This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions. For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=672853 Please note: this issue affects multiple supported versions of Fedora EPEL. Only one tracking bug has been filed; please only close it when all affected versions are fixed. [bug automatically created by: add-tracking-bugs]
EPEL-4 and EPEL-5 have 3.2.4 currently, EPEL-6 has 3.4.5.
Please find attached a patch serie for the EL5 branch that merges F11 branch (update up to 3.2.6) then updates to 3.2.10, which fixes all of the above CVEs. This has been build tested but not run tested yet. Something similar can be done for EL6, let me know if there is any interest in this. I currently can't test this until Centos 6 is out.
Created attachment 496397 [details] 0001-Update-to-3.2.5.patch
Created attachment 496398 [details] 0002-Fix-typo-that-causes-a-failure-to-update-the-common-.patch
Created attachment 496399 [details] 0003-Fix-typo-that-causes-a-failure-to-update-the-common-.patch
Created attachment 496400 [details] 0004-Update-to-3.2.6.patch
Created attachment 496401 [details] 0005-Correct-the-specfile-s-changelog.patch
Created attachment 496402 [details] 0006-Use-Linux-requirements-not-Windows.patch
Created attachment 496403 [details] 0007-dist-git-conversion.patch
Created attachment 496404 [details] 0008-dist-git-conversion.patch
Created attachment 496405 [details] 0009-update-to-3.2.10.patch
Why do you want to do all this patching? Better to upgrade to the latest upstream 3.2.x and 3.4.x. EPEL is sorely out-dated and vulnerable to a _lot_ of things with those old versions.
(In reply to comment #12) > Why do you want to do all this patching? Better to upgrade to the latest > upstream 3.2.x and 3.4.x. EPEL is sorely out-dated and vulnerable to a _lot_ > of things with those old versions. Because EPEL is tied to the same rules as RHEL, that is no major update during the lifetime of the release (if at all possible indeed). Also, bugzilla updates to a later point releases are not transparent, you have to manually run some scripts and that is not desirable either. AFAIU, 3.2.10 is the latest in the still maintained 3.2 serie and closes all known security issues. All the patches are because I've taken all the changesets from another Fedora branch, there's no major surgery to the bugzilla code in there. Anyway, I'm not the maintainer for bugzilla, I just thought it might help him bite the bullet and fix all those nasty CVEs.
Ahhh, ok. Fair enough. That makes sense (although I think for web apps, running the latest version would be best, but who am I to argue with policy?). Thanks for the assistance then.
Itamar, I've requested commit rights to the EPEL branches in order to fix this issues myself (xavierb).
bugzilla-3.4.11-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/bugzilla-3.4.11-1.el6
bugzilla-3.2.10-1.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/bugzilla-3.2.10-1.el5
Package bugzilla-3.4.11-1.el6: * should fix your issue, * was pushed to the Fedora EPEL 6 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing bugzilla-3.4.11-1.el6' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/bugzilla-3.4.11-1.el6 then log in and leave karma (feedback).
As of today this update is still in pending, not in testing yet. What needs to be done to get it into testing? I downloaded the rpm from koji, and a checksetup/smoketest looks fine.
(In reply to comment #19) > As of today this update is still in pending, not in testing yet. What needs to > be done to get it into testing? > > I downloaded the rpm from koji, and a checksetup/smoketest looks fine. I guess you are talking about the EL5 build, as the EL6 one is in testing already. As such I'm not sure which build you tested. Anyway, it's not pushed to testing because I hadn't had time to do thorough testing. the 3.2 branch is not supported by upstream anymore and I had to backport a number of fixes. Actually, I think the build would rather be in testing than in koji, so I'm going to push it there.
bugzilla-3.2.10-2.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/bugzilla-3.2.10-2.el5
Sorry, to be unclear. I was talking about EL6 - this build, I think: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-3863?_csrf_token=869aab4e96b2058cbcd9cbe89aac19f0925fe568 It currently says it's 'pending' and not yet pushed to any repos. If I enable only the updates-testing repo and do a 'yum list bugzilla' I don't get any hits either, so I think that's right. It was this build I pulled from koji and smoke-tested. The way I personally evaluate this is that there are /known/ problems (disclosed security ones at that). There may also be problems with your patches (thank you for backporting!) but we don't know that, so better to err on the side of getting the security updates out, and then fixing the unknown problems if reported. Other people might reasonably take the more cautious approach, especially if their bugzilla isn't Internet-facing. I don't know if Fedora offers guidance on which way to lean.
Sorry about that, I thought I pushed at least the EL6 build but I did not. This is done now, fixed bugzilla builds are on their way to epel-testing for both EL5 and EL6.
bugzilla-3.4.12-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-3.2.10-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.