Bug 4374

Summary: Bugzilla 4.0.5 security release
Product: Mageia Reporter: Olav Vitters <olav>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://www.bugzilla.org/security/3.4.13/
Whiteboard:
Source RPM: bugzilla CVE:
Status comment:

Description Olav Vitters 2012-02-01 09:13:05 CET 
See URL for security advisory.

I've packaged this atm for Cauldron. Still need to submit it for Mageia 1; will do so after the buildsystem outage.
Comment 1 Manuel Hiebel 2012-02-12 14:25:26 CET 
The BS is now UP
Comment 2 Olav Vitters 2012-02-22 22:50:29 CET 
And yet another security release:

Advisory at:
http://www.bugzilla.org/security/4.0.4/


Submitted Bugzilla 4.0.5

Hardware: i586 => All
Assignee: bugsquad => qa-bugs

Manuel Hiebel 2012-02-22 22:52:24 CET

Version: Cauldron => 1
Summary: Bugzilla 4.0.4 security release => Bugzilla 4.0.5 security release
Source RPM: (none) => bugzilla

Comment 3 Dave Hodgins 2012-02-22 23:58:51 CET 
Testing complete on i586 for the srpm
bugzilla-4.0.5-1.1.mga1.src.rpm

As no malicious html sample code has been provided by the
advisory, just testing that creating a new bug etc works.

CC: (none) => davidwhodgins

Comment 4 claire robinson 2012-02-23 15:51:17 CET 
x86_64

Created bugs and attachments, done searches and all seems OK except when I click on reports/old charts..

Bugzilla has suffered an internal error. Please save this page and send it to with details of what you were doing at the time this message appeared.

URL: http://mega/bugzilla/reports.cgi
Unable to open the chart datafile /var/lib/bugzilla/mining/-All-.

Traceback:

 at /usr/share/bugzilla/www/reports.cgi line 151
	main::get_data(...) called at /usr/share/bugzilla/www/reports.cgi line 78
Comment 5 claire robinson 2012-02-23 15:52:45 CET 
This package would benefit from a readme.urpmi with some installation instructions.
Comment 6 claire robinson 2012-02-23 16:00:25 CET 
# ls /var/lib/bugzilla/mining/

Shows it is an empty directory.
Comment 7 claire robinson 2012-02-23 16:18:36 CET 
A bit of a google later..

# /usr/share/bugzilla/bin/collectstats.pl

problem solved.
Comment 8 claire robinson 2012-02-23 16:20:55 CET 
Olav do you want to add a readme.urpmi before this is validated?

I notice there is a readme and a readme.mdv but neither display on installation.
Comment 9 Olav Vitters 2012-02-25 17:17:42 CET 
I renamed the README.mdv to README.urpmi and changed "Mandriva" to "Mageia".

Submitted a new version:
  bugzilla-4.0.5-1.2.mga1

Could you check if ok?
Comment 10 Dave Hodgins 2012-02-28 05:15:47 CET 
(In reply to comment #9)
> I renamed the README.mdv to README.urpmi and changed "Mandriva" to "Mageia".
> 
> Submitted a new version:
>   bugzilla-4.0.5-1.2.mga1
> 
> Could you check if ok?

Just did an uninstall/reinstall, and the README.urpmi does display
install, and I confirmed it still works.

Could someone from the sysadmin team push the srpm
bugzilla-4.0.5-1.2.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory: This security update for bugzilla corrects
CVE-2012-0448, Account Impersonation due to email addresses containing non-ASCII
 characters
CVE-2012-0440, a Cross-Site Request Forgery vulnerability in jsonrpc.cgi
CVE-2012-0453, a Cross-Site Request Forgery vulnerability in xmlrpc.cgi

References:http://www.bugzilla.org/security/3.4.13/ 
           http://www.bugzilla.org/security/4.0.4/

https://bugs.mageia.org/show_bug.cgi?id=4374

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2012-02-28 17:16:43 CET 
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED