New bugzilla releases were made available [1] that fix a number of security issues:

Class: Information Leak
Versions: 3.3.4 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In: 3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: If the visibility of a custom field is controlled by a product or a component of a product you cannot see, their names are disclosed in the JavaScript code generated for this custom field even though they should remain confidential.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE Number: CVE-2012-4199

Class: Information Leak
Versions: 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In: 4.0.9, 4.2.4, 4.4rc1
Description: Calling the User.get method with a 'groups' argument leaks the existence of the groups depending on whether or not an error is thrown. This method now also throws an error if the user calling it does not belong to these groups (independently of whether the groups exist or not).
References: https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE Number: CVE-2012-4198

Class: Cross-Site Scripting
Versions: 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In: 4.2.4, 4.4rc1
Description: Due to incorrectly filtered field values in tabular reports, it is possible to inject code leading to XSS.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE Number: CVE-2012-4189

Class: Information Leak
Versions: 2.16 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In: 3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: Trying to mark an attachment in a bug you cannot see as obsolete discloses its description in the error message. The description of the attachment is now removed from the error message.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE Number: CVE-2012-4197

Class: Cross-Site Scripting
Versions: 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In: 4.0.9, 4.2.4, 4.4rc1
Description: A vulnerability in swfstore.swf from YUI2 allows JavaScript injection exploits to be created against domains that host this affected YUI .swf file.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=808845
http://yuilibrary.com/support/20121030-vulnerability/
CVE Number: CVE-2012-5475

Upstream has released versions 3.6.12, 4.0.9, 4.2.4, and 4.4rc1 to correct these flaws. Patches are available for each issue from the bugzilla links noted in the references above.

[1] http://www.bugzilla.org/security/3.6.11/
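The CVE-2012-4198 entry above describes an existence oracle: the error a caller receives from User.get depends on whether a requested group exists. The following added example (not Bugzilla's code; group and user names are constructed) models the vulnerable check ordering beside the fixed one, where membership is verified first and unknown and forbidden groups produce an identical error.

```python
# Added example modelling the User.get 'groups' argument handling described
# in CVE-2012-4198. Not Bugzilla's code; GROUPS is constructed sample data.
GROUPS = {"admin": {"alice"}, "security": {"alice", "bob"}}


class GroupNotAllowed(Exception):
    """Raised when the caller may not query the requested group(s)."""


def user_get_vulnerable(caller, groups):
    """Vulnerable ordering: existence is checked before membership, so the
    error text tells a non-member whether a group name is real."""
    for g in groups:
        if g not in GROUPS:
            raise GroupNotAllowed(f"group '{g}' does not exist")
        if caller not in GROUPS[g]:
            raise GroupNotAllowed(f"you are not a member of '{g}'")
    return sorted(set().union(*(GROUPS[g] for g in groups)))


def user_get_fixed(caller, groups):
    """Fixed ordering: the caller must be a member of every requested group,
    and an unknown group is rejected with exactly the same message as a group
    the caller is not in, so the response no longer reveals existence."""
    for g in groups:
        # .get(g, set()) makes an unknown group behave like a non-member case.
        if caller not in GROUPS.get(g, set()):
            raise GroupNotAllowed("you are not allowed to query the requested groups")
    return sorted(set().union(*(GROUPS[g] for g in groups)))


def error_text(fn, caller, groups):
    """Return the error message fn raises for this call, or None on success.
    Comparing these strings across an existing and a missing group shows
    whether the endpoint behaves as an oracle."""
    try:
        fn(caller, groups)
    except GroupNotAllowed as e:
        return str(e)
    return None
```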
==

Common Vulnerabilities and Exposures has rejected the CVE-2012-5475 identifier:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-5881, CVE-2012-5882, CVE-2012-5883. Reason: This candidate is a duplicate of CVE-2012-5881, CVE-2012-5882, and CVE-2012-5883. Notes: All CVE users should reference one or more of CVE-2012-5881, CVE-2012-5882, and CVE-2012-5883 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5475

==

The description for the CVE-2012-5881, CVE-2012-5882, and CVE-2012-5883 identifiers is as follows:

1) CVE-2012-5881: Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to charts.swf, a similar issue to CVE-2010-4207.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5881
http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
http://yuilibrary.com/support/20121030-vulnerability/

2) CVE-2012-5882: Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader.swf, a similar issue to CVE-2010-4208.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5882
http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
http://yuilibrary.com/support/20121030-vulnerability/

3) CVE-2012-5883: Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209.

References:
http://www.bugzilla.org/security/3.6.11/
http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
http://yuilibrary.com/support/20121030-vulnerability/
https://bugzilla.mozilla.org/show_bug.cgi?id=808845
Common Vulnerabilities and Exposures assigned the identifier CVE-2012-5884 to the following vulnerability:

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 4.3.2 allows remote attackers to obtain sensitive information about the saved searches of arbitrary users via an XMLRPC request or a JSONRPC request, a different vulnerability than CVE-2012-4198.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5884
https://bugzilla.mozilla.org/show_bug.cgi?id=697224
https://bugzilla.mozilla.org/show_bug.cgi?id=781850
Just to note, CVE-2012-5881 and CVE-2012-5882 do not affect our shipped versions of Bugzilla in Fedora as they do not contain the vulnerable files. Current Fedora also has version 4.2.6 which has these fixes. Current EPEL is shipping versions of Bugzilla that are no longer supported upstream so it's difficult to say whether or not they are affected.