Upstream Bugzilla has released 3.4.8 and 3.6.2 to address four security flaws [1]: Vulnerability Details ===================== Class: Remote Information Disclosure Versions: 2.19.1 to 3.2.7, 3.3.1 to 3.4.7, 3.5.1 to 3.6.1, 3.7 to 3.7.2 Fixed In: 3.2.8, 3.4.8, 3.6.2, 3.7.3 Description: An unprivileged user is normally not allowed to view other users' group membership. But boolean charts let the user use group-based pronouns, indirectly disclosing group membership. This security fix restricts the use of pronouns to groups the user belongs to. References: https://bugzilla.mozilla.org/show_bug.cgi?id=417048 CVE Number: CVE-2010-2756 Class: Notification Bypass Versions: 2.22rc1 to 3.2.7, 3.3.1 to 3.4.7, 3.5.1 to 3.6.1, 3.7 to 3.7.2 Fixed In: 3.2.8, 3.4.8, 3.6.2, 3.7.3 Description: Normally, when a user is impersonated, he receives an email informing him that he is being impersonated, containing the identity of the impersonator. However, it was possible to impersonate a user without this notification being sent. References: https://bugzilla.mozilla.org/show_bug.cgi?id=450013 CVE Number: CVE-2010-2757 Class: Remote Information Disclosure Versions: 2.17.1 to 3.2.7, 3.3.1 to 3.4.7, 3.5.1 to 3.6.1, 3.7 to 3.7.2 Fixed In: 3.2.8, 3.4.8, 3.6.2, 3.7.3 Description: An error message thrown by the "Reports" and "Duplicates" page confirmed the non-existence of products, thus allowing users to guess confidential product names. (Note that the "Duplicates" page was not vulnerable in Bugzilla 3.6rc1 and above though.) References: https://bugzilla.mozilla.org/show_bug.cgi?id=577139 https://bugzilla.mozilla.org/show_bug.cgi?id=519835 CVE Number: CVE-2010-2758 Class: Denial of Service Versions: 2.23.1 to 3.2.7, 3.3.1 to 3.4.7, 3.5.1 to 3.6.1, 3.7 to 3.7.2 Fixed In: 3.2.8, 3.4.8, 3.6.2, 3.7.3 Description: If a comment contained the phrases "bug X" or "attachment X", where X was an integer larger than the maximum 32-bit signed integer size, PostgreSQL would throw an error, and any page containing that comment would not be viewable. On most Bugzillas, any user can enter a comment on any bug, so any user could have used this to deny access to one or all bugs. Bugzillas running on databases other than PostgreSQL are not affected. References: https://bugzilla.mozilla.org/show_bug.cgi?id=583690 CVE Number: CVE-2010-2759 [1] http://www.bugzilla.org/security/3.2.7/
Created bugzilla tracking bugs for this issue Affects: fedora-all [bug 623426]
Errata has been released.