From justdave at syndicomm.com Fri Apr 25 08:38:30 2003
From: justdave at syndicomm.com (David Miller)
Date: Fri, 25 Apr 2003 04:38:30 -0400
Subject: [ANN] Bugzilla 2.16.3 Released
Message-ID:

After two months of banging heads against walls, the Bugzilla Team is pleased to announce the release of Bugzilla 2.16.3.

2.16.3 is the latest stable Bugzilla release, and fixes multiple security bugs in Bugzilla 2.16.2. For more detailed information on what was fixed, review the latest Bugzilla status report available at http://www.bugzilla.org/status_reports/2003-04-24.html or read the release notes within the archive.

The Bugzilla team strongly recommends all 2.16.x users upgrade to 2.16.3 due to the security bugs fixed in this release.

For details on upgrade options and to download 2.16.3, see: http://www.bugzilla.org/download.html. Be sure to read the 2.16.3 release notes located within the release package in docs/rel_notes.txt.

Thanks to everyone who worked on 2.16.3!

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/

From justdave at syndicomm.com Fri Apr 25 08:39:13 2003
From: justdave at syndicomm.com (David Miller)
Date: Fri, 25 Apr 2003 04:39:13 -0400
Subject: [ANN] Bugzilla 2.17.4 Dev Snapshot Released
Message-ID:

The Bugzilla Team is pleased to announce the posting of Bugzilla 2.17.4, a snapshot of the current development sources from CVS.

Bugzilla 2.17.4 is a Development Release and is intended for developers wishing to base large landings or patches on an official bugzilla.org release. It should not be used for production purposes, unless you have a Perl programmer on staff willing to put out any fires that may arise. The vast majority of sites wanting to test or use Bugzilla in production should continue to use version 2.16.3.

Bugzilla 2.17.4 also contains fixes to the security bugs fixed in the concurrent 2.16.3 release.

Bugzilla 2.17.4 can be obtained from http://www.bugzilla.org/download.html.
Most of the details on new features available were posted in our latest status update, which can be viewed at http://www.bugzilla.org/status_updates/2003-04-24.html#newfeatures

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/

From justdave at syndicomm.com Fri Apr 25 08:40:33 2003
From: justdave at syndicomm.com (David Miller)
Date: Fri, 25 Apr 2003 04:40:33 -0400
Subject: [BUGZILLA] Security Advisory - XSS, insecure temporary filenames
Message-ID:

Bugzilla Security Advisory
April 24, 2003

Summary
=======

All Bugzilla installations are advised to upgrade to the latest stable version of Bugzilla, 2.16.3, which was released today. Development snapshots prior to version 2.17.4 are also affected, so if you are using a development snapshot, you should obtain a newer one (2.17.4) or use CVS to update.

This advisory covers multiple situations where unescaped raw HTML submitted by users could be echoed back to the user, and a situation where temporary files were not written to verified-unique filenames, thus exposing them to potential symlink attacks by local users with sufficient permissions.

Vulnerability Details
=====================

The following three security issues were fixed in versions 2.16.3 and 2.17.4.

Multiple Cross-Site Scripting Vulnerabilities in Default Templates
------------------------------------------------------------------

Bugzilla output shown to end-users is generated via HTML templates. One of the core Bugzilla contributors recently contributed an automated tool which detects failure-to-filter situations in the HTML templates - situations where untrusted data was not properly filtered for HTML metacharacters prior to outputting to end-users, allowing an attacker to insert a script into the output by submitting data to the server in a specially formatted manner.
Several exploitable instances were discovered in the default English templates that are shipped with both 2.16.2 and 2.17.3 and have been closed with this release. We have received confirmation from the maintainers of the German and Russian localized templates that corrected versions of those template sets should be available within 24 hours of this announcement for the versions they support. For corrected versions of other localizations, please consult the localization's maintainer.

Bugzilla's output did not use HTML templates prior to version 2.16.

(Bugzilla Bug 192677 / BugTraq ID 6868)

Cross-Site Scripting vulnerability in local dependency graphs
-------------------------------------------------------------

Bugzilla contains a feature which allows users to generate visual graphs of the dependency relationships between bugs. In the past this was done by using a remote server running the "Webdot" software. In version 2.16, a feature was introduced which provided the capability to use a locally-installed copy of the GraphViz suite to generate the graph files directly on the Bugzilla server instead of using a remote server. This option is not enabled by default.

Bugzilla does not properly escape the bug summaries placed in the ALT and NAME attributes to the AREA tags in the client-side image map which is generated to go with the visual graph. This means an attacker could place scripts in a graph by including a script in a specifically formatted manner as part of a bug summary.

You are vulnerable if the "webdotbase" configuration parameter contains a local pathname to an installation of "dot".

This bug is related to a feature added to Bugzilla in version 2.16, and thus does not affect prior versions.
(Bugzilla Bug 192661 / BugTraq ID 6861)

Insecure Handling of Temporary Filenames
----------------------------------------

There are multiple places where Bugzilla creates temporary files in world- or group-writable directories without verifying that the filename is unused. A user with local access to the server could potentially create a properly-named symlink within those directories pointing at a file which the webserver had access to, thus causing Bugzilla to overwrite that file.

These instances have been fixed in both 2.16.3 and 2.17.4 and affect all prior versions of Bugzilla.

(Bugzilla Bug 197153 / BugTraq ID 7412)

Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are included in the 2.16.3 and 2.17.4 releases. Upgrading to these releases will protect installations against exploitations of these security bugs.

Patches to upgrade Bugzilla to 2.16.3 are available at: http://ftp.mozilla.org/pub/webtools/ (these patches are only valid for 2.16.2, 2.16.1, and 2.16 users).
Full release downloads and CVS upgrade instructions are available at: http://www.bugzilla.org/download.html

Links to the distribution sites of localized template sets can be found at: http://www.bugzilla.org/download.html#localizations

Credits
=======

The Bugzilla team wish to thank the following people for their assistance in locating and advising us of these situations:

Jouni Heikniemi - for finding the XSS in local dependency graphs
Gervase Markham - for contributing the automated testing tool which located the XSS issues in the default template set
Jonathan Schatz - for discovering the insecure temporary filename handling

References
==========

Complete bug reports and the specific patches for the security bugs covered herein may be obtained on the following bug reports:

XSS in local dependency graphing:
=> http://bugzilla.mozilla.org/show_bug.cgi?id=192661
XSS failure to filter in default templates:
=> http://bugzilla.mozilla.org/show_bug.cgi?id=192677
Insecure handling of temporary filenames:
=> http://bugzilla.mozilla.org/show_bug.cgi?id=197153

General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/

Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.mozilla.org/community.html has directions for accessing these forums.

-30-

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/

From tobias.burnus at physik.fu-berlin.de Fri Apr 25 18:36:00 2003
From: tobias.burnus at physik.fu-berlin.de (Tobias Burnus)
Date: Fri, 25 Apr 2003 20:36:00 +0200 (CEST)
Subject: [Bugzilla-de] Security Advisory - XSS, insecure temporary filenames
Message-ID:

(German version below / The German text is at the end)

The German template files for Bugzilla 2.17.x (known as Bugzilla-de) are affected by the announced XSS security problem, which has been fixed in Bugzilla 2.17.4.
These security fixes are included in the CVS version of Bugzilla-de. Please update to Bugzilla 2.17.4 and to the CVS version of Bugzilla-de.

Note that the 2.16 tar archives of Bugzilla-de are not maintained but are also affected. Please update to Bugzilla 2.16.3 and check your templates using ./runtests.sh and filterexceptions.pl.

Please ensure that your customized templates will be audited as well.

For the templates in the other available languages, please check the references given at http://www.bugzilla.org/download.html#localizations

Bugzilla: http://www.bugzilla.org/
Bugzilla Security Advisory: http://www.bugzilla.org/security/2.16.2/
Bugzilla-de: http://bugzilla-de.sourceforge.net/
Bugzilla-de download page: http://bugzilla-de.sourceforge.net/download.html

The German template files for Bugzilla 2.17.x (known as Bugzilla-de) are affected by the cross-site scripting security problem that was fixed in Bugzilla 2.17.4. The CVS version of Bugzilla-de fixes these security problems. Please update both Bugzilla and Bugzilla-de.

Note that the tar archives of Bugzilla-de 2.16 are also affected but are no longer maintained. You should update Bugzilla to 2.16.3 and then check the Bugzilla-de files using ./runtests.sh and filterexceptions.pl. Your own template files should also be checked for security problems.

Information on the other language versions can be found at http://www.bugzilla.org/download.html#localizations

Bugzilla: http://www.bugzilla.org/
Bugzilla security advisory: http://www.bugzilla.org/security/2.16.2/
Bugzilla-de: http://bugzilla-de.sourceforge.net/index.de.html
Bugzilla-de download: http://bugzilla-de.sourceforge.net/download.de.html

Regards,
Tobias Burnus
Bugzilla-de
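For the temporary-filename issue in the advisory above, an added example (not Bugzilla's own code, which is Perl; this is Python, assuming a POSIX system) of creating a temporary file so that a pre-existing symlink at the chosen name is refused rather than followed, with self-checks that run inside a private directory:

```python
import errno
import os
import secrets
import stat
import tempfile

# O_CREAT|O_EXCL fails atomically with EEXIST if the name already exists, even as
# a dangling symlink, so a path planted by another local user is never followed;
# O_NOFOLLOW (where the platform has it) additionally refuses a symlink outright.
_CREATE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)

def create_unique_temp(directory, prefix="bugzilla-"):
    """Create a fresh owner-only (0600) file in `directory`; return (fd, path).
    The random suffix makes the name unguessable; O_EXCL guarantees it is new."""
    for _ in range(100):
        path = os.path.join(directory, prefix + secrets.token_hex(8))
        try:
            return os.open(path, _CREATE_FLAGS, 0o600), path
        except OSError as e:
            if e.errno in (errno.EEXIST, errno.ELOOP):
                continue  # name already taken (or planted): never reuse it
            raise
    raise RuntimeError("could not find an unused temporary filename")

def refuses_planted_symlink():
    """Self-check inside a private tempdir: a symlink already sitting at the chosen
    name must be rejected and the file it points to must stay untouched."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original contents\n")
        planted = os.path.join(d, "predictable.tmp")
        os.symlink(victim, planted)  # the precondition the advisory describes
        try:
            fd = os.open(planted, _CREATE_FLAGS, 0o600)
        except OSError as e:
            rejected = e.errno in (errno.EEXIST, errno.ELOOP)
        else:
            os.close(fd)
            rejected = False
        with open(victim) as f:
            return rejected and f.read() == "original contents\n"

def creates_fresh_private_file():
    """Self-check: two calls yield distinct regular files with no group/other bits."""
    with tempfile.TemporaryDirectory() as d:
        (fd1, p1), (fd2, p2) = create_unique_temp(d), create_unique_temp(d)
        os.close(fd1); os.close(fd2)
        modes = [os.lstat(p).st_mode for p in (p1, p2)]
        return p1 != p2 and all(stat.S_ISREG(m) and m & 0o077 == 0 for m in modes)
```

The standard library's tempfile.mkstemp applies the same O_EXCL discipline; the hand-written version above just makes the flags visible.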
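For the dependency-graph image map issue in the advisory above, an added Python example (not Bugzilla's code) that builds AREA tags whose ALT and NAME attributes hold escaped bug summaries, beside the unfiltered form, and parses both as a browser would to confirm that only the intended tags appear; the attribute layout, the show_bug.cgi href and the sample bugs are assumptions constructed for the example:

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample data, not from Bugzilla: (bug id, summary, pixel box of the
# node in the rendered graph). The second summary carries the kind of
# attribute-breaking text the advisory describes.
BUGS = [
    (100, "Crash on startup", (10, 10, 90, 40)),
    (101, 'Title "><script>evil()</script> is broken', (120, 10, 200, 40)),
]

def area_tag_unfiltered(bug_id, summary, box):
    """The failure mode: the summary is copied verbatim into ALT and NAME."""
    coords = ",".join(map(str, box))
    return (f'<area shape="rect" coords="{coords}" href="show_bug.cgi?id={bug_id}" '
            f'alt="{summary}" name="{summary}">')

def area_tag(bug_id, summary, box):
    """Hardened form: escape &, <, > and both quote characters before the value
    goes inside a quoted attribute; quote=True is what keeps the attribute closed."""
    coords = ",".join(map(str, box))
    safe = escape(summary, quote=True)
    return (f'<area shape="rect" coords="{coords}" href="show_bug.cgi?id={bug_id}" '
            f'alt="{safe}" name="{safe}">')

def render_image_map(bugs, filtered=True):
    """Client-side image map for the dependency graph, one AREA per bug node."""
    tag = area_tag if filtered else area_tag_unfiltered
    return '<map name="graph">\n' + "\n".join(tag(*b) for b in bugs) + "\n</map>"

class _TagCollector(HTMLParser):
    """Records every start tag and its decoded attributes, as a browser sees them."""
    def __init__(self):
        super().__init__()
        self.seen = []
    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, dict(attrs)))

def _parse(markup):
    p = _TagCollector()
    p.feed(markup)
    return p.seen

def injected_tags(markup):
    """Tag names the browser would parse that the image map never meant to emit."""
    return {t for t, _ in _parse(markup)} - {"map", "area"}

def alt_texts(markup):
    """ALT values as the browser decodes them; with escaping they round-trip exactly."""
    return [a.get("alt") for t, a in _parse(markup) if t == "area"]
```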