Tuesday, Nov 13th, 2012

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla:

* Confidential product and component names can be disclosed to unauthorized users if they are used to control the visibility of a custom field.
* When calling the 'User.get' WebService method with a 'groups' argument, it is possible to check if the given group names exist or not.
* Due to incorrectly filtered field values in tabular reports, it is possible to inject code which can lead to XSS.
* When trying to mark an attachment in a bug you cannot see as obsolete, the description of the attachment is disclosed in the error message.
* A vulnerability in swfstore.swf from YUI2 can lead to XSS.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class:       Information Leak
Versions:    3.3.4 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: If the visibility of a custom field is controlled by a product or a component of a product you cannot see, their names are disclosed in the JavaScript code generated for this custom field even though they should remain confidential.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE Number:  CVE-2012-4199

Class:       Information Leak
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: Calling the User.get method with a 'groups' argument leaks the existence of the groups depending on whether an error is thrown or not. This method now also throws an error if the user calling this method does not belong to these groups (independently of whether the groups exist or not).
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE Number:  CVE-2012-4198

Class:       Cross-Site Scripting
Versions:    4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.2.4, 4.4rc1
Description: Due to incorrectly filtered field values in tabular reports, it is possible to inject code leading to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE Number:  CVE-2012-4189

Class:       Information Leak
Versions:    2.16 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: Trying to mark an attachment in a bug you cannot see as obsolete discloses its description in the error message. The description of the attachment is now removed from the error message.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE Number:  CVE-2012-4197

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: A vulnerability in swfstore.swf from YUI2 allows JavaScript injection exploits to be created against domains that host this affected YUI .swf file.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=808845
             http://yuilibrary.com/support/20121030-vulnerability/
CVE Number:  CVE-2012-5475

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.6.12, 4.0.9, 4.2.4 and 4.4rc1 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the individual security vulnerabilities, there are patches available for each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS/bzr upgrade instructions are available at:

http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix this issue:

Frédéric Buclin
David Lawrence
Gervase Markham
Mateusz Goik

General information about the Bugzilla bug-tracking system can be found at:

http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.
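The User.get 'groups' issue (CVE-2012-4198) is an error-message oracle: the caller learns whether a confidential group exists from which error comes back. The model below is an added example, not Bugzilla's own Perl code; it uses constructed group data and hypothetical function names to contrast the pre-4.2.4 behaviour with the fix the advisory describes (one error whenever the caller is not a member, regardless of whether the group exists).

```python
# Added example (not Bugzilla code): minimal model of the existence oracle in
# User.get 'groups' (CVE-2012-4198) and of the fix described in the advisory.

# Constructed sample data: which groups exist and who belongs to them.
GROUPS = {
    "editbugs": {"alice", "bob"},
    "security-team": {"alice"},   # confidential group, bob must not learn of it
}


class AuthError(Exception):
    """Error message returned to the WebService caller."""


def user_get_vulnerable(caller, groups):
    """Pre-4.2.4 behaviour: two distinct errors reveal whether a group exists."""
    for name in groups:
        if name not in GROUPS:
            raise AuthError(f"Group '{name}' does not exist")
        if caller not in GROUPS[name]:
            raise AuthError(f"You are not a member of '{name}'")
    return sorted(set().union(*(GROUPS[g] for g in groups)))


def user_get_fixed(caller, groups):
    """Fixed behaviour: the same error for a missing group and for an existing
    group the caller does not belong to, so the response is not an oracle."""
    for name in groups:
        if caller not in GROUPS.get(name, set()):
            raise AuthError("You are not authorized to query this group")
    return sorted(set().union(*(GROUPS[g] for g in groups)))


def error_text(func, caller, groups):
    """Return the error message the caller observes, or None on success."""
    try:
        func(caller, groups)
    except AuthError as e:
        return str(e)
    return None


def distinguishable(func, caller, existing, missing):
    """True if the caller can tell an existing group apart from a missing one
    purely from the error message, i.e. the method acts as an oracle."""
    return error_text(func, caller, [existing]) != error_text(func, caller, [missing])
```

The same uniform-error rule is the defence for the product-name oracle in CVE-2013-0786 mentioned later in this ticket.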
This was forgotten for some unknown reason. Additionally, this bugzilla installation is affected as well. Anyway, fixed packages (4.2.4) have been submitted to mga2, updates_testing. Same version was committed to cauldron, and has to be submitted.
CC: (none) => luigiwalser
CC: (none) => dmorganec, sysadmin-bugs
CC: (none) => tmb
Note that we are going to release Bugzilla 4.2.5 next week. It fixes one critical security bug, see https://bugzilla.mozilla.org/show_bug.cgi?id=832256.
CC: (none) => LpSolit
(In reply to comment #1)
> Same version was committed to cauldron, and has to be submitted.

When will this be done? Note that for Cauldron, you should rather move to the 4.4 branch. 4.4rc1 is already available, and 4.4rc2 is going to be released very soon now.
Just bumped to 4.2.5 (fixes CVE-2013-0785, CVE-2013-0786).
Summary: Multiple vulnerabilities in bugzilla (CVE-2012-4199,4198,4189,4197,5475) => Multiple vulnerabilities in bugzilla (CVE-2012-4199,4198,4189,4197,5475,0785,0786)
And, for this bugzilla installation you need http://www.bugzilla.org/security/3.6.12/
Summary: Multiple vulnerabilities in bugzilla (CVE-2012-4199,4198,4189,4197,5475,0785,0786) => Multiple vulnerabilities in bugzilla (CVE-2012-4199,4198,4189,4197,5475, CVE-2013-0785,0786)
Cauldron version has been updated, so I think this ticket can be closed. Also, I don't understand why I'm assigned to it, whereas the maintainer is supposed to be Olav...
As this was pushed in Cauldron, the version can be changed, but as you can see from the comments, Oden has talked about an update for Mageia 2 also. I guess he doesn't know how we use the whiteboard to indicate two versions. This should be assigned to QA when the update for Mageia 2 is ready.
CC: (none) => guillomovitch
Version: Cauldron => 2
Assignee: guillomovitch => oe
I see this was updated in MBS, but we haven't updated in Mageia 2 yet: http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:066/ Oden, has an update been built for Mageia 2 that's ready to test?
[qateam@titan ~]$ rchp /mnt/BIG/mirror/mageia/mga2/SRPMS/core/updates_testing/bugzilla-4.2.5-0.1.mga2.src.rpm
* Wed 20 Feb 2013 07:00:00 AM EST oden <oden> 4.2.5-0.1.mga2
+ Revision: 399521
- 4.2.5 (fixes CVE-2013-0785, CVE-2013-0786)
- 4.2.4 (fixes CVE-2012-4199,4198,4189,4197,5475)

+ ovitters <ovitters>
- new version 4.2.3 (security+bugfixes)
- fix requirs (mga#6093)

+ fwang <fwang>
- new version 4.2.1
Assigning to QA then. Advisory will be copied from the MDV MBS advisory in Comment 10.
CC: (none) => oe
Assignee: oe => qa-bugs
Advisory:
========================

Updated bugzilla packages fix security vulnerabilities:

The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment (CVE-2012-1969).

Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 does not restrict the characters in a username, which might allow remote attackers to inject data into an LDAP directory via a crafted login attempt (CVE-2012-3981).

Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the Version field (CVE-2012-4189).

Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers to read attachment descriptions from private bugs via an obsolete=1 insert action (CVE-2012-4197).

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups request depending on whether a group exists, which allows remote authenticated users to discover private group names by observing whether a call throws an error (CVE-2012-4198).

template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls containing private product names or private component names in certain circumstances involving custom-field visibility control, which allows remote attackers to obtain sensitive information by reading HTML source code (CVE-2012-4199).

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209 (CVE-2012-5883).

Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla before 3.6.13, 3.7.x and 4.0.x before 4.0.10, 4.1.x and 4.2.x before 4.2.5, and 4.3.x and 4.4.x before 4.4rc2 allows remote attackers to inject arbitrary web script or HTML via the id parameter in conjunction with an invalid value of the format parameter (CVE-2013-0785).

The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on whether a product exists, which allows remote attackers to discover private product names by using debug mode for a query (CVE-2013-0786).

The updated packages have been upgraded to the 4.2.5 version which is not vulnerable to these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0786
http://www.bugzilla.org/security/3.6.11/
http://www.bugzilla.org/security/3.6.12/
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:066/
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.2.5-0.1.mga2
bugzilla-contrib-4.2.5-0.1.mga2

from bugzilla-4.2.5-0.1.mga2.src.rpm
URL: http://www.bugzilla.org/security/3.6.11/ => http://lwn.net/Vulnerabilities/546611/
QA Contact: (none) => security
Source RPM: (none) => bugzilla
Testing complete mga2 32

Created mysql database with phpmyadmin
Ran /usr/share/bugzilla/bin/checksetup.pl
Edited /etc/bugzilla/localconfig to add the database details
Ran /usr/share/bugzilla/bin/checksetup.pl again and performed the installation.
Logged in and created bugs, added attachments etc., logged out
Updated
Logged in and did the same
Whiteboard: (none) => has_procedure mga2-32-ok
Testing x86-64 shortly.
CC: (none) => davidwhodgins
Testing complete on x86-64. Could someone from the sysadmin team push the srpm bugzilla-4.2.5-0.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Please see Comment 13 for the advisory.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0117
Status: NEW => RESOLVED
Resolution: (none) => FIXED