COMMAND

	Bugzilla Various security issues of varying importance

SYSTEMS AFFECTED

	 2.14.1 or earlier

	 2.15 and 2.16rc1

PROBLEM

	In Bugzilla Security Advisory :
	

	Complete bug reports for all  bugs  can  be  obtained  by  visiting  the
	following URL:  http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX  where
	you replace the XXXXX at the end of the URL with a bug number as  listed
	below. You may also enter the bug numbers in the \"enter  a  bug#\"  box
	on the main page at http://bugzilla.mozilla.org/ or  in  the  footer  of
	any other page on bugzilla.mozilla.org.
	

	A complete list of issues solved in 2.14.2 follows:
	

	 - queryhelp.cgi no longer shows confidential products to

	   people it shouldn\'t.

	   (bug 126801)

	

	 - It was possible for a user to bypass the IP check by

	   setting up a fake reverse DNS, if the Bugzilla web server

	   was configured to do reverse DNS lookups.  Apache is not

	   configured as such by default.  This is not a complete

	   exploit, as the user\'s login cookie would also need to

	   be divulged for this to be a problem.

	   (bug 129466)

	

	 - In some situations the data directory became world writeable.

	   (bug 134575)

	

	 - Any user with access to editusers.cgi could delete a user

	   regardless of whether \'allowuserdeletion\' is on.

	   (bug 141557)

	

	 - Real names were not HTML filtered, causing possible cross

	   site scripting attacks.

	   (bug 146447, 147486)

	

	 - Mass change would set the groupset of every bug to be the

	   groupset of the first bug.

	   (bug 107718)

	

	 - Some browsers (eg NetPositive) interacted with Bugzilla

	   badly and could have various form problems, including

	   removing group restrictions on bugs.

	   (bug 148674)

	

	 - It was possible for random confidential information to be

	   divulged, if the shadow database was in use and became

	   corrupted.

	   (bug 92263)

	

	 - The bug list sort order is now stricter about the SQL it will accept,

	   ensuring you use correct column name syntax.  Before this, there were

	   some syntax checks, so it is not known whether this problem was

	   exploitable.

	   (bug 130821)

	

SOLUTION

	Hence, if you are running 2.14.1 or earlier, it is advised  you  upgrade
	to 2.14.2. Whereas if you were running 2.15 or 2.16rc1,  it  is  advised
	you upgrade to 2.16rc2.
	

	There are many patches that need to be applied to properly  close  these
	holes, so they are not included here. If you will not be upgrading  your
	system and instead wish to apply these patches to your existing  system,
	a single patch which can be applied to a  Bugzilla  2.14.1  installation
	is available at
	

	 http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.1-to-2.14.2.diff.gz

	

	and a patch which can be applied to a Bugzilla 2.14 installation is at
	

	 http://ftp.mozilla.org/pub/webtools/bugzilla-2.14-to-2.14.2.diff.gz

	

	

	Full downloads (rather than patches) are available at
	

	 http://www.bugzilla.org/download.html