[BUGZILLA] Security Advisory
justdave at syndicomm.com
Tue Oct 1 16:50:46 UTC 2002
Bugzilla Security Advisory
October 1st, 2002
All Bugzilla installations are advised to upgrade to the latest versions of
Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of
varying importance have been fixed in both. These vulnerabilities affect
all previous 2.14 and 2.16 releases.
2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as
possible, as the 2.14 branch will no longer be maintained by the Bugzilla
team beyond the end of this year.
Individual patches to upgrade Bugzilla are available at
(however these patches are only valid for 2.14.3 and 2.16 users).
Full release downloads and CVS upgrade instructions are available at
Complete bug reports for all the following bugs may be obtained at
The following security issues were fixed in both 2.14.4 and 2.16.1:
- Permissions leak when using "usebuggroups" and more than 47 groups;
permissions are granted to users in higher groups when they shouldn't be.
(bug 167485; comment 12 has additional detection/recovery information)
- bugzilla_email_append.pl calls processmail insecurely; command injection
The following additional security issue was fixed in 2.16.1:
- Apostrophes are not properly handled during account creation; SQL
General information about the Bugzilla bug-tracking system can be found at
Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list; http://www.mozilla.org/community.html has directions for accessing
Dave Miller Project Leader, Bugzilla Bug Tracking System
Lead Software Engineer/System Administrator, Syndicomm Online
More information about the announce