[BUGZILLA] Security Advisory

[David Miller]

Bugzilla Security Advisory

October 1st, 2002

All Bugzilla installations are advised to upgrade to the latest versions of
Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of
varying importance have been fixed in both.  These vulnerabilities affect
all previous 2.14 and 2.16 releases.

2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as
possible, as the 2.14 branch will no longer be maintained by the Bugzilla
team beyond the end of this year.

Individual patches to upgrade Bugzilla are available at
 http://ftp.mozilla.org/pub/webtools/
(however these patches are only valid for 2.14.3 and 2.16 users).

Full release downloads and CVS upgrade instructions are available at
 http://www.bugzilla.org/download.html

Complete bug reports for all the following bugs may be obtained at
 http://bugzilla.mozilla.org/

The following security issues were fixed in both 2.14.4 and 2.16.1:

- Permissions leak when using "usebuggroups" and more than 47 groups;
  permissions are granted to users in higher groups when they shouldn't be.
  (bug 167485; comment 12 has additional detection/recovery information)
  http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12

- bugzilla_email_append.pl calls processmail insecurely; command injection
  possible.
  (bug 163024)

The following additional security issue was fixed in 2.16.1:

- Apostrophes are not properly handled during account creation; SQL
  injection possible.
  (bug 165221)

General information about the Bugzilla bug-tracking system can be found at
http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list; http://www.mozilla.org/community.html has directions for accessing
these forums.
-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/            http://www.bugzilla.org/