Upstream has released  versions 4.0.5, 4.2 to correct a CSRF vulnerability
Due to a lack of validation of the enctype form attribute when making POST requests to xmlrpc.cgi, a possible CSRF vulnerability was discovered. If a user visits an HTML page with some malicious HTML code in it, an attacker could make changes to a remote Bugzilla installation on behalf of the victim's account by using the XML-RPC API on a site running mod_perl. Sites running under mod_cgi are not affected. Also the user would have had to be already logged in to the target site for the vulnerability to work.
Created bugzilla tracking bugs for this issue
Affects: fedora-all [bug 796985]
bugzilla-4.0.5-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.