| Summary: | Security release: Bugzilla 4.2.3 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Olav Vitters <olav> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | Security, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bug786364.bugzilla.mozilla.org/attachment.cgi?id=656933 | ||
| Whiteboard: | MGA2-32-OK MGA2-64-OK | ||
| Source RPM: | CVE: | ||
| Status comment: | |||
|
Description
Olav Vitters
2012-08-30 22:52:21 CEST
Olav Vitters
2012-08-30 22:52:31 CEST
Assignee:
bugsquad =>
olav Security advisory as from upstream bugzilla: https://bug786364.bugzilla.mozilla.org/attachment.cgi?id=656933 Vulnerability Details ===================== Class: LDAP Injection Versions: 2.12 to 3.6.10, 3.7.1 to 4.0.7, 4.1.1 to 4.2.2, 4.3.1 to 4.3.2 Fixed In: 3.6.11, 4.0.8, 4.2.3, 4.3.3 Description: When the user logs in using LDAP, the username is not escaped when building the uid=$username filter which is used to query the LDAP directory. This could potentially lead to LDAP injection. References: https://bugzilla.mozilla.org/show_bug.cgi?id=785470 CVE Number: CVE-2012-3981 Class: Directory Browsing Versions: 2.23.2 to 3.6.10, 3.7.1 to 4.0.7, 4.1.1 to 4.2.2, 4.3.1 to 4.3.2 Fixed In: 4.0.8, 4.2.3, 4.3.3 Description: Extensions are not protected against directory browsing and users can access the source code of the templates which may contain sensitive data. Directory browsing is blocked in Bugzilla 4.3.3 only, because it requires a configuration change in the Apache httpd.conf file to allow local .htaccess files to use Options -Indexes. To not break existing installations, this fix has not been backported to stable branches. The access to templates is blocked for all supported branches except the old 3.6 branch, because this branch doesn't have .htaccess in the bzr repository and cannot be fixed easily for existing installations without potentially conflicting with custom changes. References: https://bugzilla.mozilla.org/show_bug.cgi?id=785522 https://bugzilla.mozilla.org/show_bug.cgi?id=785511 CVE Number: none URL:
(none) =>
https://bug786364.bugzilla.mozilla.org/attachment.cgi?id=656933 Mageia 2 currently has Bugzilla 4.2.1, which also has a security problems fixed in 4.2.2.. though obviously should upgrade to 4.2.3:
Vulnerability Details
=====================
Class: Information Leak
Versions: 4.1.1 to 4.2.1, 4.3.1
Fixed In: 4.2.2, 4.3.2
Description: In HTML bugmails, all bug IDs and attachment IDs are
linkified, and hovering these links displays a tooltip
with the bug summary or the attachment description if
the user is allowed to see the bug or attachment.
But when validating user permissions when generating the
email, the permissions of the user who edited the bug were
taken into account instead of the permissions of the
addressee. This means that confidential information could
be disclosed to the addressee if the other user has more
privileges than the addressee.
Plain text bugmails are not affected as bug and attachment
IDs are not linkified.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=777398
CVE Number: CVE-2012-1968
Class: Information Leak
Versions: 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to 4.2.1, 4.3.1
Fixed In: 3.6.10, 4.0.7, 4.2.2, 4.3.2
Description: The description of a private attachment could be visible
to a user who hasn't permissions to access this attachment
if the attachment ID is mentioned in a public comment in
a bug that the user can see.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=777586
CVE Number: CVE-2012-1969
These releases also fix various other small bugs, for reference: http://www.bugzilla.org/releases/4.2.2/release-notes.html http://www.bugzilla.org/releases/4.2.3/release-notes.html The http://www.bugzilla.org/ has been updated. Package available in updates_testing. SRPM: bugzilla-4.2.3-1.mga2.src.rpm Assignee:
olav =>
qa-bugs Testing complete on Mageia 2 i586 and x86-64. Just testing that I can set it up, and enter a new bug. Could someone from the sysadmin team push the srpm bugzilla-4.2.3-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: This security update for bugzilla fixes CVE-2012-3981, LDAP injection vulnerability. CVE-2012-1969, Information Leak - description of a private attachment. Also fixed are various other small bugs, for reference: http://www.bugzilla.org/releases/4.2.2/release-notes.html http://www.bugzilla.org/releases/4.2.3/release-notes.html https://bugs.mageia.org/show_bug.cgi?id=7267 Keywords:
(none) =>
Security, validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0255 Status:
NEW =>
RESOLVED |