From justdave at syndicomm.com Tue Oct 1 16:44:05 2002
From: justdave at syndicomm.com (David Miller)
Date: Tue, 1 Oct 2002 12:44:05 -0400
Subject: [ANN] Bugzilla 2.14.4 Released
Message-ID:

The Bugzilla Team is pleased to announce the release of Bugzilla 2.14.4.

2.14.4 is the latest release on the 2.14 branch and fixes two security bugs involving groups and email and a bug involving the bug_email.pl script.

For more detailed information, review the latest Bugzilla status report available at http://www.bugzilla.org/status_reports/2002-09-22.html .

The Bugzilla team strongly recommends all 2.14.x users upgrade to 2.14.4, due to the security bugs fixed in this release. All 2.14.x users should begin planning an upgrade path to the 2.16 branch (currently at 2.16.1, also released today). The Bugzilla team has decided to focus development attention on newer, more maintainable release lineages. As such, the Bugzilla team will only be maintaining the 2.14 branch past the end of 2002.

For details on upgrade options and to download 2.14.4, please see: http://www.bugzilla.org/download.html . Be sure to read the 2.14.4 release notes located within the release package in docs/rel_notes.txt.

Finally, thanks to everyone who worked on this release!

-- 
Dave Miller
Project Leader, Bugzilla Bug Tracking System
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/
http://www.bugzilla.org/


From justdave at syndicomm.com Tue Oct 1 16:44:34 2002
From: justdave at syndicomm.com (David Miller)
Date: Tue, 1 Oct 2002 12:44:34 -0400
Subject: [ANN] Bugzilla 2.16.1 Released
Message-ID:

The Bugzilla Team is pleased to announce the release of Bugzilla 2.16.1.

2.16.1 is the latest stable Bugzilla release, and fixes a number of security bugs and other defects in Bugzilla 2.16, originally released on July 28th.

For more detailed information on what was fixed, review the latest Bugzilla status report available at http://www.bugzilla.org/status_reports/2002-09-22.html .

The Bugzilla team strongly recommends all 2.16 users upgrade to 2.16.1 due to the security bugs fixed in this release. Also, a few smaller bugs which may be beneficial to your installation were fixed.

For details on upgrade options and to download 2.16.1, see: http://www.bugzilla.org/download.html . Be sure to read the 2.16.1 release notes located within the release package in docs/rel_notes.txt.

Thanks to everyone who worked on 2.16.1!

-- 
Dave Miller
Project Leader, Bugzilla Bug Tracking System
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/
http://www.bugzilla.org/


From justdave at syndicomm.com Tue Oct 1 16:50:46 2002
From: justdave at syndicomm.com (David Miller)
Date: Tue, 1 Oct 2002 12:50:46 -0400
Subject: [BUGZILLA] Security Advisory
Message-ID:

Bugzilla Security Advisory
October 1st, 2002

All Bugzilla installations are advised to upgrade to the latest versions of Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of varying importance have been fixed in both. These vulnerabilities affect all previous 2.14 and 2.16 releases.

2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as possible, as the 2.14 branch will no longer be maintained by the Bugzilla team beyond the end of this year.

Individual patches to upgrade Bugzilla are available at http://ftp.mozilla.org/pub/webtools/ (however these patches are only valid for 2.14.3 and 2.16 users).

Full release downloads and CVS upgrade instructions are available at http://www.bugzilla.org/download.html

Complete bug reports for all the following bugs may be obtained at http://bugzilla.mozilla.org/

The following security issues were fixed in both 2.14.4 and 2.16.1:

- Permissions leak when using "usebuggroups" and more than 47 groups; permissions are granted to users in higher groups when they shouldn't be. (bug 167485; comment 12 has additional detection/recovery information)
  http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12

- bugzilla_email_append.pl calls processmail insecurely; command injection possible. (bug 163024)

The following additional security issue was fixed in 2.16.1:

- Apostrophes are not properly handled during account creation; SQL injection possible. (bug 165221)

General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/

Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.mozilla.org/community.html has directions for accessing these forums.

-- 
Dave Miller
Project Leader, Bugzilla Bug Tracking System
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/
http://www.bugzilla.org/
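The two injection items in the advisory above (apostrophes mishandled during account creation, and an external mail script invoked insecurely) come down to one rule: untrusted text is never spliced into SQL or into a shell command line, it is passed as a bound parameter or as a separate argv element. The Python below is an added illustration of the defensive pattern for each; it is not Bugzilla code (Bugzilla is written in Perl) and is not part of the archived messages. The profiles table, the login-name regexp, the ./processmail path and the sample login names are all constructed for the example, and an in-memory SQLite database stands in for the real one.

```python
import re
import sqlite3
import subprocess

# Constructed login names. The apostrophe in the first one is a legitimate
# character in a mail address and is exactly what the advisory says account
# creation mishandled.
LOGIN_WITH_APOSTROPHE = "o'brien@example.com"
LOGIN_PLAIN = "user@example.com"

# Deliberately narrow address syntax (an assumption for this example, not the
# project's own emailregexp): apostrophe is allowed because it is valid in a
# local part; whitespace, quotes and shell metacharacters are refused.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Assumed path of the external mail-processing script.
PROCESSMAIL = "./processmail"


def login_accepted(login):
    """Syntactic pre-check; the real protection is parameter binding below."""
    return LOGIN_RE.match(login) is not None


def open_demo_db():
    """In-memory stand-in for the user profiles table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles ("
        "userid INTEGER PRIMARY KEY, login_name TEXT UNIQUE NOT NULL)"
    )
    return conn


def create_account_interpolated(conn, login):
    """The defective pattern: the login is spliced into the SQL text.
    An apostrophe ends the quoted literal early, so the database parses
    a statement the programmer never wrote."""
    sql = "INSERT INTO profiles (login_name) VALUES ('%s')" % login
    conn.execute(sql)
    conn.commit()


def create_account(conn, login):
    """Hardened form: validate, then bind the value as a parameter so the
    database treats it as data regardless of what characters it holds."""
    if not login_accepted(login):
        raise ValueError("login name rejected: %r" % login)
    cur = conn.execute("INSERT INTO profiles (login_name) VALUES (?)", (login,))
    conn.commit()
    return cur.lastrowid


def stored_login(conn, userid):
    """Read back a stored login name, again via a bound parameter."""
    row = conn.execute(
        "SELECT login_name FROM profiles WHERE userid = ?", (userid,)
    ).fetchone()
    return row[0] if row else None


def apostrophe_breaks_interpolation():
    """True when the interpolated form fails on an ordinary apostrophe,
    i.e. the symptom the advisory describes (a legitimate name is enough
    to show it; no crafted input is needed)."""
    conn = open_demo_db()
    try:
        create_account_interpolated(conn, LOGIN_WITH_APOSTROPHE)
    except sqlite3.OperationalError:
        return True
    return False


def processmail_argv(bug_id, login):
    """Build the argument vector for the external mail script. Each value
    is one argv element and no shell ever sees the string, so characters
    in a login name cannot turn into a second command."""
    if not isinstance(bug_id, int) or bug_id <= 0:
        raise ValueError("bug id must be a positive integer")
    if not login_accepted(login):
        raise ValueError("login name rejected: %r" % login)
    return [PROCESSMAIL, str(bug_id), login]


def run_processmail(bug_id, login):
    """Execute with a list argument (shell=False), never a joined string."""
    return subprocess.run(processmail_argv(bug_id, login), check=True)
```

The interpolated function is kept only to reproduce the failure on a plain apostrophe; parameter binding and an argv list are the actual fix, and the narrow regexp is a second layer that rejects obviously malformed names before they reach either the database or the mail script.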