Upstream has issued an advisory today (October 6): http://www.bugzilla.org/security/4.0.14/ Class: Unauthorized Account Creation Versions: 2.23.3 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5 Fixed In: 4.0.15, 4.2.11, 4.4.6, 4.5.6 Description: An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name could be automatically added to groups based on the group's regular expression setting. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1074812 CVE Number: CVE-2014-1572 Class: Cross-Site Scripting Versions: 2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5 Fixed In: 4.0.15, 4.2.11, 4.4.6, 4.5.6 Description: During an audit of the Bugzilla code base, several places were found where cross-site scripting exploits could occur which could allow an attacker to access sensitive information. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1075578 CVE Number: CVE-2014-1573 Class: Information Leak Versions: 2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5 Fixed In: 4.0.15, 4.2.11, 4.4.6, 4.5.6 Description: If a new comment was marked private to the insider group, and a flag was set in the same transaction, the comment would be visible to flag recipients even if they were not in the insider group. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1064140 CVE Number: CVE-2014-1571 Class: Social Engineering Versions: 2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5 Fixed In: 4.0.15, 4.2.11, 4.4.6, 4.5.6 Description: Search results can be exported as a CSV file which can then be imported into external spreadsheet programs. Specially formatted field values can be interpreted as formulas which can be executed and used to attack a user's computer. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1054702
Created bugzilla tracking bugs for this issue: Affects: fedora-all [bug 1150092]
Created bugzilla tracking bugs for this issue: Affects: epel-all [bug 1150096]
Further details of the CVE-2014-1572 issue: http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
bugzilla-4.2.11-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-4.2.11-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-4.4.6-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.