From justdave at bugzilla.org Sat Jul 10 23:25:32 2004
From: justdave at bugzilla.org (David Miller)
Date: Sat, 10 Jul 2004 19:25:32 -0400
Subject: [ANN] Bugzilla 2.18rc1 Released
Message-ID: <40F07AEC.4090108@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Bugzilla Team is pleased to announce the release of Bugzilla 2.18rc1.

2.18rc1 is the first release candidate of Bugzilla 2.18, the next stable
version of Bugzilla. Users of 2.17.x branch versions of Bugzilla are strongly
advised to upgrade in order to patch security holes present in these versions
and to receive the new features and bug fixes present in 2.18rc1.
Furthermore, users of the 2.16 stable branch should consider testing the
release candidate. We appreciate your feedback and bug reports on the release
candidate version.

Download:
http://www.bugzilla.org/download/

Release Notes:
http://www.bugzilla.org/releases/2.18rc1/release-notes.html

Security Advisory:
http://www.bugzilla.org/security/2.16.5/

(All administrators are advised to read the release notes and security
advisory.)

Bugzilla Status Update:
http://www.bugzilla.org/status_updates/2004-04-10.html

Thanks to Mike Morgan and other members of the Bugzilla Team, we are also
pleased to release the new redesign of the Bugzilla website, located at
http://www.bugzilla.org/ . We hope that the new site makes finding
information about Bugzilla easier.

Thank you to everyone who contributed to the 2.18 branch and this release,
including developing patches, finding security bugs, and all other
contributions.

-- 
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA8Hrr0YeDAOcbS44RAm5jAKCOwhUsLr2K9qRuIVtKpdM5fTZ0PwCfVcP1
gBg8yQvVEhW3HsNTHyfcYiw=
=1Tud
-----END PGP SIGNATURE-----


From justdave at bugzilla.org Sat Jul 10 23:21:31 2004
From: justdave at bugzilla.org (David Miller)
Date: Sat, 10 Jul 2004 19:21:31 -0400
Subject: [ANN] Bugzilla 2.16.6 Released
Message-ID: <40F079FB.5020100@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Bugzilla Team is pleased to announce the release of Bugzilla 2.16.6.

2.16.6 is the latest stable release of Bugzilla and contains fixes to several
security bugs.

Download:
http://www.bugzilla.org/download/

Release Notes:
http://www.bugzilla.org/releases/2.16.6/release-notes.html

Security Advisory:
http://www.bugzilla.org/security/2.16.5/

(All administrators are advised to read the release notes and security
advisory.)

Bugzilla Status Update:
http://www.bugzilla.org/status_updates/2004-04-10.html

Revamped Bugzilla Site:
http://www.bugzilla.org/

Thanks to everyone who contributed to 2.16.6.
-- 
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA8Hn60YeDAOcbS44RAuWVAJ0a2hALrIYyHOGiM4ZVTzOR7Ex5EwCgl9Ur
wifPaUM7ywaWzxJqx1UPfc8=
=a9PE
-----END PGP SIGNATURE-----


From justdave at bugzilla.org Sat Jul 10 23:23:04 2004
From: justdave at bugzilla.org (David Miller)
Date: Sat, 10 Jul 2004 19:23:04 -0400
Subject: [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7
Message-ID: <40F07A58.6070401@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bugzilla Security Advisory
July 10, 2004

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers security bugs that have recently been discovered and
fixed in the Bugzilla code: In the stable 2.16 releases, one instance of
arbitrary SQL injection exploitable only by a privileged user, several
instances of insufficient data validation and/or escaping, and two instances
of unprivileged access to names of restricted products.

We know of no occasion where any of these vulnerabilities have been
exploited.

All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.16.6, which was released today.

Development snapshots prior to version 2.18rc1 are also affected, so if you
are using a development snapshot, you should obtain a newer one (2.18rc1) or
use CVS to update.

Vulnerability Details
=====================

Issue 1
-------

Class:       Database Password Compromise
Versions:    2.17.1 through 2.17.7 (2.16-based releases are not affected)
Description: If the SQL server is halted but the webserver is left running,
             older versions of DBI display an error message to the remote
             user which contains the database password. While a
             properly-configured database would still only be accessible
             by a local user using that password, all installations are
             advised to change the password after upgrading.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=227191

Issue 2
-------

Class:       Privilege escalation
Versions:    2.17.1 through 2.17.7 (2.16-based releases are not affected)
Description: A user with privileges to grant membership to one or more
             individual groups (i.e. usually an administrator) can trick
             the administrative controls into granting membership in
             groups other than the ones he has privileges for.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=233486

Issue 3
-------

Class:       Information Leak
Versions:    All versions prior to 2.16.6 and 2.18rc1
Description: If Bugzilla is configured to hide entire products from some
             users, both duplicates.cgi and the form for mass-editing a
             list of bugs in buglist.cgi can disclose the names of those
             hidden products to such users.
References:  http://bugzilla.mozilla.org/show_bug.cgi?id=234825
             http://bugzilla.mozilla.org/show_bug.cgi?id=234855

Issue 4
-------

Class:       Cross-site scripting vulnerability
Versions:    All versions prior to 2.16.6 and 2.18rc1
Description: Several administration CGIs echo invalid data back to the
             user without escaping it.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=235265

Issue 5
-------

Class:       User Password embedded in URL
Versions:    2.17.5 through 2.17.7 (2.16-based releases are not affected)
Description: The user's password can be embedded as part of an image URL,
             and thus visible in the web server logs, if the user is
             prompted to log in while attempting to view a chart.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=235510

Issue 6
-------

Class:       Remote SQL injection vulnerability
Versions:    All versions prior to 2.16.6 and 2.18rc1
Description: A user with privileges to grant membership to any group
             (i.e. usually an administrator) can trick editusers.cgi
             into executing arbitrary SQL.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=244272

Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are
included in the 2.16.6 and 2.18rc1 releases. Upgrading to these releases
will protect installations from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla to 2.16.6 from previous
2.16.x versions, and CVS upgrade instructions are available at:
    http://www.bugzilla.org/download.html

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the reference
for that issue in the list above.

Credits
=======

The Bugzilla team wish to thank the following people for their assistance
in locating, advising us of, and assisting us to fix these situations:

Vlad Dascalu
Laran Evans
Jouni Heikniemi
Felix Hieronymi
Byron Jones
Gervase Markham
Dave Miller
Gabriel Millerd
Joel Peshkin
Christian Reis

General information about the Bugzilla bug-tracking system can be found at
http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list; http://www.bugzilla.org/discussion.html has directions for accessing
these forums.
-30-

-- 
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA8HpX0YeDAOcbS44RAphsAJ9czTa994vPqcCB5M6nmzi2qf1QUwCgnUiq
txjxqfRC+96Qm6whxshfM4s=
=RPO1
-----END PGP SIGNATURE-----


From justdave at bugzilla.org Wed Jul 28 09:18:56 2004
From: justdave at bugzilla.org (David Miller)
Date: Wed, 28 Jul 2004 05:18:56 -0400
Subject: [ANN] Bugzilla 2.18rc2 Released
Message-ID: <41076F80.6020103@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our second release candidate for Bugzilla 2.18 is now available. There are
a few major issues addressed that snuck into 2.18rc1, so if you're already
running 2.18rc1, an upgrade is strongly recommended.

Information about what's new and what's still left to fix is on the 2.18
Release Status page at http://www.bugzilla.org/releases/2.18/

Download:
http://www.bugzilla.org/download/#candidate

We encourage you to try it out and let us know of any problems you find.
At this point, we believe there will be a third release candidate prior to
the final release.

Here's a quick list of the major changes since 2.18rc1:

http://bugzilla.mozilla.org/show_bug.cgi?id=250881
  Fixed problem where a cookie set by defining a series causes the user to
  be unable to use the search page until the cookie is cleared.

http://bugzilla.mozilla.org/show_bug.cgi?id=250967
  Prevent flags system from making spurious updates to outstanding flags

http://bugzilla.mozilla.org/show_bug.cgi?id=250892
  Fix some w3c validation errors

http://bugzilla.mozilla.org/show_bug.cgi?id=250840
  Correct some minimum system requirements

http://bugzilla.mozilla.org/show_bug.cgi?id=251567
  Enhance "find a specific bug" so it does not miss the obvious

http://bugzilla.mozilla.org/show_bug.cgi?id=251484
  Fix taint error on product creation when series feature is enabled

http://bugzilla.mozilla.org/show_bug.cgi?id=240093
  Fix broken canconfirm privileges

http://bugzilla.mozilla.org/show_bug.cgi?id=245877
  Add testserver.pl installation test suite

http://bugzilla.mozilla.org/show_bug.cgi?id=253088
  Fix inability of users with limited bless privileges to bless other users

-- 
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBB2+A0YeDAOcbS44RAsp5AJ482L5DyYVpUqvZR4X9LfXPJDlarQCfeIIp
MEKdODVOI/2TNUmOf4lcK+o=
=1QeT
-----END PGP SIGNATURE-----
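An added defensive example, not part of the advisory or of Bugzilla's own code: Issue 5 of the security advisory above leaves a user's password in the web server's access log, so an administrator who has upgraded still wants to find and scrub those entries. The Python below scans constructed Apache combined-format log lines for requests carrying a password in the query string and redacts the value; the form field name Bugzilla_password and the combined log layout are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters treated as credentials. "Bugzilla_password" is assumed
# here to be the login form field name; the rest are generic spellings.
CREDENTIAL_PARAMS = ("bugzilla_password", "password", "passwd")

# Apache "combined" access log layout (assumed); only needed fields are named.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines: the first mimics the Issue 5 pattern, where a
# login submitted while fetching a chart image lands the password in the URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2004:19:25:32 -0400] "GET /bugzilla/chart.cgi'
    '?image=1&Bugzilla_login=user%40example.com&Bugzilla_password=hunter2'
    ' HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Jul/2004:19:26:01 -0400] "GET /bugzilla/show_bug.cgi'
    '?id=1234 HTTP/1.1" 200 8765 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Jul/2004:19:27:15 -0400] "POST /bugzilla/index.cgi'
    ' HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def find_credential_leaks(lines):
    """Return one record per request whose query string carries a credential."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)
        leaked = sorted(p for p in params if p.lower() in CREDENTIAL_PARAMS)
        if leaked:
            hits.append({"host": m.group("host"), "time": m.group("time"),
                         "path": url.path, "params": leaked})
    return hits

# Matches "?name=" or "&name=" for any credential parameter, then its value.
REDACT_RE = re.compile(
    r"([?&](?:" + "|".join(map(re.escape, CREDENTIAL_PARAMS)) + r')=)[^&\s"]*',
    re.IGNORECASE)

def redact_line(line):
    """Blank credential values so the line can be retained or shared safely."""
    return REDACT_RE.sub(r"\1[REDACTED]", line)

if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]} {hit["path"]} leaks {hit["params"]}')
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Only the query string is inspected, since that is where the image URL from Issue 5 carries the credential; POST bodies are not logged by the combined format.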