Two flaws were reported as fixed in upstream bugzilla [1]:

Vulnerability Details
=====================

Class:       Cross-Site Scripting
Versions:    2.0 to 3.6.12, 3.7.1 to 4.0.9, 4.1.1 to 4.2.4, 4.3.1 to 4.4rc1
Fixed In:    3.6.13, 4.0.10, 4.2.5, 4.4rc2
Description: When viewing a single bug report, which is the default, the bug ID is validated and rejected if it is invalid. But when viewing several bug reports at once, which is specified by the format=multiple parameter, invalid bug IDs can go through and are sanitized in the HTML page itself. But when an invalid page format is passed to the CGI script, the wrong HTML page is called and data are not correctly sanitized, which can lead to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=842038
CVE Number:  CVE-2013-0785

Class:       Information Leak
Versions:    2.17.1 to 3.6.12, 3.7.1 to 4.0.9
Fixed In:    3.6.13, 4.0.10
Description: When running a query in debug mode, the generated SQL query used to collect the data is displayed. The way this SQL query is built permits the user to determine if some confidential field value (such as a product name) exists. This problem only affects Bugzilla 4.0.9 and older. Newer releases are not affected by this issue.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=824399
CVE Number:  CVE-2013-0786

Currently 4.0.10 is in Fedora 17 testing and 4.2.5 is in Fedora 18 testing.

The latest version of Bugzilla in EPEL6 is 3.4.14; the last build was 20120420 to fix a security flaw but was never pushed to stable. Likewise EPEL5 is shipping with 3.2.10 and a security fix is sitting in testing.

I recommend that EPEL gets bugzilla updated to the latest 3.6.13 for both versions so that it can continue to receive security fixes from upstream in a more timely fashion (or drop it since the versions in EPEL are outdated and have known security flaws).
External References: http://www.bugzilla.org/security/3.6.12/
Created bugzilla tracking bugs for this issue

Affects: epel-all [bug 913649]
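The XSS root cause in comment #0 is that bug IDs were only sanitized inside one HTML page, so an unknown format value could route the request to a page that did not sanitize them. The Perl below is an added example, not Bugzilla's own code, showing the defensive pattern of validating both the format (against an allowlist) and every bug ID at the CGI boundary before any template is selected; the template names and the validate_show_bug_params function are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's own code: validate the parameters of a
# show_bug-style CGI before any template is chosen, so that neither an
# unknown format nor a non-numeric bug ID can reach an unescaped page.
use strict;
use warnings;

# Allowlist of page formats and the template each one renders.
# Template names are assumed for illustration, not Bugzilla's real ones.
my %TEMPLATE_FOR_FORMAT = (
    ''         => 'bug/show.html.tmpl',
    'multiple' => 'bug/show-multiple.html.tmpl',
);

# Takes the request parameters as a hash; returns (template, \@ids) or
# dies with a fixed message that never echoes user-controlled input.
sub validate_show_bug_params {
    my (%param) = @_;
    my $format = defined $param{format} ? $param{format} : '';

    # Unknown format: refuse rather than fall through to some other page.
    die "Invalid format parameter\n"
        unless exists $TEMPLATE_FOR_FORMAT{$format};

    # id may be a single value or a list; validate every entry the same
    # way regardless of which format was requested.
    my @raw = ref $param{id} eq 'ARRAY' ? @{ $param{id} } : ($param{id});
    my @ids;
    for my $id (@raw) {
        die "Invalid bug ID\n"
            unless defined $id && $id =~ /\A[1-9][0-9]{0,9}\z/;
        push @ids, 0 + $id;
    }
    die "No bug ID given\n" unless @ids;
    return ($TEMPLATE_FOR_FORMAT{$format}, \@ids);
}

# Constructed sample requests: two valid, two that must be rejected.
my @requests = (
    { id => 123 },
    { id => [123, 456], format => 'multiple' },
    { id => [123, '12<b>'], format => 'multiple' },
    { id => 123, format => 'bogus' },
);
for my $req (@requests) {
    my ($tmpl, $ids) = eval { validate_show_bug_params(%$req) };
    print $@ ? "rejected: $@" : "render $tmpl with IDs @$ids\n";
}
```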
(In reply to comment #0)
> recommend that EPEL gets bugzilla updated to the latest 3.6.13 for both
> versions so that it can continue to receive security fixes from upstream in
> a more timely fashion

I honestly wouldn't recommend jumping to another branch in older distros as the DB schema and the codebase are different in Bugzilla 3.2, 3.4 and 3.6. If someone made some customizations, it's very likely that they will break during the major upgrade. Also, upgrading to the 3.6 branch to get new security fixes won't help much as we don't expect any other release on this branch. Bugzilla 4.4 is almost there, and this means the EOL for Bugzilla 3.6.
So you think it is better to keep older/insecure packages? Because current EPEL packages are also missing CVE-2012-1969, CVE-2012-3981, and CVE-2012-4747 fixes (in addition to these). They've not been touched in almost a year.