Bug 18480

Summary: bugzilla new security issue CVE-2016-2803
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/688207/
Whiteboard: has_procedure advisory mga5-64-ok
Source RPM: bugzilla-4.4.11-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-05-18 03:49:26 CEST
Upstream has issued an advisory on May 16:
https://www.bugzilla.org/security/4.4.11/

The issue is fixed in 4.4.12:
https://www.bugzilla.org/releases/4.4.12/release-notes.html

Updated packages uploaded for Mageia 5 and Cauldron by Thomas Backlund.

Advisory:
========================

Updated bugzilla packages fix security vulnerability:

In Bugzilla before 4.4.12, due to an incorrect parsing of the image map
generated by the dot script, a specially crafted bug summary could trigger XSS
in dependency graphs (CVE-2016-2803).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2803
https://www.bugzilla.org/security/4.4.11/
https://www.bugzilla.org/releases/4.4.12/release-notes.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.12-1.mga5.noarch.rpm
bugzilla-contrib-4.4.12-1.mga5.noarch.rpm

from bugzilla-4.4.12-1.mga5.src.rpm
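
An illustration of the bug class the advisory describes, added here as an example; it is not code from Bugzilla, from the Mageia package, or from this report. Bugzilla's dependency graph page runs dot and rewrites the HTML image map dot produces, so a bug summary that reaches the rewritten <area> attributes without being escaped for that context becomes live markup. The map layout, the regex, the sample summaries and the two rewrite functions are assumptions made for the demonstration, not Bugzilla's Perl; Python is used so the check runs stand-alone.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample data: bug summaries as a tracker might hold them.
# Bug 2 carries a quote-breaking payload of the kind a crafted summary
# would contain; this is a made-up value, not the reported one.
BUGS = {
    1: "Dependency graph shows stale data",
    2: '"><script>alert(1)</script><a title="',
}

def dot_cmapx(bugs):
    """Assumed model of the image map dot emits for -Tcmapx: one <area>
    per bug with the summary as title, attribute values entity-escaped."""
    areas = [
        f'<area href="{bug_id}" title="{html.escape(summary, quote=True)}" '
        f'shape="rect" coords="0,0,10,10">'
        for bug_id, summary in bugs.items()
    ]
    return '<map id="deps" name="deps">\n' + "\n".join(areas) + "\n</map>"

# Assumed parser for the map above (illustrative, not Bugzilla's regex).
AREA_RE = re.compile(r'<area href="(\d+)" title="([^"]*)"')

def rewrite_vulnerable(cmapx):
    """Parses dot's map, decodes the title back to plain text, and drops it
    into the page template without re-escaping. The decode-then-interpolate
    step is the mistake: raw summary text lands inside an attribute."""
    out = []
    for bug_id, title in AREA_RE.findall(cmapx):
        summary = html.unescape(title)
        out.append(f'<area href="show_bug.cgi?id={bug_id}" title="{summary}">')
    return "\n".join(out)

def rewrite_fixed(cmapx):
    """Same rewrite, but the value is escaped for the attribute context at
    the point where it is placed into the output, so quotes and angle
    brackets in the summary stay text."""
    out = []
    for bug_id, title in AREA_RE.findall(cmapx):
        summary = html.unescape(title)
        safe = html.escape(summary, quote=True)
        out.append(f'<area href="show_bug.cgi?id={bug_id}" title="{safe}">')
    return "\n".join(out)

class _AreaCollector(HTMLParser):
    """Reads the rewritten map the way a browser would: records each <area>
    with its attributes and counts any <script> element that appears."""
    def __init__(self):
        super().__init__()
        self.areas = []
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "area":
            self.areas.append(dict(attrs))
        elif tag == "script":
            self.scripts += 1

def render_check(markup):
    """Returns (areas, script_count) for the given markup."""
    parser = _AreaCollector()
    parser.feed(markup)
    parser.close()
    return parser.areas, parser.scripts

if __name__ == "__main__":
    cmapx = dot_cmapx(BUGS)
    for name, fn in (("vulnerable", rewrite_vulnerable), ("fixed", rewrite_fixed)):
        areas, scripts = render_check(fn(cmapx))
        print(f"{name}: {len(areas)} areas, {scripts} script element(s)")
        print(fn(cmapx))
```

Run as a script, the vulnerable rewrite yields a <script> element in the page while the fixed one keeps the whole summary inside the title attribute; the second function is the shape a fix for this class of bug takes, escape at the output boundary, whatever the input looked like when it came out of dot.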
Comment 1 David Walser 2016-05-18 03:49:45 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9088#c14

CC: (none) => tmb
Whiteboard: (none) => has_procedure

David Walser 2016-05-20 18:06:00 CEST

URL: (none) => http://lwn.net/Vulnerabilities/688207/

Comment 2 claire robinson 2016-05-21 21:08:19 CEST
Testing complete mga5 64

Installed, created bug, updated, created another bug.

Whiteboard: has_procedure => has_procedure mga5-64-ok

claire robinson 2016-05-21 21:52:44 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2016-05-22 00:12:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0201.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED