Fedora has issued an advisory on March 6:
Mageia 6 is also affected.
The issue is fixed upstream in 5.0.4.
Whiteboard: Fixed upstream in 5.0.4
Assigning to the registered maintainer.
Update submitted to both mga7 and mga6 core/updates-testing.
Updated bugzilla packages fix security vulnerability:
A CSRF vulnerability in Bugzilla's report.cgi would allow a third-party site to
extract confidential information from a bug the victim had access to.
Updated packages in core/updates_testing:
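The advisory text above names report.cgi as the page reached by the cross-site request. As an added example (not from the advisory, the Mageia packages or Bugzilla itself), this Python script scans Apache combined-format access logs for report.cgi hits whose Referer is not the Bugzilla host; the host name, log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the Bugzilla instance is served as http://localhost/bugzilla,
# as in the QA test in this thread; adjust for a real deployment.
BUGZILLA_HOST = "localhost"

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line, bugzilla_host=BUGZILLA_HOST):
    """None for lines that are not report.cgi hits; otherwise one of:
    'same-origin' (Referer is Bugzilla itself, normal UI navigation),
    'no-referer'  (Referer absent, cannot tell, worth a second look),
    'cross-site'  (Referer names another host: the request to report.cgi
                   did not start from a Bugzilla page, the CSRF pattern)."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").split("?")[0].endswith("/report.cgi"):
        return None
    referer = m.group("referer")
    if referer in ("", "-"):
        return "no-referer"
    host = urlsplit(referer).hostname or ""
    return "same-origin" if host == bugzilla_host else "cross-site"

def suspicious_hits(lines, bugzilla_host=BUGZILLA_HOST):
    """Return (tag, path, referer) for every report.cgi hit that is not same-origin."""
    out = []
    for line in lines:
        tag = classify(line, bugzilla_host)
        if tag in ("cross-site", "no-referer"):
            m = LOG_RE.match(line)
            out.append((tag, m.group("path"), m.group("referer")))
    return out

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Mar/2018:10:00:01 +0000] "GET /bugzilla/report.cgi?action=wizard HTTP/1.1" 200 4321 "http://localhost/bugzilla/query.cgi" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Mar/2018:10:00:09 +0000] "GET /bugzilla/report.cgi?format=table HTTP/1.1" 200 987 "http://evil.example/lure.html" "Mozilla/5.0"',
    '10.0.0.7 - - [06/Mar/2018:10:01:00 +0000] "GET /bugzilla/show_bug.cgi?id=1 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [06/Mar/2018:10:02:00 +0000] "GET /bugzilla/report.cgi HTTP/1.1" 200 300 "-" "curl/7.58"',
]

if __name__ == "__main__":
    for hit in suspicious_hits(SAMPLE_LOG):
        print(hit)
```

The Referer check is a heuristic, since browsers may omit the header under a referrer policy, so "no-referer" hits need manual review; installing the updated packages remains the actual fix.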
Testing complete mga6 64
Used phpmyadmin to create a database user 'bugs', selected Local, and chose a stupidly complex password so it will pass the password restrictions. Ticked to create a database with the same name and clicked Go at the bottom.
# urpmi bugzilla bugzilla-contrib
Added the database info into /etc/bugzilla/localconfig
# nano /etc/bugzilla/localconfig
Ran checksetup.pl again
Entered an email and details for the admin account.
# systemctl restart httpd.service
Opened http://localhost/bugzilla in a browser, logged in and created a bug report.
Updated bugzilla + bugzilla-contrib and created another bug.
Cleaned up. Used phpmyadmin to remove the bugzilla db user and ticked to delete the database at the same time. Removed bugzilla packages.
Thanks, Claire, for your test and its carefully crafted model description!
Not sure of the wisdom of removing Bugzilla after all the pain to install it; it will be back!
Validating on the one-is-enough basis (esp x64).
An update for this issue has been pushed to the Mageia Updates repository.