TUCoPS :: Web :: Wiki, Collaborationware :: bx3063.htm

Bugzilla 3.0.3, 3.1.3, 2.22.3, and 2.20.5
Security Advisory for Bugzilla 3.0.3, 3.1.3, 2.22.3, and 2.20.5
Security Advisory for Bugzilla 3.0.3, 3.1.3, 2.22.3, and 2.20.5

Bugzilla is a Web-based bug-tracking system, used by a large number of=0D
software projects.=0D
This advisory covers three security issues that have recently been=0D
fixed in the Bugzilla code:=0D
* Users without the "canconfirm" privilege could enter a bug as NEW=0D
  or ASSIGNED by using the XML-RPC interface.=0D
* When viewing several bugs at once, there was a Cross-Site Scripting hole.=0D
* The inbound email interface allowed you to set the Reporter via the=0D
  text of the email, instead of just using the From header.=0D
All affected installations are encouraged to upgrade as soon as possible.=0D
Vulnerability Details=0D
Class:       Unauthorized Bug Change=0D
Versions:    3.1.3=0D
Description: Users normally need the "canconfirm" privilege to put bugs=0D
             in the NEW or ASSIGNED state. However, users were being =0D
             allowed to create bugs in the NEW or ASSIGNED state if they=0D
             were creating the bug through the XML-RPC interface.=0D
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=415471=0D
Class:       Cross-Site Scripting=0D
Versions:    2.17.2 and higher=0D
Description: When using the "Format for Printing" view of a bug (or=0D
             the "Long Format" of a bug list, which is the same thing),=0D
             there was a cross-site scripting hole--arbitrary text=0D
             from a particular URL parameter could be injected into the=0D
             page without filtering.=0D
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=425665=0D
Class:       Account Impersonation (Minor)=0D
Versions:    2.23.4 and higher=0D
Description: By design, email_in.pl always believes the "From" header as=0D
             the user making changes or uses that as the reporter of the=0D
             bug. However, you could also specify the changer/reporter in=0D
             the body of the email and override the "From" header, possibly=0D
             bypassing some security checks set up by administrators=0D
             against the "From" header.=0D
             For most installations this is a minor or inconsequential=0D
             issue, as the documentation of email_in.pl already explains=0D
             that it does not do any user authentication (it just=0D
             believes the "From" header), so installations using it should=0D
             not have been expecting user account security (though they=0D
             may have had checks against the "From" header--that is what=0D
             makes this a security issue).=0D
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=419188=0D
Vulnerability Solutions=0D
The fixes for the security bugs mentioned in this advisory are=0D
included in the 3.0.4, 3.1.4, 2.22.4, and 2.20.6 releases. Upgrading=0D
to these releases will protect installations from possible exploits of=0D
these issues.=0D
Full release downloads, patches to upgrade Bugzilla from previous=0D
versions, and CVS upgrade instructions are available at:=0D
The Bugzilla team wish to thank the following people for their=0D
assistance in locating, advising us of, and assisting us to fix=0D
these issues:=0D
Fr=E9d=E9ric Buclin=0D
Max Kanat-Alexander=0D
Bradley Baetz=0D
Loren Butler=0D
Marc Schumann=0D
General information about the Bugzilla bug-tracking system can be found=0D
Comments and follow-ups can be directed to the mozilla.support.bugzilla=0D
newsgroup or the support-bugzilla mailing list.=0D
http://www.bugzilla.org/support/ has directions for accessing these=0D 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH