Mageia 3 still provides Bugzilla 4.4rc2 even though 4.4 final was released 3 months ago. Please upgrade this package.
(unmaintained package)
Keywords: (none) => Triaged
CC: (none) => dmorganec, olav
Bugzilla 4.4.1 contains 4 security fixes (+2 security enhancements), see http://www.bugzilla.org/security/4.0.10/.
Summary: Upgrade the Bugzilla RPM to 4.4 final => Upgrade the Bugzilla RPM to 4.4.1
Severity: normal => major
I have uploaded a patched/updated package for Mageia 3. You can test this by installing the package and pointing your web browser at http://localhost/bugzilla.

Suggested advisory:
========================

Updated bugzilla packages fix security vulnerabilities:

* A CSRF vulnerability in process_bug.cgi affecting Bugzilla 4.4 only can lead to a bug being edited without the user's consent.
* A CSRF vulnerability in attachment.cgi can lead to an attachment being edited without the user's consent.
* Several unfiltered parameters when editing flagtypes can lead to XSS.
* Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered field values in tabular reports can lead to XSS.

References:
http://www.bugzilla.org/security/4.0.10/
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.1-1.mga3.noarch.rpm
bugzilla-contrib-4.4.1-1.mga3.noarch.rpm

Source RPMs:
bugzilla-4.4.1-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9088#c14
Whiteboard: (none) => has_procedure
Testing mga3 64

Current bugzilla package doesn't appear to be working. After configuring the db, running the installation script and browsing to http://localhost/buzilla it displays the Perl code rather than running it. Missing some ExecCGI somewhere I think, or an apache-mod; I don't know enough about CGI to debug it. After updating and even running checksetup.pl again it's still the same. e.g.:

#!/usr/bin/perl -wT
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

###############################################################################
# Script Initialization
###############################################################################

# Make it harder for us to do dangerous things in Perl.
use strict;

# Include the Bugzilla CGI and general utility library.
use lib qw(. lib);
use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Update;
Cool, thanks for testing! Did you notice if it also happened with the original Bugzilla version that came with Mageia 3?
Whiteboard: has_procedure => has_procedure feedback
Sorry Olav, I missed your comment. Yes it does. It was the same before and after the update.
Fedora has issued an advisory for this on October 19:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119846.html

It fixes CVE-2013-1734, CVE-2013-1742, and CVE-2013-1743.
URL: (none) => http://lwn.net/Vulnerabilities/572097/
Component: RPM Packages => Security
(In reply to David Walser from comment #8)
> Fedora has issued an advisory for this on October 19:
> It fixes CVE-2013-1734, CVE-2013-1742, and CVE-2013-1743.

Fedora has Bugzilla 4.2.x. Mageia 3 has Bugzilla 4.4.x, and so their security advisory is incomplete as it misses one security issue (CVE-2013-1733) which affects 4.4rc1 to 4.4. The official security advisory from Bugzilla is:
http://www.bugzilla.org/security/4.0.10/
URL: http://lwn.net/Vulnerabilities/572097/ => http://www.bugzilla.org/security/4.0.10/
Assigning Olav for now. Please reassign to QA when you've had a chance to take a look. Thanks.
CC: (none) => qa-bugs
Assignee: qa-bugs => olav
Whiteboard: has_procedure feedback => has_procedure
Mandriva has issued an advisory for this today (November 26):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/

Their advisory includes the missing CVE-2013-1733.

LWN reference for CVE-2013-1733:
http://lwn.net/Vulnerabilities/575049/

LWN reference for the other CVEs:
http://lwn.net/Vulnerabilities/572097/
Just enable a suitable handler for .cgi files, either in the main Apache configuration file (where it is now disabled by default) or in the Bugzilla-specific configuration file:

AddHandler cgi-script .cgi
CC: (none) => guillomovitch
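For reference, here is an added example (not Mageia's packaging and not part of this bug report) of what the Apache side looks like, together with a check for the symptom reported earlier in this thread. The install directory /usr/share/bugzilla, the /bugzilla alias and the Apache 2.4 access-control syntax are assumptions, not taken from the package. The security point of the fragment is twofold: without the cgi-script handler and ExecCGI, Apache serves the .cgi files as plain text, and without AllowOverride the .htaccess files that checksetup.pl generates to deny access to localconfig, the Perl modules and the data/ directory are silently ignored.

```shell
#!/bin/sh
# Added example, not the Mageia bugzilla package's own configuration.
# Assumptions (not from the bug report): Bugzilla lives in
# /usr/share/bugzilla, is served at /bugzilla, and Apache is 2.4
# ("Require all granted" syntax).

BUGZILLA_DIR="${BUGZILLA_DIR:-/usr/share/bugzilla}"

# Print the Apache fragment.  "AddHandler cgi-script .cgi" plus
# "Options +ExecCGI" make Apache execute the scripts instead of serving
# their source.  "AllowOverride ..." lets Bugzilla's generated .htaccess
# files (deny access to localconfig, *.pm, *.pl, data/, etc.) take effect.
bugzilla_apache_conf() {
    cat <<EOF
Alias /bugzilla $BUGZILLA_DIR
<Directory $BUGZILLA_DIR>
    AddHandler cgi-script .cgi
    Options +ExecCGI +FollowSymLinks
    DirectoryIndex index.cgi
    AllowOverride Limit FileInfo Indexes Options AuthConfig
    Require all granted
</Directory>
EOF
}

# Return 0 if the response body (on stdin) looks like unexecuted Perl
# source, i.e. the CGI handler is not active; return 1 otherwise.
# Only the first 4 KiB are inspected; the markers are the shebang and the
# first "use" lines of every Bugzilla CGI script.
leaks_perl_source() {
    head -c 4096 | grep -q -e '^#!.*perl' -e '^use strict;' -e '^use Bugzilla'
}

# Fetch a URL and classify the body.  Needs curl and a running server,
# so it is only invoked when a URL is given on the command line.
check_bugzilla_url() {
    url="${1:-http://localhost/bugzilla/index.cgi}"
    if curl -fsS "$url" | leaks_perl_source; then
        echo "LEAK: $url returned Perl source; the cgi-script handler is not active"
        return 2
    fi
    echo "OK: $url was executed rather than served as text"
}

if [ $# -gt 0 ]; then
    check_bugzilla_url "$1"
fi
```

Usage: `sh check-bugzilla.sh http://localhost/bugzilla/index.cgi` after restarting Apache; a LEAK result means the handler or ExecCGI is still missing. Write the fragment with `bugzilla_apache_conf > /etc/httpd/conf/...` only after adapting the assumed paths to the real package layout.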
Guillaume has fixed the packaging issue. Thanks Guillaume! Assigning back to QA.

Advisory:
========================

Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the (1) summary or (2) real name field. NOTE: this issue exists because of an incomplete fix for CVE-2012-4189 (CVE-2013-1743).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/releases/4.4.1/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.1-1.1.mga3.noarch.rpm
bugzilla-contrib-4.4.1-1.1.mga3.noarch.rpm

from bugzilla-4.4.1-1.1.mga3.src.rpm
Assignee: olav => qa-bugs
QA Contact: (none) => security
It's now displaying the proper bugzilla rather than the code but it's missing graphics or css, maybe a missing alias.
Now this needs to be updated to 4.4.3, for Mageia 3, Mageia 4, and Cauldron. Any interested packager can do the update and fix the issue in Comment 14.

Here's the new upstream advisory:
http://www.bugzilla.org/security/4.0.11/

Fedora has issued an advisory for this on April 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
URL: http://www.bugzilla.org/security/4.0.10/ => http://lwn.net/Vulnerabilities/596803/
Version: 3 => Cauldron
Assignee: qa-bugs => bugsquad
Target Milestone: Mageia 3 => ---
Summary: Upgrade the Bugzilla RPM to 4.4.1 => Upgrade the Bugzilla RPM to 4.4.3
Whiteboard: has_procedure feedback => MGA4TOO MGA3TOO has_procedure
(In reply to David Walser from comment #15)
> Now this needs to be updated to 4.4.3

You must skip 4.4.3 and jump to 4.4.4 directly. One of the security fixes broke 4.4.3 and we had to release 4.4.4 the day after to fix this regression.
Summary: Upgrade the Bugzilla RPM to 4.4.3 => Upgrade the Bugzilla RPM to 4.4.4
Updated to 4.4.4 in Cauldron by tmb. Other updates apparently in progress.
CC: (none) => tmb
Version: Cauldron => 4
Whiteboard: MGA4TOO MGA3TOO has_procedure => MGA3TOO has_procedure
tmb updated it to 4.4.4 in updates_testing, but I'm not sure if the issue in Comment 14 has been addressed. I'll let him comment on that before pushing to QA. Here are potential advisories.

Advisory (Mageia 3):
========================

Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the (1) summary or (2) real name field. NOTE: this issue exists because of an incomplete fix for CVE-2012-4189 (CVE-2013-1743).

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.mga3.noarch.rpm
bugzilla-contrib-4.4.4-1.mga3.noarch.rpm

from bugzilla-4.4.4-1.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated bugzilla packages fix security vulnerability:

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.mga4.noarch.rpm
bugzilla-contrib-4.4.4-1.mga4.noarch.rpm

from bugzilla-4.4.4-1.mga4.src.rpm
It looks like tmb has fixed the issue in Comment 14. Assigning to QA.

Advisory (Mageia 3):
========================

Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the (1) summary or (2) real name field. NOTE: this issue exists because of an incomplete fix for CVE-2012-4189 (CVE-2013-1743).

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.1.mga3.noarch.rpm
bugzilla-contrib-4.4.4-1.1.mga3.noarch.rpm

from bugzilla-4.4.4-1.1.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated bugzilla packages fix security vulnerability:

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.1.mga4.noarch.rpm
bugzilla-contrib-4.4.4-1.1.mga4.noarch.rpm

from bugzilla-4.4.4-1.1.mga4.src.rpm
CC: qa-bugs => (none)
Assignee: bugsquad => qa-bugs
Yep, and initial tests done on both mga3 64bit and mga4 64bit confirm they work.
bugs.mageia.org is now also running 4.4.4
Thanks Thomas, testing the others now.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Testing complete mga3 32

Reminder, the procedure is here:
https://bugs.mageia.org/show_bug.cgi?id=9088#c14

Login is with email/password.
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Separate advisories uploaded for mga3 & mga4.

Could sysadmin please push both to updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
(In reply to Thomas Backlund from comment #21)
> bugs.mageia.org is now also running 4.4.4

Thank you so much!
CC: (none) => marja11
Mga3 update pushed: http://advisories.mageia.org/MGASA-2014-0199.html
Mga4 update pushed: http://advisories.mageia.org/MGASA-2014-0200.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED