Bugzilla released 4.0.3. It fixes various security problems. It does NOT contain any new features. Submitted 4.0.3 as update for mga1.
See URL for the security advisory. Full release notes at http://www.bugzilla.org/releases/4.0.3/release-notes.html.
URL: (none) => http://www.bugzilla.org/security/3.4.12/
Testing complete on i586 for the srpm
bugzilla-4.0.3-1.1.mga1.src.rpm

I don't see a POC in the advisory, so just testing that the package works. I've checked the password reset, adding a comment to an existing bug, and adding a new bug.

See https://bugs.mageia.org/show_bug.cgi?id=1040#c15 for testing setup.
CC: (none) => davidwhodgins
Testing complete on x86_64

Suggested Advisory:
-------------
This update addresses the following CVEs:

- CVE-2011-3657
  When viewing tabular or graphical reports as well as new charts, an XSS vulnerability is possible in debug mode.
  https://bugzilla.mozilla.org/show_bug.cgi?id=697699

- CVE-2011-3667
  The User.offer_account_by_email WebService method lets you create a new user account even if the active authentication method forbids users to create an account.
  https://bugzilla.mozilla.org/show_bug.cgi?id=711714

- CVE-2011-3668, CVE-2011-3669
  A CSRF vulnerability in post_bug.cgi and in attachment.cgi could lead to the creation of unwanted bug reports and attachments.
  https://bugzilla.mozilla.org/show_bug.cgi?id=703975
  https://bugzilla.mozilla.org/show_bug.cgi?id=703983

In addition, the following important fixes/changes have been made in this release: see http://www.bugzilla.org/releases/4.0.3/release-notes.html

https://bugs.mageia.org/show_bug.cgi?id=3996
-------------

SRPM: bugzilla-4.0.3-1.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED