
2011-05-02 22:51 UTC, Xavier Bachelot
no flags Details | Diff
0007-dist-git-conversion.patch (2.24 KB, patch)
2011-05-02 22:51 UTC, Xavier Bachelot
no flags Details | Diff
0008-dist-git-conversion.patch (2.27 KB, patch)
2011-05-02 22:51 UTC, Xavier Bachelot
no flags Details | Diff
0009-update-to-3.2.10.patch (3.31 KB, patch)
2011-05-02 22:52 UTC, Xavier Bachelot
no flags Details | Diff

Description Tomas Hoger 2011-01-26 15:45:39 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=672853

Please note: this issue affects multiple supported versions of Fedora EPEL.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.


[bug automatically created by: add-tracking-bugs]

Comment 1 Tomas Hoger 2011-01-26 15:47:22 UTC
EPEL-4 and EPEL-5 have 3.2.4 currently, EPEL-6 has 3.4.5.

Comment 2 Xavier Bachelot 2011-05-02 22:48:36 UTC
Please find attached a patch serie for the EL5 branch that merges F11 branch (update up to 3.2.6) then updates to 3.2.10, which fixes all of the above CVEs. This has been build tested but not run tested yet.

Something similar can be done for EL6, let me know if there is any interest in this. I currently can't test this until Centos 6 is out.

Comment 3 Xavier Bachelot 2011-05-02 22:49:16 UTC
Created attachment 496397 [details]
0001-Update-to-3.2.5.patch

Comment 4 Xavier Bachelot 2011-05-02 22:49:37 UTC
Created attachment 496398 [details]
0002-Fix-typo-that-causes-a-failure-to-update-the-common-.patch

Comment 5 Xavier Bachelot 2011-05-02 22:49:57 UTC
Created attachment 496399 [details]
0003-Fix-typo-that-causes-a-failure-to-update-the-common-.patch

Comment 6 Xavier Bachelot 2011-05-02 22:50:18 UTC
Created attachment 496400 [details]
0004-Update-to-3.2.6.patch

Comment 7 Xavier Bachelot 2011-05-02 22:50:49 UTC
Created attachment 496401 [details]
0005-Correct-the-specfile-s-changelog.patch

Comment 8 Xavier Bachelot 2011-05-02 22:51:10 UTC
Created attachment 496402 [details]
0006-Use-Linux-requirements-not-Windows.patch

Comment 9 Xavier Bachelot 2011-05-02 22:51:28 UTC
Created attachment 496403 [details]
0007-dist-git-conversion.patch

Comment 10 Xavier Bachelot 2011-05-02 22:51:52 UTC
Created attachment 496404 [details]
0008-dist-git-conversion.patch

Comment 11 Xavier Bachelot 2011-05-02 22:52:17 UTC
Created attachment 496405 [details]
0009-update-to-3.2.10.patch

Comment 12 Vincent Danen 2011-05-16 21:01:12 UTC
Why do you want to do all this patching?  Better to upgrade to the latest upstream 3.2.x and 3.4.x.  EPEL is sorely out-dated and vulnerable to a _lot_ of things with those old versions.

Comment 13 Xavier Bachelot 2011-05-16 22:15:59 UTC
(In reply to comment #12)
> Why do you want to do all this patching?  Better to upgrade to the latest
> upstream 3.2.x and 3.4.x.  EPEL is sorely out-dated and vulnerable to a _lot_
> of things with those old versions.

Because EPEL is tied to the same rules as RHEL, that is no major update during the lifetime of the release (if at all possible indeed). Also, bugzilla updates to a later point releases are not transparent, you have to manually run some scripts and that is not desirable either. AFAIU, 3.2.10 is the latest in the still maintained 3.2 serie and closes all known security issues. All the patches are because I've taken all the changesets from another Fedora branch, there's no major surgery to the bugzilla code in there. Anyway, I'm not the maintainer for bugzilla, I just thought it might help him bite the bullet and fix all those nasty CVEs.

Comment 14 Vincent Danen 2011-05-20 15:50:56 UTC
Ahhh, ok.  Fair enough.  That makes sense (although I think for web apps, running the latest version would be best, but who am I to argue with policy?).  Thanks for the assistance then.

Comment 15 Xavier Bachelot 2011-07-17 21:43:48 UTC
Itamar, I've requested commit rights to the EPEL branches in order to fix this issues myself (xavierb).

Comment 16 Fedora Update System 2011-07-18 20:42:19 UTC
bugzilla-3.4.11-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/bugzilla-3.4.11-1.el6

Comment 17 Fedora Update System 2011-07-18 20:42:27 UTC
bugzilla-3.2.10-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/bugzilla-3.2.10-1.el5

Comment 18 Fedora Update System 2011-07-20 15:32:34 UTC
Package bugzilla-3.4.11-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing bugzilla-3.4.11-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/bugzilla-3.4.11-1.el6
then log in and leave karma (feedback).

Comment 19 Bill McGonigle 2011-11-06 06:09:09 UTC
As of today this update is still in pending, not in testing yet.  What needs to be done to get it into testing?

I downloaded the rpm from koji, and a checksetup/smoketest looks fine.

Comment 20 Xavier Bachelot 2011-11-06 10:23:59 UTC
(In reply to comment #19)
> As of today this update is still in pending, not in testing yet.  What needs to
> be done to get it into testing?
> 
> I downloaded the rpm from koji, and a checksetup/smoketest looks fine.

I guess you are talking about the EL5 build, as the EL6 one is in testing already. As such I'm not sure which build you tested.
Anyway, it's not pushed to testing because I hadn't had time to do thorough testing. the 3.2 branch is not supported by upstream anymore and I had to backport a number of fixes. Actually, I think the build would rather be in testing than in koji, so I'm going to push it there.

Comment 21 Fedora Update System 2011-11-06 10:37:58 UTC
bugzilla-3.2.10-2.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/bugzilla-3.2.10-2.el5

Comment 22 Bill McGonigle 2011-11-06 17:16:31 UTC
Sorry, to be unclear.  I was talking about EL6 - this build, I think:

https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-3863?_csrf_token=869aab4e96b2058cbcd9cbe89aac19f0925fe568

It currently says it's 'pending' and not yet pushed to any repos.  If I enable only the updates-testing repo and do a 'yum list bugzilla' I don't get any hits either, so I think that's right.

It was this build I pulled from koji and smoke-tested.

The way I personally evaluate this is that there are /known/ problems (disclosed security ones at that). There may also be problems with your patches (thank you for backporting!) but we don't know that, so better to err on the side of getting the security updates out, and then fixing the unknown problems if reported.

Other people might reasonably take the more cautious approach, especially if their bugzilla isn't Internet-facing.  I don't know if Fedora offers guidance on which way to lean.

Comment 23 Xavier Bachelot 2011-11-06 22:27:26 UTC
Sorry about that, I thought I pushed at least the EL6 build but I did not. This is done now, fixed bugzilla builds are on their way to epel-testing for both EL5 and EL6.

Comment 24 Fedora Update System 2011-12-30 20:04:27 UTC
bugzilla-3.4.12-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2011-12-30 20:05:53 UTC
bugzilla-3.2.10-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.