COMMAND

Bugzilla remote command injection

SYSTEMS AFFECTED

All 2.14 and 2.16 releases up to 2.14.4 / 2.16.1

PROBLEM

From the Bugzilla security advisory by Dave Miller:

--snipp--

- Permissions leak when using "usebuggroups" and more than 47 groups;
  permissions are granted to users in higher groups when they shouldn't be.
  (bug 167485; comment 12 has additional detection/recovery information)
  http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12

- bugzilla_email_append.pl calls processmail insecurely; command injection
  possible. (bug 163024)

The following additional security issue was fixed in 2.16.1:

- Apostrophes are not properly handled during account creation; SQL
  injection possible. (bug 165221)

--snipp--

SOLUTION

See Bugzilla branch 2.14.4 / 2.16.1
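Two of the three issues in the quoted advisory (the insecure processmail call, bug 163024, and the apostrophe handling during account creation, bug 165221) share one root cause: untrusted input spliced into a command string or a query string. The following is an added example written for this page; it is not Bugzilla's code (Bugzilla is Perl, and the real processmail arguments and profiles schema are not reproduced here, only assumed stand-ins). It uses Python with an in-memory SQLite database so it runs offline, and puts the unsafe pattern beside the fixed one for each bug class.

```python
import sqlite3
import subprocess
import sys


def make_db():
    """Constructed stand-in for Bugzilla's user table (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE profiles (login_name TEXT UNIQUE, realname TEXT)")
    return con


def create_account_unsafe(con, login, realname):
    """Vulnerable pattern (the bug 165221 class): values are interpolated
    into the SQL text, so an apostrophe in the input terminates the string
    literal early and the rest of the input becomes part of the query."""
    sql = f"INSERT INTO profiles VALUES ('{login}', '{realname}')"
    con.execute(sql)
    con.commit()


def create_account_safe(con, login, realname):
    """Fixed pattern: bind parameters. The driver sends values separately
    from the SQL text, so quoting characters are stored as plain data."""
    con.execute("INSERT INTO profiles VALUES (?, ?)", (login, realname))
    con.commit()


def lookup_realname(con, login):
    row = con.execute(
        "SELECT realname FROM profiles WHERE login_name = ?", (login,)
    ).fetchone()
    return row[0] if row else None


def apostrophe_breaks_unsafe_insert():
    """A perfectly legitimate name with an apostrophe is enough to show the
    unsafe insert is query-shape-controlled by the user: SQLite rejects it."""
    con = make_db()
    try:
        create_account_unsafe(con, "obrien@example.com", "Miles O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


def apostrophe_stored_by_safe_insert():
    """Same input through the parameterised insert round-trips unchanged."""
    con = make_db()
    create_account_safe(con, "obrien@example.com", "Miles O'Brien")
    return lookup_realname(con, "obrien@example.com")


def processmail_command_unsafe(bug_id):
    """Vulnerable pattern (the bug 163024 class): a single string that the
    caller would hand to a shell. Any shell metacharacter in bug_id is then
    interpreted by the shell. Returned, never executed, purely for contrast."""
    return "./processmail " + str(bug_id)


def processmail_argv(bug_id):
    """Fixed pattern: validate the input against the shape it must have
    (a bug id is digits only) and build an argv list so no shell is involved.
    Assumed argument form; the real processmail interface is not shown here."""
    bug_id = str(bug_id)
    if not bug_id.isdigit():
        raise ValueError("bug id must be numeric")
    return ["./processmail", bug_id]


def child_sees_argument_verbatim(arg):
    """Run a Python child as a stand-in for processmail and return what it
    received as argv[1]. With an argv list and no shell, the argument arrives
    exactly as passed, metacharacters included."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    print("unsafe insert rejected apostrophe:", apostrophe_breaks_unsafe_insert())
    print("safe insert stored:", apostrophe_stored_by_safe_insert())
    print("argv form:", processmail_argv(163024))
    print("child received:", repr(child_sees_argument_verbatim("123 | 456")))
```

The SQLite error in the unsafe path is the detection hint a defender can use: a legitimate user whose name contains an apostrophe will trip the same code path an attacker would, so a grep of the web server and database logs for syntax errors on the account-creation query is a cheap check for whether an install still runs the vulnerable interpolation. For the command case, the two controls are independent and both worth keeping: input validation limits what can reach the child at all, and the argv list removes the shell that would otherwise interpret it.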