From justdave at bugzilla.org Fri Oct 15 20:46:26 2004
From: justdave at bugzilla.org (David Miller)
Date: Fri, 15 Oct 2004 16:46:26 -0400
Subject: pt_BR localization pack for Bugzilla 2.18rc2 now available
Message-ID: <41703722.3050800@bugzilla.org>

On October 13th, Felipe Gaúcho announced the availability of the 2.18rc2 version of the Brazilian Portuguese (pt_BR) localization pack.

You can find it listed on the Bugzilla download page (http://www.bugzilla.org/download/#localizations) or on the pt_BR localization project site (http://sourceforge.net/projects/bugzilla-br/)

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/

From justdave at bugzilla.org Mon Oct 25 10:53:16 2004
From: justdave at bugzilla.org (David Miller)
Date: Mon, 25 Oct 2004 06:53:16 -0400
Subject: [ANN] Bugzilla 2.16.7 Released
Message-ID: <417CDB1C.9070106@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Bugzilla Team is pleased to announce the release of Bugzilla 2.16.7.

2.16.7 is the latest stable release of Bugzilla and contains a fix to a security bug.

Download: http://www.bugzilla.org/download/
Release Notes: http://www.bugzilla.org/releases/2.16.7/release-notes.html
Security Advisory: http://www.bugzilla.org/security/2.16.6/
(All administrators are advised to read the release notes and security advisory.)
Bugzilla Status Update: http://www.bugzilla.org/status_updates/2004-10-24.html

Thanks to everyone who contributed to 2.16.7.
--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/

From justdave at bugzilla.org Mon Oct 25 11:02:01 2004
From: justdave at bugzilla.org (David Miller)
Date: Mon, 25 Oct 2004 07:02:01 -0400
Subject: [ANN] Bugzilla 2.18rc3 and 2.19.1 Released
Message-ID: <417CDD29.1080509@bugzilla.org>

Our third release candidate for Bugzilla 2.18 is now available. There are a few security issues addressed, so if you're already running 2.18rc2 or earlier on the 2.17 or 2.18 branches, an upgrade is strongly recommended.

Information about what's new and what's still left to fix is on the 2.18 Release Status page at http://www.bugzilla.org/releases/2.18/

Download 2.18rc3: http://www.bugzilla.org/download/#candidate

We encourage you to try it out and let us know of any problems you find.

We've done a third release candidate for 2.18 because there were some major changes to the group security code in the new "Charts over time" section of the reporting features, intended to give you better control over who can see charts of what data. Any testing you can do on chart-related features would be appreciated. If all goes well, we'll have a final release of 2.18 within a couple weeks.

For a rundown of what's new (there's actually been quite a few fixes since 2.18rc2), see our new status update page at http://www.bugzilla.org/status/2004-10-24.html

We've also released a new development snapshot from cvs, version 2.19.1, which already includes several new features since 2.18. If you like to be on the bleeding edge, give it a shot. The new features in 2.19.1 are also summarized on the status update page.
Download 2.19.1: http://www.bugzilla.org/download/#devel

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/

From justdave at bugzilla.org Mon Oct 25 11:08:47 2004
From: justdave at bugzilla.org (David Miller)
Date: Mon, 25 Oct 2004 07:08:47 -0400
Subject: [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2
Message-ID: <417CDEBF.80506@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bugzilla Security Advisory
October 24, 2004

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers three security bugs that have recently been discovered and fixed in the Bugzilla code: in the stable 2.16 releases, it is possible to make a specific change to a bug without permissions; and in the 2.18 release candidate, there are information leaks with private attachments and comments.

We are not aware of any occasions where any of these vulnerabilities have been exploited.

All Bugzilla installations are advised to upgrade to the latest stable version of Bugzilla, 2.16.7, or to the current 2.18 release candidate, 2.18rc3, both of which were released today. Development snapshots and version 2.18 release candidates prior to version 2.18rc3 are also affected, so if you are using a development snapshot or 2.18 release candidate, you should obtain a newer one (2.18rc3) or use CVS to update.

Vulnerability Details
=====================

Issue 1
-------

Class:        Unauthorized Bug Change
Versions:     2.9 through 2.18rc2 and 2.19 (from cvs)
Description:  It is possible to send a carefully crafted HTTP POST
              message to process_bug.cgi which will remove keywords from
              a bug even if you don't have permissions to edit all bug
              fields (the "editbugs" permission). Such changes are
              reported in "bug changed" email notifications, so they are
              easily detected and reversed if someone abuses it.
Reference:    https://bugzilla.mozilla.org/show_bug.cgi?id=252638

Issue 2
-------

Class:        Information Leak
Versions:     2.17.1 through 2.18rc2 and 2.19 (from cvs) (2.16-based
              releases and earlier are not affected)
Description:  Exporting a bug to XML exposes user comments and attachment
              summaries which are marked as private to users who are not
              members of the group allowed to see private comments and
              attachments. XML export is not exposed in the user
              interface, but is available to anyone who knows the correct
              URL to invoke it. This only affects sites that use the
              'insidergroup' feature.
Reference:    https://bugzilla.mozilla.org/show_bug.cgi?id=263780

Issue 3
-------

Class:        Information Leak
Versions:     2.17.1 through 2.18rc2 and 2.19 (from cvs) (2.16-based
              releases and earlier are not affected)
Description:  Changes to the metadata (filename, description, mime type,
              review flags) on attachments which were flagged as private
              get displayed to users who are not members of the group
              allowed to see private attachments when viewing the bug
              activity log and when receiving bug change notification
              mails. This only affects sites that use the 'insidergroup'
              feature.
References:   https://bugzilla.mozilla.org/show_bug.cgi?id=250605
              https://bugzilla.mozilla.org/show_bug.cgi?id=253544

Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are included in the 2.16.7 and 2.18rc3 releases, and in the 2.19.1 development snapshot. Upgrading to these releases will protect installations from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla to 2.16.7 from previous 2.16.x versions, and CVS upgrade instructions are available at:
    http://www.bugzilla.org/download/

Specific patches for each of the individual issues can be found on the corresponding bug reports for each issue, at the URL given in the reference for that issue in the list above.
Credits
=======

The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix these situations:

Michael Whitfield
Joel Peshkin
Casey Klein
Myk Melez

General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/

Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.bugzilla.org/support/ has directions for accessing these forums.

-30-

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/
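All three issues in the advisory are the same shape of defect: a server-side check that one code path applied and another did not (the "editbugs" check on a field submitted to process_bug.cgi, and the 'insidergroup' filter on XML export and on the attachment activity log). The following Python is an added example, not Bugzilla's own code, that models those checks in one place so the same predicate guards every path; every name in it (User, Bug, apply_changes, export, activity_log, the "insiders" group name, the sample data) is hypothetical.

```python
# Added example, not Bugzilla code; every name here is hypothetical.
from dataclasses import dataclass, field

INSIDER_GROUP = "insiders"  # stands in for Bugzilla's 'insidergroup' parameter
# Privilege needed per POST field; Issue 1 skipped this lookup for keyword removal.
FIELD_PRIVILEGE = {"keywords": "editbugs", "summary": "editbugs"}

@dataclass
class User:
    name: str
    groups: frozenset  # e.g. {"editbugs", "insiders"}

@dataclass
class Bug:
    keywords: set
    comments: list = field(default_factory=list)     # (text, is_private)
    attachments: list = field(default_factory=list)  # (description, is_private)
    activity: list = field(default_factory=list)     # (attachment index, change)

def change_allowed(user, post):
    """True only if every submitted field is within the user's privileges; unknown fields map to None and are refused."""
    return all(FIELD_PRIVILEGE.get(name) in user.groups for name in post)

def apply_changes(user, bug, post):
    """Refuse the whole POST before touching the bug if any field is unauthorized."""
    if not change_allowed(user, post):
        raise PermissionError(f"{user.name} may not change {sorted(post)}")
    if "keywords" in post:
        bug.keywords = set(post["keywords"].split())
    return bug

def visible_to(user, is_private):
    """The insider check the HTML view applies; exports and logs must apply it too."""
    return not is_private or INSIDER_GROUP in user.groups

def export(user, bug):
    """Issue 2: filter private comments and attachment summaries on export."""
    return {"comments": [t for t, p in bug.comments if visible_to(user, p)],
            "attachments": [d for d, p in bug.attachments if visible_to(user, p)]}

def activity_log(user, bug):
    """Issue 3: hide metadata changes on private attachments from non-insiders."""
    return [(i, what) for i, what in bug.activity
            if visible_to(user, bug.attachments[i][1])]

def sample_bug():  # constructed sample data, not from any real installation
    return Bug(keywords={"regression"},
               comments=[("public note", False), ("embargoed detail", True)],
               attachments=[("patch.diff", False), ("internal-notes.txt", True)],
               activity=[(0, "filename changed"), (1, "description changed")])
```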