Fedora has issued an advisory on July 28: https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136217.html

The issue is fixed upstream in 4.4.5.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated package uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated bugzilla packages fix security vulnerabilities:

Adobe does not properly restrict the SWF file format, which allows remote
attackers to conduct cross-site request forgery (CSRF) attacks against
Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a
crafted OBJECT element with SWF content satisfying the character-set
requirements of a callback API (CVE-2014-1546).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1546
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136217.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.5-1.mga3
bugzilla-contrib-4.4.5-1.mga3
bugzilla-4.4.5-1.mga4
bugzilla-contrib-4.4.5-1.mga4

from SRPMS:
bugzilla-4.4.5-1.mga3.src.rpm
bugzilla-4.4.5-1.mga4.src.rpm
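The advisory above names the mechanism (an SWF file smuggled in as the JSONP callback) but not the fix. The following is an added example written for this page; it is not Bugzilla's code and not taken from this bug or the 4.4.5 patch. It shows why a character-set rule on the callback is not enough on its own: a JSONP body that begins with the callback can be made to start with an SWF signature (FWS, CWS or ZWS), and Flash Player will then treat the whole response as a Flash object served from Bugzilla's origin, with the victim's cookies. The usual mitigation for this class is to prefix the body with bytes that can never be an SWF header, independent of the callback. The allow-list regex, the 64-character cap, the "/**/" prefix, the sample callback and the sample bug record are all assumptions made for this example; whether Bugzilla 4.4.5 does exactly this is not stated on the page.

```python
import json
import re

# SWF files begin with one of these three-byte signatures
# (uncompressed, zlib-compressed, LZMA-compressed).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Loose "safe characters" rule of the kind the CVE text alludes to: it keeps
# script injection out, but still allows a callback that starts with "CWS".
LOOSE_CALLBACK_RE = re.compile(r"^[A-Za-z0-9_.]+$")

# Stricter rule for the hardened builder: a dotted JavaScript identifier with
# a length cap. (Assumed allow-list for this example, not Bugzilla's own.)
STRICT_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")
MAX_CALLBACK_LEN = 64

# Non-SWF prefix: a body whose first bytes are "/**/" can never be parsed as
# SWF, and the JavaScript comment is harmless to a genuine JSONP client.
NON_SWF_PREFIX = b"/**/"


def jsonp_before(callback: str, payload: dict) -> bytes:
    """Pre-fix shape of a JSONP response: charset check only, callback first.

    Because the callback is echoed as the very first bytes of the body, an
    alphanumeric-only SWF supplied as the callback turns the response into a
    Flash object that runs in the JSONP host's origin.
    """
    if not LOOSE_CALLBACK_RE.match(callback):
        raise ValueError("callback contains disallowed characters")
    return f"{callback}({json.dumps(payload)});".encode("ascii")


def jsonp_after(callback: str, payload: dict) -> bytes:
    """Hardened JSONP response: strict allow-list plus a non-SWF prefix.

    json.dumps() escapes non-ASCII by default, so the body is pure ASCII.
    """
    if len(callback) > MAX_CALLBACK_LEN or not STRICT_CALLBACK_RE.match(callback):
        raise ValueError("callback rejected")
    return NON_SWF_PREFIX + f"{callback}({json.dumps(payload)});".encode("ascii")


def looks_like_swf(body: bytes) -> bool:
    """Signature-only check: would these bytes be accepted as an SWF header?"""
    return body[:3] in SWF_MAGIC


# Constructed attacker input: passes both callback rules and begins with the
# zlib-SWF signature. A real attack would carry a complete alphanumeric SWF
# here; the signature alone is enough to show which builder is fooled.
CONSTRUCTED_EVIL_CALLBACK = "CWSx0123456789"
SAMPLE_BUG = {"id": 12345, "summary": "private bug data"}  # constructed


def demo() -> dict:
    """Report whether each builder yields an SWF-shaped body for the evil callback."""
    return {
        "before_is_swf": looks_like_swf(jsonp_before(CONSTRUCTED_EVIL_CALLBACK, SAMPLE_BUG)),
        "after_is_swf": looks_like_swf(jsonp_after(CONSTRUCTED_EVIL_CALLBACK, SAMPLE_BUG)),
    }


if __name__ == "__main__":
    print(demo())  # {'before_is_swf': True, 'after_is_swf': False}
```

Note that the hardened builder still accepts the constructed callback: it is a perfectly valid identifier. The prefix, not the filter, is what defeats the attack, which is why a charset restriction on its own leaves an endpoint exposed. The check here looks at the three-byte signature only; it says nothing about the Flash-side changes Adobe shipped, which are a separate layer.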
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=9088#c14
Whiteboard: MGA3TOO => MGA3TOO has_procedure
I shall have a go at this MGA4 x64.
CC: (none) => lewyssmith
Just a note to confirm the installation of Bugzilla, with a bit more detail than the correct summary cited in Comment 2.

Note this from urpmi bugzilla:

  "The setup used here differs from default one, to achieve better FHS compliance.
   - the constant files are in /usr/share/bugzilla
   - the variables files are in /var/lib/bugzilla
   - the configuration file will be generated in /etc/bugzilla
   & [the installation script is at] /usr/share/bugzilla/bin/checksetup.pl"

http://www.bugzilla.org/docs/4.4/en/html/installation.html
http://www.bugzilla.org/docs/4.4/en/html/configuration.html
are good to follow (mostly).

After you have confirmed the major dependencies cited:

  # /usr/share/bugzilla/bin/checksetup.pl --check-modules

does a check of required & optional Perl modules. Only the first screenful+ really matters.

Bugzilla Configuration section 2.2.1. localconfig should really be in two sections, before & after database priming.

  # /usr/share/bugzilla/bin/checksetup.pl    [creates /etc/bugzilla/localconfig]

2.2.2. Database Server. I opted to use PostgreSQL:

  # su - postgres                            [PostgreSQL system user]
  $ createuser -U postgres -dRSP bugs        [create the PostgreSQL DB user 'bugs']
  Enter password for new role:               [PostgreSQL user bugs password]
  Enter it again:

2.2.2.3.2. Configure PostgreSQL:

  $ vi /var/lib/pgsql/data/pg_hba.conf

add a new line to it as follows:

  host all bugs 127.0.0.1 255.255.255.255 md5

  $ logout                                   [from PostgreSQL session]
  # systemctl stop postgresql
  # systemctl start postgresql

NOW back to 2.2.1. edit localconfig:

  # vi /etc/bugzilla/localconfig

  "$db_driver can be either 'mysql', 'Pg', 'Oracle' or 'Sqlite'."
  "$db_pass the password for the user you [created] for your database"

2.2.3. checksetup.pl [creates database and Bugzilla admin user]

  # /usr/share/bugzilla/bin/checksetup.pl
  [lots of output]
  Enter the e-mail address of the administrator: xxxxxxxxxxx
  Enter the real name of the administrator: xxxxxx
  Enter a password for the administrator account:
  Please retype the password to verify:

Because Claire's earlier summary made no mention of 2.2.4. Web server / 2.2.4.1. Bugzilla using Apache, I did *not* edit /etc/httpd/conf/httpd.conf as documented (could find nothing Bugzilla in /var/www/), so tried http://localhost/bugzilla/ and it showed the "Welcome to Bugzilla" page.

Ready to play with, hopefully.
I guess we can add MGA4-64-OK from your tests Lewis?
CC: (none) => remi
(In reply to Rémi Verschelde from comment #5)
> I guess we can add MGA4-64-OK from your tests Lewis?

No! All I got to was installing the release version for testing. In fact, I cannot log into it... I noted the Admin username and password, but they yield always:

  "You tried to log in using the Lewis account, but Bugzilla is unable to trust your request. Make sure your web browser accepts cookies and that you haven't been redirected here from an external web site. Click here if you really want to log in. Please press Back and try again"

[That the browser is OK is shown by my actual use of Bugzilla here in another tab].

The Bugzilla user name came from asking for the real name for the Admin account, and I replied Lewis; I have tried variants like lewis, alternative possible passwords, but the same failure. Sometimes the response is different: "Bugzilla needs a legitimate login and password to continue." with bare login dialogue; most reproducible with a nonsense login name. I tried creating a new account, but that was bounced because the e-mail address was already known.

So once more, advice welcome. Once logged in, the update should be quick to try.
The default login is the email/password you gave it when running checksetup.pl.

Tested ok here mga4 64. https://bugs.mageia.org/show_bug.cgi?id=9088#c14

I installed/configured, created a bug with an attachment, and then updated and created another bug with another attachment.

I'll test mga4 32 also and install the update directly, as Lewis has had some problems.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0349.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED