<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<pre>Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* A malicious user could create an account on a third-party service
such as GitHub which allows non-ASCII Unicode characters to be used
in email addresses and use it to log into a Bugzilla account with
lookalike ASCII characters in the email.
* Debugging code allowed XSS injection within the bug title
when viewing charts and reports if a specific URL param was
passed to enable the debugging code.
* Inserting specific multi-byte unicode characters into bug
comments could cause email notifications about bug changes
to fail.
All affected installations are encouraged to upgrade as soon as
possible.
Vulnerability Details
=====================
Class: Authentication Bypass
Affected: Versions 3.3.1 to 4.4.13, 4.5.1 to 5.0.4, 5.0.5 to 5.0.6,
5.1.1 to 5.1.2, 5.3.2, git checkouts of "harmony" prior to
5.9.1
Fixed In: 4.4.14, 5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: When using external authentication against a third party
service (such as GitHub) which allows non-ASCII Unicode
characters to be used in email addresses, Bugzilla's email
address match would normalize the email into ASCII before
comparing when using MySQL as a back end, enabling someone
to take over a Bugzilla account if they created a user with
an email address which would match that way on such a third
party service.
We are not aware of any known exploits for versions prior to
the "harmony" developer branch, which has not yet been
released, because before that branch there were no known
third-party authentication plugins for Bugzilla. However,
we are patching the earlier supported versions as well, in
case someone has written their own plugin that might be
affected.
References: <a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1813629">https://bugzilla.mozilla.org/show_bug.cgi?id=1813629</a>
CVE Number: CVE-2023-4657
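As an added illustration of the matching problem described above (this is
not Bugzilla's code, and it is written in Python rather than Bugzilla's
Perl so it runs stand-alone), the block below contrasts a lookup that folds
lookalike characters before comparing with one that compares exactly. The
fold function only approximates the accent- and case-insensitive equality
the advisory attributes to the MySQL back end; it does not reproduce
MySQL's collation tables. The login names, user ids and the extra
ASCII-only guard are assumptions for the example.

```python
import unicodedata

# Constructed sample of the login names stored for local accounts (all ASCII,
# as they would be after Bugzilla's own validation). User ids are hypothetical.
BUGZILLA_LOGINS = {
    "jose@example.org": 1001,
    "alice@example.org": 1002,
}


def fold_like_ci_collation(s: str) -> str:
    """Approximate the accent- and case-insensitive equality the advisory
    describes for MySQL: decompose, drop combining marks, lower-case.
    This is an approximation for illustration, not MySQL's collation."""
    decomposed = unicodedata.normalize("NFD", s)
    base_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return base_only.lower()


def lookup_vulnerable(external_email: str):
    """Pre-fix behaviour: the address returned by the external provider is
    matched against stored logins under a comparison that folds lookalikes,
    so 'josé@example.org' lands on the account 'jose@example.org'."""
    wanted = fold_like_ci_collation(external_email)
    for login, userid in BUGZILLA_LOGINS.items():
        if fold_like_ci_collation(login) == wanted:
            return userid
    return None


def lookup_exact(external_email: str):
    """Hardened lookup: exact code-point comparison done in application code,
    independent of the database collation, so an accented lookalike cannot
    be mapped onto another user's login."""
    return BUGZILLA_LOGINS.get(external_email)


def is_plain_ascii(email: str) -> bool:
    """Additional operator-side guard (an assumption, not part of the advisory):
    refuse to map any non-ASCII address coming from an identity provider."""
    return email.isascii()
```

The check to add to an authentication plugin's test suite is the pair
`lookup_vulnerable("josé@example.org")` returning the victim's id while
`lookup_exact` returns nothing; if the exact lookup ever returns an account
for an address that differs from the stored login, the comparison is still
being done under a folding collation.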
Class: Cross-site Scripting (XSS)
Affected: All versions before 4.4.14, 4.5.1 to 5.0.4, 5.0.5 to 5.0.6,
5.1.1 to 5.1.2, 5.3.2, git checkouts of "harmony" prior to
5.9.1
Fixed In: 4.4.14, 5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: Debugging code allowed XSS injection within the bug title
when viewing charts and reports if a specific URL param was
passed to enable the debugging code.
Passing the debug flag now forces an HTML content type
regardless of the requested type, and properly filters the
debug output.
References: <a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1439260">https://bugzilla.mozilla.org/show_bug.cgi?id=1439260</a>
CVE Number: CVE-2023-5206
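The following Python block is an added model of the two halves of the fix
named above; it is not Bugzilla's code, and the advisory does not give the
real parameter name or template, so the debug wrapper, the report formats
and the payload are placeholders. It shows why a debug dump that inserts a
raw value bypasses whichever output filter the requested format applies,
and how forcing the HTML content type plus escaping closes that gap.

```python
import csv
import html
import io

# Hypothetical debug dump appended to a chart/report page. The real markup
# in Bugzilla is not given in the advisory; this wrapper is a placeholder.
DEBUG_PREFIX = '<pre class="debug">bug title = '
DEBUG_SUFFIX = "</pre>"


def _csv_row(*fields: str) -> str:
    buf = io.StringIO()
    csv.writer(buf).writerow(fields)
    return buf.getvalue()


def _report_body(title: str, fmt: str) -> tuple[str, str]:
    """Normal report output. Each format applies its own filter: HTML
    escaping for the HTML view, CSV quoting for the CSV export."""
    if fmt == "csv":
        return "text/csv", _csv_row("title", title)
    return "text/html; charset=UTF-8", "<h1>" + html.escape(title, quote=True) + "</h1>"


def render_report_vulnerable(title: str, fmt: str, debug: bool) -> tuple[str, str]:
    """Pre-fix model: the debug dump inserts the raw title, bypassing the
    format's filter, and the response keeps the requested content type."""
    ctype, body = _report_body(title, fmt)
    if debug:
        body += DEBUG_PREFIX + title + DEBUG_SUFFIX
    return ctype, body


def render_report_fixed(title: str, fmt: str, debug: bool) -> tuple[str, str]:
    """Post-fix model of the two changes the advisory names: with the debug
    flag on, the response is always HTML (the dump is HTML, so the HTML
    filter is the right one), and the dumped value is escaped."""
    if debug:
        fmt = "html"
    ctype, body = _report_body(title, fmt)
    if debug:
        body += DEBUG_PREFIX + html.escape(title, quote=True) + DEBUG_SUFFIX
    return ctype, body


def debug_fragment(body: str) -> str:
    """The text between the debug wrapper tags, for inspection."""
    start = body.index(DEBUG_PREFIX) + len(DEBUG_PREFIX)
    return body[start:-len(DEBUG_SUFFIX)]


def fragment_is_inert(fragment: str) -> bool:
    """True if no character that could open a tag or break out of an
    attribute survived unescaped."""
    return not any(ch in fragment for ch in "<>\"'")


def fragment_decodes_to(body: str, title: str) -> bool:
    """The escaped dump still shows the original title once unescaped."""
    return html.unescape(debug_fragment(body)) == title
```

The point a reviewer would check is the CSV case: the report body itself
is correctly quoted for CSV, yet the appended dump is HTML, so the only
safe handling is to serve the whole response as HTML and escape the dump
for that context.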
Class: Denial of Service
Affected: Versions 5.0.2 to 5.0.4, 5.0.5 to 5.0.6, 5.1.2, 5.3.2,
git checkouts of "harmony" prior to 5.9.1
Fixed In: 5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: Inserting specific multi-byte unicode characters into bug
comments could cause email notifications about bug changes
to fail.
References: <a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1880288">https://bugzilla.mozilla.org/show_bug.cgi?id=1880288</a>
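The advisory does not say which characters or which step of the mail
generation failed. As an added example (not Bugzilla's code), the Python
block below shows the shape of check a notification path should pass:
a constructed single-byte encoding step that raises on the first character
outside Latin-1, beside a UTF-8 body with RFC 2047 headers that round-trips
a summary and comment containing a 4-byte emoji, a combining sequence,
non-BMP letters and CJK. The sample text and addresses are constructed.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed bug summary and comment mixing a 4-byte emoji, a combining
# sequence (e + U+0301), non-BMP letters and CJK. The specific characters
# that triggered the original bug are not given in the advisory.
SAMPLE_SUMMARY = "Crash on launch \U0001F4A5 for Fre\u0301de\u0301ric"
SAMPLE_COMMENT = "Trace attached. \U0001D518\U0001D52B\U0001D526 and \u65e5\u672c\u8a9e survived?"


def build_notification_naive(summary: str, comment: str) -> bytes:
    """Constructed failure mode: assembling the mail as single-byte text.
    Any character outside Latin-1 raises UnicodeEncodeError, so the
    notification for that change is never sent."""
    return ("Subject: [Bug 1] " + summary + "\r\n\r\n" + comment).encode("latin-1")


def build_notification(summary: str, comment: str) -> bytes:
    """Robust path: UTF-8 body with an explicit transfer encoding and
    encoded-word headers, so every Unicode character is representable."""
    msg = EmailMessage(policy=default)
    msg["From"] = "bugzilla@example.org"  # hypothetical addresses
    msg["To"] = "dev@example.org"
    msg["Subject"] = "[Bug 1] " + summary
    msg.set_content(comment, charset="utf-8", cte="base64")
    return msg.as_bytes()


def naive_path_fails(summary: str, comment: str) -> bool:
    """True if the single-byte path cannot encode this change at all."""
    try:
        build_notification_naive(summary, comment)
    except UnicodeEncodeError:
        return True
    return False


def notification_roundtrips(summary: str, comment: str) -> bool:
    """Regression check: the bytes on the wire parse back to exactly the
    original subject and comment text."""
    parsed = message_from_bytes(build_notification(summary, comment), policy=default)
    subject_ok = str(parsed["Subject"]) == "[Bug 1] " + summary
    body_ok = parsed.get_content().rstrip("\n") == comment
    return subject_ok and body_ok
```

A test like `notification_roundtrips` belongs in the mail path of any
tracker that copies user-supplied text into subjects and bodies; the
ASCII-only case passing says nothing about the multi-byte one.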
Vulnerability Solutions
=======================
The fix for these issues is included in the 4.4.14, 5.0.4.1, 5.2, 5.3.3, and 5.9.1
releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of these issues.
If you are unable to upgrade but would like to patch just the security
vulnerabilities, patches for each issue are available at its
"References" URL.
Full release downloads, patches to upgrade Bugzilla from previous
versions, and git upgrade instructions are available at:
<a class="moz-txt-link-freetext" href="https://www.bugzilla.org/download/">https://www.bugzilla.org/download/</a>
A Note About Upgrade Paths
==========================
Bugzilla Versions within the 5.0.x range:
* Versions 5.0.4 and older should upgrade to 5.0.4.1
* Versions 5.0.5 and 5.0.6 should upgrade to 5.2 (which is equivalent to a
point upgrade for you).
Other versions of Bugzilla should upgrade to the newest version within
the same branch.
Credits
=======
The Bugzilla team wishes to thank the following people for their
assistance in locating, advising us of, and helping us to fix these
issues:
Issue 1 Reporter: Aaryan9898
Issue 1 Fixed by: David Lawrence, David Miller
Issue 2 Reporter: Holger Fuhrmannek
Issue 2 Fixed by: David Miller
Issue 3 Reporter: Frédéric Buclin
Issue 3 Fixed by: Frédéric Buclin, David Miller
General information about the Bugzilla bug-tracking system can be found
at:
<a class="moz-txt-link-freetext" href="https://www.bugzilla.org/">https://www.bugzilla.org/</a>
Comments and follow-ups can be directed to the support-bugzilla mailing list.
<a class="moz-txt-link-freetext" href="https://www.bugzilla.org/support/">https://www.bugzilla.org/support/</a> has directions for accessing this forum.</pre>
<br>
<div class="moz-signature"
signature-switch-id="b0b24bd1-735c-4a02-9f5d-e2b2e9b4f40d">
<div>
<table style="width: 300px; border-style: none;"
cellpadding="3px" border="0px">
<tbody>
<tr>
<td>
<div><strong><span style="font-size: 13pt;">Dave Miller</span></strong></div>
<div>Project Leader</div>
<div><strong>Bugzilla Project</strong></div>
<div><a href="https://bugzilla.org/"
rel="nofollow
noopener noreferrer" target="_blank"
class="moz-txt-link-freetext">https://bugzilla.org/</a></div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</body>
</html>