Bug 7267 - Security release: Bugzilla 4.2.3
Summary: Security release: Bugzilla 4.2.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: https://bug786364.bugzilla.mozilla.or...
Whiteboard: MGA2-32-OK MGA2-64-OK
Keywords: Security, validated_update
Depends on:
Blocks:
 
Reported: 2012-08-30 22:52 CEST by Olav Vitters
Modified: 2012-09-04 20:50 CEST (History)
3 users (show)

See Also:
Source RPM:
CVE:
Status comment:


Attachments

Description Olav Vitters 2012-08-30 22:52:21 CEST
This is being released at the moment. It should be updated for Mageia 2.
Olav Vitters 2012-08-30 22:52:31 CEST

Assignee: bugsquad => olav

Comment 1 Olav Vitters 2012-08-30 22:54:39 CEST
Security advisory as from upstream bugzilla:
https://bug786364.bugzilla.mozilla.org/attachment.cgi?id=656933



Vulnerability Details
=====================

Class:       LDAP Injection
Versions:    2.12 to 3.6.10, 3.7.1 to 4.0.7, 4.1.1 to 4.2.2,
             4.3.1 to 4.3.2
Fixed In:    3.6.11, 4.0.8, 4.2.3, 4.3.3
Description: When the user logs in using LDAP, the username is not
             escaped when building the uid=$username filter which is
             used to query the LDAP directory. This could potentially
             lead to LDAP injection.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=785470
CVE Number:  CVE-2012-3981

Class:       Directory Browsing
Versions:    2.23.2 to 3.6.10, 3.7.1 to 4.0.7, 4.1.1 to 4.2.2,
             4.3.1 to 4.3.2
Fixed In:    4.0.8, 4.2.3, 4.3.3
Description: Extensions are not protected against directory browsing
             and users can access the source code of the templates
             which may contain sensitive data.
             Directory browsing is blocked in Bugzilla 4.3.3 only,
             because it requires a configuration change in the Apache
             httpd.conf file to allow local .htaccess files to use
             Options -Indexes. To not break existing installations,
             this fix has not been backported to stable branches.
             The access to templates is blocked for all supported
             branches except the old 3.6 branch, because this branch
             doesn't have .htaccess in the bzr repository and cannot
             be fixed easily for existing installations without
             potentially conflicting with custom changes.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=785522
             https://bugzilla.mozilla.org/show_bug.cgi?id=785511
CVE Number:  none

URL: (none) => https://bug786364.bugzilla.mozilla.org/attachment.cgi?id=656933

Comment 2 Olav Vitters 2012-08-30 23:00:17 CEST
Mageia 2 currently has Bugzilla 4.2.1, which also has a security problems fixed in 4.2.2.. though obviously should upgrade to 4.2.3:


Vulnerability Details
=====================

Class:       Information Leak
Versions:    4.1.1 to 4.2.1, 4.3.1
Fixed In:    4.2.2, 4.3.2
Description: In HTML bugmails, all bug IDs and attachment IDs are
             linkified, and hovering these links displays a tooltip
             with the bug summary or the attachment description if
             the user is allowed to see the bug or attachment.
             But when validating user permissions when generating the
             email, the permissions of the user who edited the bug were
             taken into account instead of the permissions of the
             addressee. This means that confidential information could
             be disclosed to the addressee if the other user has more
             privileges than the addressee.
             Plain text bugmails are not affected as bug and attachment
             IDs are not linkified.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=777398
CVE Number:  CVE-2012-1968

Class:       Information Leak
Versions:    2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to 4.2.1, 4.3.1
Fixed In:    3.6.10, 4.0.7, 4.2.2, 4.3.2
Description: The description of a private attachment could be visible
             to a user who hasn't permissions to access this attachment
             if the attachment ID is mentioned in a public comment in
             a bug that the user can see.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=777586
CVE Number:  CVE-2012-1969
Comment 3 Olav Vitters 2012-08-30 23:29:48 CEST
These releases also fix various other small bugs, for reference:
http://www.bugzilla.org/releases/4.2.2/release-notes.html
http://www.bugzilla.org/releases/4.2.3/release-notes.html

The http://www.bugzilla.org/ has been updated.
Comment 4 Olav Vitters 2012-08-31 00:40:20 CEST
Package available in updates_testing.

SRPM:
bugzilla-4.2.3-1.mga2.src.rpm

Assignee: olav => qa-bugs

Comment 5 Dave Hodgins 2012-08-31 04:34:26 CEST
Testing complete on Mageia 2 i586 and x86-64.

Just testing that I can set it up, and enter a new bug.

Could someone from the sysadmin team push the srpm
bugzilla-4.2.3-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: This security update for bugzilla fixes
CVE-2012-3981, LDAP injection vulnerability.
CVE-2012-1969, Information Leak - description of a private attachment.

Also fixed are various other small bugs, for reference:
http://www.bugzilla.org/releases/4.2.2/release-notes.html
http://www.bugzilla.org/releases/4.2.3/release-notes.html

https://bugs.mageia.org/show_bug.cgi?id=7267

Keywords: (none) => Security, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-32-OK MGA2-64-OK

Comment 6 Thomas Backlund 2012-09-04 20:50:31 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0255

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.