Bugzilla upstream has released updates fixing multiple security issues: http://www.bugzilla.org/security/3.2.9/ Quoting upstream advisory: Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. Recently, Mozilla expanded its security bug bounty program to include web applications (http://www.mozilla.org/security/bug-bounty.html). As a result, several new security issues affecting Bugzilla were discovered: * A weakness in Bugzilla could allow a user to gain unauthorized access to another Bugzilla account. * A weakness in the Perl CGI.pm module allows injecting HTTP headers and content to users via several pages in Bugzilla. * The new user autocomplete functionality in Bugzilla 4.0 is vulnerable to a cross-site scripting attack. * The new automatic duplicate detection functionality in Bugzilla 4.0 is vulnerable to a cross-site scripting attack. * If you put a harmful "javascript:" or "data:" URL into Bugzilla's "URL" field, then there are multiple situations in which Bugzilla will unintentionally make that link clickable. * Various pages lack protection against cross-site request forgeries. All affected installations are encouraged to upgrade as soon as possible. Vulnerability Details ===================== Class: Account Compromise Versions: 2.14 to 3.2.9, 3.4.9, 3.6.3, 4.0rc1 Fixed In: 3.2.10, 3.4.10, 3.6.4, 4.0rc2 Description: It was possible for a user to gain unauthorized access to any Bugzilla account in a very short amount of time (short enough that the attack is highly effective). This is a critical vulnerability that should be patched immediately by all Bugzilla installations. References: https://bugzilla.mozilla.org/show_bug.cgi?id=621591 https://bugzilla.mozilla.org/show_bug.cgi?id=619594 CVE Number: CVE-2010-4568 Class: HTTP Response Splitting Versions: Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2 Fixed In: 3.2.10, 3.4.10, 3.6.4, 4.0rc2 Description: By inserting particular strings into certain URLs, it was possible to inject both headers and content to any browser. References: https://bugzilla.mozilla.org/show_bug.cgi?id=591165 https://bugzilla.mozilla.org/show_bug.cgi?id=621572 http://avatraxiom.livejournal.com/104105.html http://cwe.mitre.org/data/definitions/113.html CVE Number: CVE-2010-2761, CVE-2010-4411, CVE-2010-4572 Class: Cross-Site Scripting Versions: 3.7.1 to 4.0rc1 Fixed In: 4.0rc2 Description: Bugzilla 3.7.x and 4.0rc1 have a new client-side autocomplete mechanism for all fields where a username is entered. This mechanism was vulnerable to a cross-site scripting attack. References: https://bugzilla.mozilla.org/show_bug.cgi?id=619637 CVE Number: CVE-2010-4569 Class: Cross-Site Scripting Versions: 3.7.1 to 4.0rc1 Fixed In: 4.0rc2 Description: Bugzilla 3.7.x and 4.0rc1 have a new mechanism on the bug entry page for automatically detecting if the bug you are filing is a duplicate of another existing bug. This mechanism was vulnerable to a cross-site scripting attack. References: https://bugzilla.mozilla.org/show_bug.cgi?id=619648 CVE Number: CVE-2010-4570 Class: Cross-Site Scripting Versions: Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2 Fixed In: 3.2.10, 3.4.10, 3.6.4, 4.0rc2 Description: Bugzilla has a "URL" field that can contain several types of URL, including "javascript:" and "data:" URLs. However, it does not make "javascript:" and "data:" URLs into clickable links, to protect against cross-site scripting attacks or other attacks. It was possible to bypass this protection by adding spaces into the URL in places that Bugzilla did not expect them. Also, "javascript:" and "data:" links were *always* shown as clickable to logged-out users. References: https://bugzilla.mozilla.org/show_bug.cgi?id=619588 https://bugzilla.mozilla.org/show_bug.cgi?id=628034 CVE Number: CVE-2010-4567, CVE-2011-0048 Class: Cross-Site Request Forgery Versions: Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2 Fixed In: 3.2.10, 3.4.10, 3.6.4, 4.0rc2 Description: Various pages were vulnerable to Cross-Site Request Forgery attacks. Most of these issues are not as serious as previous CSRF vulnerabilities. Some of these issues were only addressed on more recent branches of Bugzilla and not fixed in earlier branches, in order to avoid changing behavior that external applications may depend on. The links below in "References" describe which issues were fixed on which branches. References: https://bugzilla.mozilla.org/show_bug.cgi?id=621090 https://bugzilla.mozilla.org/show_bug.cgi?id=621105 https://bugzilla.mozilla.org/show_bug.cgi?id=621107 https://bugzilla.mozilla.org/show_bug.cgi?id=621108 https://bugzilla.mozilla.org/show_bug.cgi?id=621109 https://bugzilla.mozilla.org/show_bug.cgi?id=621110 CVE Number: CVE-2011-0046 Vulnerability Solutions ======================= The fixes for these issues are included in the 3.2.10, 3.4.10, 3.6.4, and 4.0rc2 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues. If you are unable to upgrade but would like to patch just the individual security vulnerabilities, there are patches available for each issue at the bugzilla.mozilla.org "References" URLs for the vulnerabilities. Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS/bzr upgrade instructions are available at: http://www.bugzilla.org/download/ Credits ======= The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix this issue: Willem Pinckaers Anonymous ("mozilla11") Michal Zalewski Michael Brooks (Sitewatch) José A. Vázquez Reed Loden Frédéric Buclin Max Kanat-Alexander David Lawrence Mark Stosberg Byron Jones Guy Pyrzak We would especially like to thank Willem Pinckaers of Pine Digital Security for discovering--and providing a proof-of-concept exploit for--the rather complex but very serious Account Compromise issue. Some of these issues are not applicable to bugzilla packages currently in Fedora and EPEL. Additional, Fedora updates for F13 (bugzilla-3.4.10-1.fc13) and F14 (bugzilla-3.6.4-1.fc14) are already available in the testing repositories.
Created bugzilla tracking bugs for this issue Affects: epel-all [bug 672856]