Bug 10897 - Upgrade the Bugzilla RPM to 4.4.4
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/596803/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: Triaged, validated_update

Reported: 2013-08-02 00:31 CEST by Frédéric Buclin
Modified: 2014-05-02 20:08 CEST

Source RPM: bugzilla

Description Frédéric Buclin 2013-08-02 00:31:18 CEST
Mageia 3 still provides Bugzilla 4.4rc2 even though 4.4 final was released 3 months ago. Please upgrade this package.
Comment 1 Manuel Hiebel 2013-08-06 22:36:46 CEST
(unmaintained package)
Comment 2 Frédéric Buclin 2013-10-17 17:07:29 CEST
Bugzilla 4.4.1 contains 4 security fixes (+2 security enhancements), see http://www.bugzilla.org/security/4.0.10/.
Comment 3 Olav Vitters 2013-10-21 22:47:05 CEST
I have uploaded a patched/updated package for Mageia 3.

You can test this by installing the package and pointing your web browser at http://localhost/bugzilla.

Suggested advisory:
========================

Updated bugzilla packages fix security vulnerabilities:

* A CSRF vulnerability in process_bug.cgi affecting Bugzilla 4.4 only
  can lead to a bug being edited without the user's consent.

* A CSRF vulnerability in attachment.cgi can lead to an attachment
  being edited without the user's consent.

* Several unfiltered parameters when editing flagtypes can lead to XSS.

* Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered
  field values in tabular reports can lead to XSS.


References:
http://www.bugzilla.org/security/4.0.10/

========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.1-1.mga3.noarch.rpm
bugzilla-contrib-4.4.1-1.mga3.noarch.rpm


Source RPMs: 
bugzilla-4.4.1-1.mga3.src.rpm
Comment 4 claire robinson 2013-10-24 16:36:03 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9088#c14
Comment 5 claire robinson 2013-10-24 17:36:14 CEST
Testing mga3 64

The current bugzilla package doesn't appear to be working. After configuring the db, running the installation script and browsing to http://localhost/bugzilla, it displays the Perl code rather than running it. Missing some ExecCGI somewhere, I think, or an apache-mod; I don't know enough about CGI to debug it.

After updating, and even running checksetup.pl again, it's still the same.

e.g.:
#!/usr/bin/perl -wT
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

###############################################################################
# Script Initialization
###############################################################################

# Make it harder for us to do dangerous things in Perl.
use strict;

# Include the Bugzilla CGI and general utility library.
use lib qw(. lib);

use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Update;
Comment 6 Olav Vitters 2013-10-24 17:45:24 CEST
Cool, thanks for testing!

Did you notice if it also happened with the original Bugzilla version that came with Mageia 3?
Comment 7 claire robinson 2013-10-24 17:48:03 CEST
Sorry Olav, I missed your comment. Yes it does. It was the same before and after the update.
Comment 8 David Walser 2013-10-29 20:29:21 CET
Fedora has issued an advisory for this on October 19:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119846.html

It fixes CVE-2013-1734, CVE-2013-1742, and CVE-2013-1743.
Comment 9 Frédéric Buclin 2013-10-29 20:42:42 CET
(In reply to David Walser from comment #8)
> Fedora has issued an advisory for this on October 19:
> It fixes CVE-2013-1734, CVE-2013-1742, and CVE-2013-1743.

Fedora has Bugzilla 4.2.x. Mageia 3 has Bugzilla 4.4.x, and so their security advisory is incomplete as it misses one security issue (CVE-2013-1733) which affects 4.4rc1 to 4.4. The official security advisory from Bugzilla is:

  http://www.bugzilla.org/security/4.0.10/
Comment 10 claire robinson 2013-11-07 22:45:14 CET
Assigning Olav for now. 

Please reassign to QA when you've had a chance to take a look.

Thanks.
Comment 11 David Walser 2013-11-26 19:47:06 CET
Mandriva has issued an advisory for this today (November 26):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/

Their advisory includes the missing CVE-2013-1733.

LWN reference for CVE-2013-1733:
http://lwn.net/Vulnerabilities/575049/

LWN reference for the other CVEs:
http://lwn.net/Vulnerabilities/572097/
Comment 12 Guillaume Rousse 2014-02-27 15:23:55 CET
Just enable a suitable handler for CGI files, either in the main Apache configuration file (where it is now disabled by default) or in the Bugzilla-specific configuration file:
AddHandler cgi-script .cgi
Comment 13 David Walser 2014-04-10 21:16:15 CEST
Guillaume has fixed the packaging issue.  Thanks Guillaume!

Assigning back to QA.

Advisory:
========================

Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi
in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the
authentication of arbitrary users for requests that modify bugs via
vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in
Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before
4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to
hijack the authentication of arbitrary users for requests that commit
an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in
editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11;
4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow
remote attackers to inject arbitrary web script or HTML via the (1)
id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi
in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before
4.4.1 allow remote attackers to inject arbitrary web script or HTML
via a field value that is not properly handled during construction
of a tabular report, as demonstrated by the (1) summary or (2) real
name field. NOTE: this issue exists because of an incomplete fix
for CVE-2012-4189 (CVE-2013-1743).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/releases/4.4.1/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.1-1.1.mga3.noarch.rpm
bugzilla-contrib-4.4.1-1.1.mga3.noarch.rpm

from bugzilla-4.4.1-1.1.mga3.src.rpm
Comment 14 claire robinson 2014-04-16 13:02:32 CEST
It's now displaying the proper Bugzilla rather than the code, but it's missing graphics or CSS; maybe a missing alias.
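A QA check for the two symptoms reported in this thread, added here as an example that is not part of the bug report or of the Mageia package: it tells whether index.cgi was executed or its Perl source was served as text (comments 5 and 12, the situation comment 12's AddHandler line fixes) and whether the skins/ CSS answers (comment 14). BASE_URL and the global.css path are assumptions; the sample bodies are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added QA check (not from the bug report or the Mageia package) for the
# two symptoms seen while testing this update: the Perl source of the CGI
# scripts served as plain text because no cgi-script handler was enabled
# (comments 5 and 12), and the skins/ CSS not served because of a missing
# Alias (comment 14). BASE_URL and the CSS path are assumptions; the
# sample bodies are constructed for offline use.
BASE_URL="${BASE_URL:-http://localhost/bugzilla}"

# classify_body BODY: look at the first non-blank line of an HTTP body.
#   "source-leak"  the CGI was not executed; its Perl source was served
#   "html"         a rendered page came back
#   "unknown"      anything else (empty body, error page, ...)
classify_body() {
    first=$(printf '%s\n' "$1" | sed -n '/./{s/^[[:space:]]*//;p;q;}')
    case "$first" in
        '#!'*|'use strict'*|'use lib'*) echo source-leak ;;
        '<!DOCTYPE'*|'<!doctype'*|'<html'*|'<HTML'*) echo html ;;
        *) echo unknown ;;
    esac
}

# check_asset_status HTTP_CODE: interpret the status returned for a
# static skin file; 404 is the signature of the missing Alias.
check_asset_status() {
    case "$1" in
        200) echo ok ;;
        404) echo missing-alias ;;
        *)   echo "http-$1" ;;
    esac
}

# Constructed sample: what comment 5 saw (script source served as text).
LEAKED_SAMPLE='#!/usr/bin/perl -wT
# This Source Code Form is subject to the terms of the Mozilla Public
use strict;'
# Constructed sample: the start of a rendered Bugzilla front page.
RENDERED_SAMPLE='<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">'

# run_live_check: query the test instance (needs curl and a running
# Apache); enabled with RUN_LIVE=1 so the functions can be tested offline.
run_live_check() {
    body=$(curl -s "$BASE_URL/index.cgi") || body=""
    echo "index.cgi:  $(classify_body "$body")"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$BASE_URL/skins/standard/global.css") || code=000
    echo "global.css: $(check_asset_status "$code")"
}
if [ "${RUN_LIVE:-0}" = 1 ]; then run_live_check; fi
```

Run with `RUN_LIVE=1 sh check.sh` against the test install; a `source-leak` result means the server is handing out the script text instead of running it.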
Comment 15 David Walser 2014-04-30 18:22:36 CEST
Now this needs to be updated to 4.4.3, for Mageia 3, Mageia 4, and Cauldron.

Any interested packager can do the update and fix the issue in Comment 14.

Here's the new upstream advisory:
http://www.bugzilla.org/security/4.0.11/

Fedora has issued an advisory for this on April 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
Comment 16 Frédéric Buclin 2014-04-30 18:39:17 CEST
(In reply to David Walser from comment #15)
> Now this needs to be updated to 4.4.3

You must skip 4.4.3 and jump to 4.4.4 directly. One of the security fixes broke 4.4.3 and we had to release 4.4.4 the day after to fix this regression.
Comment 17 David Walser 2014-04-30 23:19:18 CEST
Updated to 4.4.4 in Cauldron by tmb.  Other updates apparently in progress.
Comment 18 David Walser 2014-04-30 23:47:00 CEST
tmb updated it to 4.4.4 in updates_testing, but I'm not sure if the issue in Comment 14 has been addressed.  I'll let him comment on that before pushing to QA.  Here are potential advisories.

Advisory (Mageia 3):
========================

Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi
in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the
authentication of arbitrary users for requests that modify bugs via
vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in
Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before
4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to
hijack the authentication of arbitrary users for requests that commit
an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in
editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11;
4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow
remote attackers to inject arbitrary web script or HTML via the (1)
id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi
in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before
4.4.1 allow remote attackers to inject arbitrary web script or HTML
via a field value that is not properly handled during construction
of a tabular report, as demonstrated by the (1) summary or (2) real
name field. NOTE: this issue exists because of an incomplete fix
for CVE-2012-4189 (CVE-2013-1743).

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before
4.5.3 does not properly handle a correctly authenticated but unintended
login attempt, which makes it easier for remote authenticated users to
obtain sensitive information by arranging for a victim to login to the
attacker's account and then submit a vulnerability report, related to a
"login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.mga3.noarch.rpm
bugzilla-contrib-4.4.4-1.mga3.noarch.rpm

from bugzilla-4.4.4-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated bugzilla packages fix security vulnerability:

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before
4.5.3 does not properly handle a correctly authenticated but unintended
login attempt, which makes it easier for remote authenticated users to
obtain sensitive information by arranging for a victim to login to the
attacker's account and then submit a vulnerability report, related to a
"login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.mga4.noarch.rpm
bugzilla-contrib-4.4.4-1.mga4.noarch.rpm

from bugzilla-4.4.4-1.mga4.src.rpm
Comment 19 David Walser 2014-05-01 20:37:53 CEST
It looks like tmb has fixed the issue in Comment 14.  Assigning to QA.

Advisory (Mageia 3):
========================

Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi
in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the
authentication of arbitrary users for requests that modify bugs via
vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in
Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before
4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to
hijack the authentication of arbitrary users for requests that commit
an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in
editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11;
4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow
remote attackers to inject arbitrary web script or HTML via the (1)
id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi
in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before
4.4.1 allow remote attackers to inject arbitrary web script or HTML
via a field value that is not properly handled during construction
of a tabular report, as demonstrated by the (1) summary or (2) real
name field. NOTE: this issue exists because of an incomplete fix
for CVE-2012-4189 (CVE-2013-1743).

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before
4.5.3 does not properly handle a correctly authenticated but unintended
login attempt, which makes it easier for remote authenticated users to
obtain sensitive information by arranging for a victim to login to the
attacker's account and then submit a vulnerability report, related to a
"login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.1.mga3.noarch.rpm
bugzilla-contrib-4.4.4-1.1.mga3.noarch.rpm

from bugzilla-4.4.4-1.1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated bugzilla packages fix security vulnerability:

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before
4.5.3 does not properly handle a correctly authenticated but unintended
login attempt, which makes it easier for remote authenticated users to
obtain sensitive information by arranging for a victim to login to the
attacker's account and then submit a vulnerability report, related to a
"login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.1.mga4.noarch.rpm
bugzilla-contrib-4.4.4-1.1.mga4.noarch.rpm

from bugzilla-4.4.4-1.1.mga4.src.rpm
Comment 20 Thomas Backlund 2014-05-01 21:11:42 CEST
Yep, and initial tests done on both mga3 64bit and mga4 64bit to confirm they work.
Comment 21 Thomas Backlund 2014-05-01 23:15:38 CEST
 bugs.mageia.org is now also running 4.4.4
Comment 22 claire robinson 2014-05-02 16:10:37 CEST
Thanks Thomas, testing the others now.
Comment 23 claire robinson 2014-05-02 16:45:09 CEST
Testing complete mga3 32

Reminder, the procedure is here https://bugs.mageia.org/show_bug.cgi?id=9088#c14

Login is with email/password
Comment 24 claire robinson 2014-05-02 17:10:04 CEST
Testing complete mga4 32
Comment 25 claire robinson 2014-05-02 17:26:33 CEST
Validating. Separate advisories uploaded for mga3 & mga4

Could sysadmin please push both to updates

Thanks
Comment 26 Marja van Waes 2014-05-02 19:54:34 CEST
(In reply to Thomas Backlund from comment #21)
>  bugs.mageia.org is now also running 4.4.4

Thank you so much!
Comment 27 Thomas Backlund 2014-05-02 20:08:58 CEST
Mga3 update pushed:
http://advisories.mageia.org/MGASA-2014-0199.html

Mga4 update pushed:
http://advisories.mageia.org/MGASA-2014-0200.html
