Upstream has issued an advisory today (October 6): http://www.bugzilla.org/security/4.0.14/ Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated bugzilla packages fix security vulnerabilities: If a new comment was marked private to the insider group, and a flag was set in the same transaction, the comment would be visible to flag recipients even if they were not in the insider group (CVE-2014-1571). An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name could be automatically added to groups based on the group's regular expression setting (CVE-2014-1572). During an audit of the Bugzilla code base, several places were found where cross-site scripting exploits could occur which could allow an attacker to access sensitive information (CVE-2014-1573). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1571 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1573 http://www.bugzilla.org/security/4.0.14/ http://www.bugzilla.org/releases/4.4.6/release-notes.html ======================== Updated packages in core/updates_testing: ======================== bugzilla-4.4.6-1.mga3.noarch.rpm bugzilla-contrib-4.4.6-1.mga3.noarch.rpm bugzilla-4.4.6-1.mga4.noarch.rpm bugzilla-contrib-4.4.6-1.mga4.noarch.rpm from SRPMS: bugzilla-4.4.6-1.mga3.src.rpm bugzilla-4.4.6-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=9088#c14
Whiteboard: (none) => MGA3TOO has_procedure
Testing on Mageia4-32 Installed : - bugzilla-4.4.6-1.mga4.noarch in /usr/share/bugzilla/bin # ./checksetup.pl --check-modules # ./checksetup.pl # leafpad /etc/bugzilla/localconfig $db_driver = 'mysql'; $db_host = 'localhost'; $db_name = 'bugs'; $db_pass = 'passwd'; # mysqladmin --user=root -p create bugs # mysql -u root -p MariaDB [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY 'passwd'; MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(none)]> quit # cd /etc/bugzilla/ # grep webservergroup localconfig $webservergroup = 'apache'; # grep Group /etc/httpd/conf/httpd.conf # User/Group: The name (or #number) of the user/group to run httpd as. Group apache # cd /usr/share/bugzilla/bin/ # ./checksetup.pl * This is Bugzilla 4.4.6 on perl 5.18.1 (...) Enter the e-mail address of the administrator: olli@free.fr Enter the real name of the administrator: olli Enter a password for the administrator account: Please retype the password to verify: olli@free.fr is now set up as an administrator. Creating initial dummy product 'TestProduct'... checksetup.pl complete. edit /etc/bugzilla/localconfig http://localhost/bugzilla/ Logged in as olli@free.fr and passwd previously set. On welcome page, went to Administration/Parameters/Required Settings and filled urlbase : http://localhost/bugzilla/ Then created bugs, add attachments, logged out, search, read bugs, download attachments... All went smooth.
CC: (none) => olchalWhiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
Testing on Mageia4-64 * This is Bugzilla 4.4.6 on perl 5.18.1 Followed same procedure as in comment 2 Once installed and configured, created bugs, placed comments, attachments, logged in and out, created users, products, etc ... All good.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure mga3-64-ok MGA4-32-OK MGA4-64-OK
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0412.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/615620/
bugs.mageia.org also updated to 4.4.6
CC: (none) => tmb