From the upstream advisory [1]: Vulnerability Details ===================== Class: Cross-Site Scripting Versions: 2.4 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3 Description: Bugzilla uses an alternate host for attachments when viewing them in raw format to prevent cross-site scripting attacks. This alternate host is now also used when viewing patches in "Raw Unified" mode because Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing, which could lead to the execution of malicious code. References: https://bugzilla.mozilla.org/show_bug.cgi?id=637981 CVE Number: CVE-2011-2379 Class: Information Leak Versions: 2.23.3 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3 Description: Normally, a group name is confidential and is only visible to members of the group, and to non-members if the group is used in bugs. By crafting the URL when creating or editing a bug, it was possible to guess if a group existed or not, even for groups which weren't used in bugs and so which were supposed to remain confidential. Moreover, in Bugzilla 4.1.1 and 4.1.2, custom searches also let you determine if a group exists or not, even for groups which should remain confidential. References: https://bugzilla.mozilla.org/show_bug.cgi?id=653477 https://bugzilla.mozilla.org/show_bug.cgi?id=674497 CVE Number: CVE-2011-2380, CVE-2011-2979 Class: Email Header Injection Versions: 2.17.1 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3 Description: Bugzilla mostly sends two types of email notifications: bugmails and flagmails. A bugmail is the standard email users get when a change is made to a bug. A flagmail is only sent to the requestee or requester of a flag. For flagmails only, attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications when an attachment flag is edited. Other users only receiving a bugmail are not affected. References: https://bugzilla.mozilla.org/show_bug.cgi?id=657158 CVE Number: CVE-2011-2381 Class: Unnotified Account Change Versions: 2.16rc1 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3 Description: When a user changes his email address, Bugzilla trusts a user-modifiable field for obtaining the current e-mail address to send a confirmation message to. If an attacker has access to the session of another user (for example, if that user left their browser window open in a public place), the attacker could alter this field to cause the email-change notification to go to their own address. This means that the user would not be notified that his account had its email address changed by the attacker. References: https://bugzilla.mozilla.org/show_bug.cgi?id=670868 CVE Number: CVE-2011-2978 Class: Local Information Disclosure Versions: 3.6 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.6.6, 4.0.2, 4.1.3 Description: Temporary files for uploaded attachments are not deleted on Windows. A user with local access to the server could read these attachments even if he wouldn't normally be allowed to view them from Bugzilla. References: https://bugzilla.mozilla.org/show_bug.cgi?id=660502 CVE Number: CVE-2011-2977 Class: Cross-Site Scripting Versions: 2.16rc1 to 3.4.11 Fixed In: 3.4.12 Description: If a BUGLIST cookie is compromised (which is not possible except via a vulnerability outside of Bugzilla), it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack. Bugzilla 3.5.1 and above are not affected by this issue. References: https://bugzilla.mozilla.org/show_bug.cgi?id=660053 CVE Number: CVE-2011-2976 [1] http://www.bugzilla.org/security/3.4.11/ Fedora has 3.6.6 currently in testing, but EPEL6 has 3.4.11 in testing and EPEL4/5 are shipping old versions (3.2.4); they should all be updated to 3.4.12 to correct these flaws.
Created bugzilla tracking bugs for this issue Affects: epel-all [bug 729158]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.