| Summary: | Upgrade the Bugzilla RPM to 4.0.2 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Frédéric "LpSolit" Buclin <LpSolit> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | High | CC: | davidwhodgins, marcello.anni, sysadmin-bugs |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | Mageia 1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | bugzilla-4.0-1.mga1.noarch.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Fix Filesystem.pm, v1; Screenshot showing bug entered. | | |
Description
Frédéric "LpSolit" Buclin
2011-04-28 21:17:19 CEST

Frédéric "LpSolit" Buclin
2011-05-08 16:16:13 CEST
Assignee: bugsquad => dmorganec

closing
*** This bug has been marked as a duplicate of bug 40 ***
Status: NEW => RESOLVED

No, that's not the same bug. Bug 40 is about upgrading bugs.mageia.org to 4.0.1. This bug is about upgrading the Bugzilla RPM available in Cauldron.
Status: RESOLVED => REOPENED

Sorry, I misread.
Marcello Anni
2011-06-27 12:15:28 CEST
CC: (none) => marcello.anni

Bugzilla 4.0.2 contains several security fixes, see the security advisory: http://www.bugzilla.org/security/3.4.11/. So those running bugzilla-4.0-1.mga1.noarch.rpm are vulnerable.
Status: REOPENED => NEW
Frédéric "LpSolit" Buclin
2011-08-05 12:08:59 CEST
Source RPM: bugzilla-4.0 => bugzilla-4.0-1.mga1.noarch.rpm

dmorgan: not only does my comment 4 still stand (security issues in 4.0 and 4.0.1), but I saw that kharec uploaded perl-version-0.930.0-1.mga2, which makes Bugzilla < 4.0.3 fail. So you have to upgrade to 4.0.2 + apply my patch from https://bugzilla.mozilla.org/show_bug.cgi?id=678772 (checked in upstream yesterday). This patch will be in Bugzilla 4.0.3. Increasing severity (due to security bugs) and priority (because Bugzilla is now broken in Cauldron).
Priority: Normal => High

dmorgan, instead of the ugly http://svnweb.mageia.org/packages/cauldron/bugzilla/current/SOURCES/bugzilla-4.0-fhs.patch?revision=46838&view=markup patch, you could use my module from https://bugzilla.mozilla.org/show_bug.cgi?id=679965. It doesn't require any code change upstream. You could ship it with the Bugzilla RPM.

Fixed on cauldron, using your patches. Thanks.
Status: NEW => RESOLVED

Doesn't work at all. There are several mistakes:
- In the fake Bugzilla.pm, $bz_root_dir must be '/usr/share/bugzilla/lib', not '/usr/share/bugzilla'.
- checksetup.pl is the only script which doesn't `use Bugzilla;`, and so you still have to include /usr/share/bugzilla/lib in its `use lib (. lib);` call. All other scripts (both .pl and .cgi) are fine.
- You forgot to fix paths in Bugzilla::Constants::bz_locations(), and so no file can be found by Bugzilla.
Status: RESOLVED => REOPENED
Frédéric "LpSolit" Buclin
2011-09-18 14:58:57 CEST
Assignee: dmorganec => olav
Created attachment 808 [details]
Fix Filesystem.pm, v1
The t/, xt/ and contrib/ directories do not exist on Mageia, making checksetup.pl fail.

bugzilla-4.0.2-5.mga2 is working fine. bkor: could you upload it to update_testing for Mageia 1 too, please? :)

Could you check -7 first?

Pushed -7 to 1/updates_testing. Please check.
Assignee: olav => qa-bugs

Created attachment 814 [details]
Screenshot showing bug entered.
As shown, bugzilla is working here. I installed bugzilla and bugzilla-contrib. I ran /usr/share/bugzilla/bin/checksetup.pl (ignored the warning about perl-DBD-Oracle not being found). Edited /etc/bugzilla/localconfig to set a password for the bugs user. Used webmin to create a mysql bugs user with all permissions. Confirmed I could access mysql with "mysql -u bugs -p". Ran checksetup.pl again. It created the mysql databases, and I provided an admin email address and password. I then connected to http://hodgins.homeip.net/bugzilla, followed the prompts to update the url-base, etc., and then entered a test bug. Anything further that should be tested? This is on i586, for the srpm bugzilla-4.0.2-7.1.mga1.src.rpm.

x86_64: Setup and added a bug, updated and added another one. Added attachments OK. Messed around with the preferences. No obvious faults found. Update validated.

Advisory
----------------
This is a security update for the bugzilla package. It provides fixes for several security vulnerabilities including:
* Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing when viewing a patch in "Raw Unified" mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment.
* It is possible to determine whether or not certain group names exist while creating or updating bugs; and in Bugzilla 4.1.1 and 4.1.2, also by using custom searches.
* Attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications sent to the requestee or the requester when editing an attachment flag.
* If an attacker has access to a user's session, he can modify that user's email address without that user being notified of the change.
* Temporary files for uploaded attachments are not deleted on Windows, which could let a user with local access to the server read them.
* Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack.
For a complete list please see: http://www.bugzilla.org/security/3.4.11/
----------------
SRPM: bugzilla-4.0.2-7.1.mga1.src.rpm
Could sysadmin please push from core/updates_testing to core/updates. Thank you!
Keywords: (none) => validated_update

(In reply to comment #15)
> Created attachment 814 [details]
> Screenshot showing bug entered.
Fortunately Bugzilla looks nicer than that in a "normal" browser. :-p
(In reply to comment #16)
> Advisory
> ----------------
Don't you usually include the CVE references in the security advisories?

We're usually given a suggested advisory to work from. I thought I did well! Feel free to add them :)

Advisory
This is a security update for the bugzilla package. It provides fixes for several security vulnerabilities including:
* Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing when viewing a patch in "Raw Unified" mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment. CVE-2011-2379
* It is possible to determine whether or not certain group names exist while creating or updating bugs; and in Bugzilla 4.1.1 and 4.1.2, also by using custom searches. CVE-2011-2380, CVE-2011-2979
* Attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications sent to the requestee or the requester when editing an attachment flag. CVE-2011-2381
* If an attacker has access to a user's session, he can modify that user's email address without that user being notified of the change. CVE-2011-2978
* Temporary files for uploaded attachments are not deleted on Windows, which could let a user with local access to the server read them. CVE-2011-2977
* Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack. CVE-2011-2976
For a complete list please see: http://www.bugzilla.org/security/3.4.11/
https://bugs.mageia.org/show_bug.cgi?id=1040
Could someone from the sysadmin team please push the srpm bugzilla-4.0.2-7.1.mga1.src.rpm from core/updates_testing to core/updates.
CC: (none) => davidwhodgins

Pushed to updates.
Status: ASSIGNED => RESOLVED
Nicolas Vigier
2014-05-08 18:04:44 CEST
CC: boklm => (none)
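The advisory in this thread lists, among the fixes shipped in 4.0.2, the email header injection through a newline in an attachment description (CVE-2011-2381). The following is an added illustration of that flaw class and is not Bugzilla's Perl code nor anything from the Mageia package: it is written in Python so it runs stand-alone, the notification template, the header names and the sanitizer are assumptions made for the demo, and the malicious description is a constructed sample. The point it shows is that a value interpolated into a raw header line becomes header structure as soon as it carries CR/LF, and that the fix is to refuse or collapse line breaks before the value reaches the header.

```python
"""Header injection via a newline in a user-supplied description, re-created
in Python. Added example only: template, field names and the sanitizer are
assumptions, not Bugzilla's implementation."""
from email import message_from_string

# Constructed sample: a hypothetical attacker-controlled attachment description.
# The embedded CRLF terminates the Subject line and starts new header lines.
MALICIOUS_DESCRIPTION = (
    "harmless.diff\r\n"
    "Bcc: attacker@example.invalid\r\n"
    "X-Injected: yes"
)

# Template modelled on a flag-request notification (assumed layout).
TEMPLATE = (
    "From: bugzilla-daemon@example.invalid\r\n"
    "To: {requestee}\r\n"
    "Subject: {flag} requested: [Bug {bug_id}] {description}\r\n"
    "X-Bugzilla-Type: request\r\n"
    "\r\n"
    "{requester} has asked {requestee} for {flag} on attachment "
    "{attachment_id}: {description}\r\n"
)

# Header names the template itself emits; anything else came from user input.
EXPECTED_HEADERS = {"From", "To", "Subject", "X-Bugzilla-Type"}


def build_vulnerable(description: str) -> str:
    """Interpolate the description unchanged: CR/LF inside it is emitted
    verbatim, so the mail transport sees extra headers."""
    return TEMPLATE.format(requestee="requestee@example.invalid",
                           requester="requester@example.invalid",
                           flag="review?", bug_id=1040, attachment_id=808,
                           description=description)


def strip_header_breaks(value: str) -> str:
    """Collapse every line break (CR, LF, CRLF, and Unicode line separators
    that str.splitlines() recognises) to a single space, so a single-line
    header value can no longer terminate its header."""
    return " ".join(value.splitlines())


def build_hardened(description: str) -> str:
    """Same template, but the description is sanitised before interpolation."""
    return build_vulnerable(strip_header_breaks(description))


def header_names(raw: str) -> list:
    """Parse the raw RFC 5322 message as a receiving MTA would and return the
    header names in order, so the injection is observable, not eyeballed."""
    return list(message_from_string(raw).keys())


def injected_headers(raw: str) -> list:
    """Header names the template never emits; a non-empty list means the
    user-controlled value smuggled headers into the message."""
    return [h for h in header_names(raw) if h not in EXPECTED_HEADERS]


if __name__ == "__main__":
    print("vulnerable:", injected_headers(build_vulnerable(MALICIOUS_DESCRIPTION)))
    print("hardened:  ", injected_headers(build_hardened(MALICIOUS_DESCRIPTION)))
```

The sanitizer collapses rather than rejects because an attachment description is free text that legitimately may contain a stray line break; a stricter policy is to reject any value containing CR or LF at the input boundary and to have the mail layer refuse multi-line header values outright, which is what a modern mail library does for you.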