Common Vulnerabilities and Exposures assigned the identifier CVE-2009-3387 to the following vulnerability:

Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group restrictions to be preserved throughout the process of moving a bug to a different product category, which allows remote attackers to obtain sensitive information via a request for a bug in opportunistic circumstances.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3387
http://www.securityfocus.com/archive/1/archive/1/509282/100/0/threaded
https://bugzilla.mozilla.org/show_bug.cgi?id=532493
http://www.securityfocus.com/bid/38026
http://secunia.com/advisories/38443
http://www.vupen.com/english/advisories/2010/0261
http://xforce.iss.net/xforce/xfdb/56004

--

Common Vulnerabilities and Exposures assigned the identifier CVE-2009-3989 to the following vulnerability:

Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3989
http://www.securityfocus.com/archive/1/archive/1/509282/100/0/threaded
https://bugzilla.mozilla.org/show_bug.cgi?id=314871
https://bugzilla.mozilla.org/show_bug.cgi?id=434801
http://www.securityfocus.com/bid/38025
http://secunia.com/advisories/38443
http://www.vupen.com/english/advisories/2010/0261
http://xforce.iss.net/xforce/xfdb/56003
These issues have already been addressed in the versions of the bugzilla package shipped with Fedora 11 (fixed in bugzilla-3.2.6-1.fc11) and Fedora 12 (fixed in bugzilla-3.4.5-1.fc12). But these flaws are still present in the versions of the bugzilla package shipped with Extra Packages for Enterprise Linux (EPEL-4 and EPEL-5). Though bugzilla-3.2.4-1.el4 and bugzilla-3.2.4-2.el5 seem to already contain the fix for CVE-2009-3387 (the patch from https://bugzilla.mozilla.org/attachment.cgi?id=415719 appears to be included), they are missing the fix for CVE-2009-3989 (the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=434801: https://bugzilla.mozilla.org/attachment.cgi?id=419687). Please collect the patches for the CVE-2009-3387 and CVE-2009-3989 flaws (see the References above) and update the versions of the bugzilla package shipped in EPEL with them. Thanks.
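As an added illustration of the CVE-2009-3989 mitigation (this is not the upstream Bugzilla patch, which lives in the attachment referenced above), the following Apache 2.2-style httpd.conf fragment denies web access to exactly the five paths named in the CVE description. It assumes Bugzilla is installed under /var/www/bugzilla (a placeholder path) and that the web server, not Bugzilla, enforces the restriction.

```apache
# Added example, not part of the Bugzilla project or the EPEL package.
# /var/www/bugzilla is a placeholder for the real install directory.

# Directories from the CVE-2009-3989 description: CVS/ (which appears in every
# subdirectory of a CVS checkout, hence the (.*/)? prefix), contrib/,
# docs/en/xml/ and t/. The trailing (/|$) blocks the directory itself and
# everything beneath it, but not e.g. a file merely named "tfoo".
<DirectoryMatch "^/var/www/bugzilla/((.*/)?CVS|contrib|docs/en/xml|t)(/|$)">
    Order allow,deny
    Deny from all
</DirectoryMatch>

# old-params.txt is a single file written by checksetup.pl when parameters
# are removed; it can hold configuration values and must not be served.
<Directory "/var/www/bugzilla">
    <Files "old-params.txt">
        Order allow,deny
        Deny from all
    </Files>
</Directory>
```

After reloading httpd, verify on your own instance that a request for each of the five paths returns 403 rather than a listing or file contents; a 200 on any of them means the rule set is not active for that vhost.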