Upstream has released [1] versions 4.0.5 and 4.2 to correct a CSRF vulnerability.

Due to a lack of validation of the enctype form attribute when making POST requests to xmlrpc.cgi, a possible CSRF vulnerability was discovered. If a user visits an HTML page with some malicious HTML code in it, an attacker could make changes to a remote Bugzilla installation on behalf of the victim's account by using the XML-RPC API on a site running mod_perl. Sites running under mod_cgi are not affected. Also, the user would have had to be already logged in to the target site for the vulnerability to work.

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=725663

[1] http://www.bugzilla.org/security/4.0.4/
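The check the advisory describes, as an added example that is not Bugzilla's own code: an HTML form can only POST with the enctype values application/x-www-form-urlencoded, multipart/form-data or text/plain, so an XML-RPC handler that dispatches a call without looking at the request's Content-Type can be driven by a page the logged-in victim merely visits. Requiring text/xml or application/xml before dispatching closes that path, because no form can set that header. The function names, the header set and the sample request body below are assumptions made for this illustration; the body is a constructed sample and is never parsed by the guard.

```python
"""Content-Type guard for an XML-RPC endpoint.

Added example, not Bugzilla's code. The guard decides from the request line and
headers alone; it does not trust the body, because a forged form submission can
carry a byte-for-byte valid XML-RPC call.
"""

# Media types an HTML <form> can produce through its enctype attribute.
FORM_ENCTYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Media types a genuine XML-RPC client sends (assumed allow-list).
XMLRPC_TYPES = {"text/xml", "application/xml"}

# Constructed sample of what a browser POSTs for
# <form method="POST" enctype="text/plain"> whose single field name carries an
# XML-RPC call and whose value is empty (text/plain encoding appends "=\r\n").
FORGED_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>Bug.update</methodName>'
    "<params><param><value><struct>...</struct></value></param></params>"
    "</methodCall>=\r\n"
)


def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(content_type):
    """Normalise a Content-Type value to its bare media type (no parameters)."""
    if content_type is None:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def check_xmlrpc_request(method, headers):
    """Return (accepted, reason) for an incoming XML-RPC request.

    Rejects anything a cross-site HTML form could have produced and anything
    that is not an explicit XML media type, so the body never needs to be
    consulted to tell a forged call from a real one.
    """
    if method.upper() != "POST":
        return False, "XML-RPC requires POST"
    ctype = media_type(header(headers, "Content-Type"))
    if ctype in FORM_ENCTYPES:
        return False, "browser form submission (%s) rejected" % ctype
    if ctype not in XMLRPC_TYPES:
        return False, "unexpected Content-Type %r" % ctype
    return True, "ok"


if __name__ == "__main__":
    # Forged request: the victim's session cookie rides along automatically,
    # but the enctype gives the request away before the body is read.
    forged_headers = {
        "Content-Type": "text/plain",
        "Cookie": "Bugzilla_login=42; Bugzilla_logincookie=...",  # constructed
    }
    print("forged  :", check_xmlrpc_request("POST", forged_headers), len(FORGED_BODY), "bytes ignored")

    # Genuine client request.
    client_headers = {"Content-Type": "text/xml; charset=utf-8"}
    print("genuine :", check_xmlrpc_request("POST", client_headers))
```

The three form enctypes are listed explicitly only to give a precise rejection reason; the allow-list on its own would already refuse them. The page does not say what the mod_cgi path checks that makes it unaffected, so this example makes no claim about it.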
Created bugzilla tracking bugs for this issue:

Affects: fedora-all [bug 796985]
bugzilla-4.0.5-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.