Bugzilla remote database password disclosure
3rd Jan 2003 [SBWID-5901]
COMMAND

	Bugzilla remote database password disclosure

SYSTEMS AFFECTED

	 All 2.14.x releases before 2.14.5 and all 2.16.x releases before 2.16.2.
	 Development snapshots prior to version 2.17.3 are also affected.

PROBLEM

	From the advisory by Dave Miller, Project Leader, Bugzilla Bug Tracking
	System [http://www.justdave.net/] [http://www.bugzilla.org/]:
	
	This advisory covers two security bugs:  one  involves  incorrect  local
	permissions on a directory,  allowing  local  users  access.  The  other
	involves protecting configuration information leaks due to backup  files
	created by editors.
	
	The following security issues were fixed in 2.14.5, 2.16.2, and 2.17.3:
	
	- The provided data collection script intended to be run as a nightly
	  cron job changes the permissions of the data/mining directory to be
	  world-writable every time it runs. This would enable local users to
	  alter or delete the collected data. (Bugzilla bug 183188 / Bugtraq
	  ID 6502).
	
	- The default .htaccess scripts provided by checksetup.pl do not block
	  access to backups of the localconfig file that might be created by
	  editors such as vi or emacs (typically these will have a .swp or ~
	  suffix).  This allows an end user to download one of the backup copies
	  and potentially obtain your database password.  If you already have such
	  an editor backup in your bugzilla directory it would be advisable to
	  change your database password in addition to upgrading.
	
	  In addition, we also continue to recommend hardening access to the
	  Bugzilla database user account by limiting access to the account to
	  the machine Bugzilla is served from (typically localhost); consult the
	  MySQL documentation for more information on how to accomplish this.
	  (Bugzilla bug 186383 / Bugtraq ID 6501)
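
	The two conditions above can be checked on an installed tree. The
	following POSIX shell script is an added example, not Bugzilla's own
	code or the fix shipped in checksetup.pl: it lists editor backup and
	swap copies of localconfig sitting in the web root, tests whether
	data/mining has been left world-writable, and emits an .htaccess
	fragment that refuses to serve anything with "localconfig" in its
	name. The backup-name patterns and the FilesMatch rule are assumptions
	chosen for illustration; the file and directory names come from the
	advisory.

```shell
#!/bin/sh
# Added example (not Bugzilla's own code): audit a Bugzilla 2.14/2.16-era
# install for the two conditions in this advisory. The names localconfig
# and data/mining come from the advisory; the backup-name patterns and
# the .htaccess text below are assumptions for illustration.

# List editor backup/swap copies of localconfig directly under $1: vim swap
# files (.localconfig.swp/.swo), vi/emacs backups (localconfig~), emacs
# autosave files (#localconfig#) and common manual copies (.bak/.orig/.old).
find_localconfig_backups() {
    find "$1" -maxdepth 1 -type f \( -name '.localconfig.sw?' \
        -o -name 'localconfig~' -o -name '#localconfig#' \
        -o -name 'localconfig.bak' -o -name 'localconfig.orig' \
        -o -name 'localconfig.old' \) | sort
}

# Number of such files, as a bare integer (tr strips BSD wc padding).
count_localconfig_backups() {
    find_localconfig_backups "$1" | wc -l | tr -d ' '
}

# Return 0 when $1/data/mining is not world-writable, 1 when it is
# (the state the unpatched nightly data collection script leaves it in).
# "-perm -002" is POSIX find: every bit in 002 is set, i.e. o+w.
mining_dir_ok() {
    d="$1/data/mining"
    [ -d "$d" ] || return 0          # nothing collected yet, nothing to protect
    [ -z "$(find "$d" -maxdepth 0 -perm -002)" ]
}

# Emit an .htaccess fragment that refuses to serve any file whose name
# contains "localconfig", which covers the live file and every backup
# name matched above. Apache 1.3/2.0 "Order/Deny" syntax. This is an
# assumed rule for illustration, not the text checksetup.pl writes.
htaccess_rule() {
    cat <<'EOF'
<FilesMatch "localconfig">
  Order deny,allow
  Deny from all
</FilesMatch>
EOF
}

# Overall verdict for the tree rooted at $1: 0 when both conditions are
# clean, 1 otherwise, with one warning per finding on stderr.
audit_bugzilla() {
    root="$1"
    status=0
    n=$(count_localconfig_backups "$root")
    if [ "$n" -ne 0 ]; then
        echo "WARN: $n editor backup(s) of localconfig in $root; remove them and rotate the DB password" >&2
        status=1
    fi
    if ! mining_dir_ok "$root"; then
        echo "WARN: $root/data/mining is world-writable; chmod o-w it and apply the patch" >&2
        status=1
    fi
    return $status
}
```

	Run it as `audit_bugzilla /path/to/bugzilla` from a cron job or a
	post-upgrade step; a non-zero exit means a backup copy exists (in
	which case the advisory's advice to change the database password
	applies regardless of whether the .htaccess rule is in place, since
	the file may already have been fetched) or the mining directory is
	world-writable.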
	
	Also included in these releases are the patches that were posted as
	part of our earlier security advisory on November 26th, 2002. (Bugzilla
	bug 179329, Bugtraq ID 6257 - see
	http://online.securityfocus.com/archive/1/301316 )
	
	Complete bug reports for the security bugs covered herein may be
	obtained at:
	
	   http://bugzilla.mozilla.org/show_bug.cgi?id=183188
	   http://bugzilla.mozilla.org/show_bug.cgi?id=186383
	

SOLUTION

	The fixes for both security bugs contained in this release, as well as
	the previously announced security bug involving cross-site scripting
	vulnerabilities, are contained in the 2.14.5, 2.16.2, and 2.17.3
	releases. Upgrading to these releases will protect installations
	against exploitation of these security bugs.
	
	Individual patches to upgrade Bugzilla are available at:
	
	  http://ftp.mozilla.org/pub/webtools/
	  (these patches are only valid for 2.14.4 and 2.16.1 users).
	
	Full release downloads and CVS upgrade instructions are available at:
	
	  http://www.bugzilla.org/download.html
	
