From justdave at bugzilla.org Mon Nov 3 05:10:15 2003
From: justdave at bugzilla.org (David Miller)
Date: Mon, 3 Nov 2003 00:10:15 -0500
Subject: [ANN] Bugzilla 2.16.4 Released
Message-ID:

The Bugzilla Team is pleased to announce the release of Bugzilla 2.16.4.
2.16.4 is the latest stable Bugzilla release. It contains fixes for three
security bugs found in Bugzilla 2.16.3, a few functionality / dataloss
bugfixes, and compatibility fixes for MySQL 4 and Perl 5.8.

For more detailed information on what was fixed, review the latest Bugzilla
status report available at
http://www.bugzilla.org/status_reports/2003-11-02.html or read the release
notes within the archive.

The Bugzilla team strongly recommends all 2.16.x users upgrade to 2.16.4 due
to the security bugs fixed in this release.

For details on upgrade options and to download 2.16.4, see:
http://www.bugzilla.org/download.html .

Be sure to read the 2.16.4 release notes located within the release package
in docs/rel_notes.txt, or available online at
http://www.bugzilla.org/releases/2.16.4/release-notes.html

Thanks to everyone who worked on 2.16.4!

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/

From justdave at bugzilla.org Mon Nov 3 05:13:39 2003
From: justdave at bugzilla.org (David Miller)
Date: Mon, 3 Nov 2003 00:13:39 -0500
Subject: [BUGZILLA] Security Advisory - SQL injection, information leak
Message-ID:

Bugzilla Security Advisory
November 2, 2003

Summary
=======

Bugzilla is a Web-based bug-tracking system, currently used by a large number
of software projects. This advisory covers security bugs that have recently
been discovered and fixed in the Bugzilla code: two instances of arbitrary
SQL injection exploitable only by a privileged user, one instance where a
privileged user may retain privileges that should have been removed, and two
instances of unprivileged access to summaries of restricted data.
These bugs are not considered critical, since their impact is quite limited.
Nevertheless, all Bugzilla installations are advised to upgrade to the latest
stable version of Bugzilla, 2.16.4, which was released today. Development
snapshots prior to version 2.17.5 are also affected, so if you are using a
development snapshot, you should obtain a newer one (2.17.5) or use CVS to
update.

Vulnerability Details
=====================

Issue 1
-------

Class:       SQL injection (by privileged user only)
Versions:    2.16.3 and earlier (2.17.1 and up are not affected)
Description: A user with 'editproducts' privileges (i.e. usually an
             administrator) can select arbitrary SQL to be run by the nightly
             statistics cron job (collectstats.pl), by giving a product a
             special name.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=214290

Issue 2
-------

Class:       SQL injection (by privileged user only)
Versions:    2.16.3 and earlier, 2.17.1 through 2.17.4
Description: A user with 'editkeywords' privileges (i.e. usually an
             administrator) can inject arbitrary SQL via the URL used to edit
             an existing keyword.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=219044

Issue 3
-------

Class:       Privilege mishandling
Versions:    2.16.3 and earlier (2.17.1 and up are not affected)
Description: When deleting products and the 'usebuggroups' parameter is on,
             the privilege which allows someone to add people to the group
             which is being deleted does not get removed, allowing people
             with that privilege to get that privilege for the next group
             that is created which reuses that group ID. Note that this only
             allows someone who had been granted privileges in the past to
             retain them.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=219690

Issue 4
-------

Class:       Information leak
Versions:    2.16.3 and earlier, 2.17.1 through 2.17.4
Description: If you know the email address of someone who has voted on a
             secure bug, you can access the summary of that bug even if you
             do not have sufficient permissions to view the bug itself.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=209376

Issue 5
-------

Class:       Information leak
Versions:    2.17.3 and 2.17.4 only
Description: Under some circumstances, a user can obtain component
             descriptions for a product to which he does not normally have
             access.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=209742

Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are
included in the 2.16.4 and 2.17.5 releases. Upgrading to these releases will
protect installations from these issues.

Full release downloads, patches to upgrade Bugzilla to 2.16.4 from previous
2.16.x versions, and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the reference
for that issue in the list above.
Credits
=======

The Bugzilla team wish to thank the following people for their assistance in
locating and advising us of these situations:

Bradley Baetz - for discovering and fixing the issue with voting on a secure
                bug
Ryan Cleary   - for discovering the issue with component descriptions of
                secured products
Andrew Eross  - for discovering the SQL injection in collectstats.pl
Vlad Dascalu  - for discovering the SQL injection in editkeywords.cgi
Stefan Mayr   - for discovering and fixing the privilege deletion issue when
                deleting products

General information about the Bugzilla bug-tracking system can be found at
http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list; http://www.bugzilla.org/discussion.html has directions for accessing
these forums.

-30-

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/

From justdave at bugzilla.org Mon Nov 3 05:11:39 2003
From: justdave at bugzilla.org (David Miller)
Date: Mon, 3 Nov 2003 00:11:39 -0500
Subject: [ANN] Bugzilla 2.17.5 Dev Snapshot Released
Message-ID:

The Bugzilla Team is pleased to announce the posting of Bugzilla 2.17.5, a
snapshot of the current development sources from CVS.

Bugzilla 2.17.5 is a Development Release and is intended for developers
wishing to base large landings or patches on an official bugzilla.org
release. It should not be used for production purposes, unless you have a
Perl programmer on staff willing to put out any fires that may arise. The
vast majority of sites wanting to test or use Bugzilla in production should
continue to use version 2.16.4.

Bugzilla 2.17.5 also contains fixes to three security bugs found in the
2.17.4 release.

Bugzilla 2.17.5 can be obtained from http://www.bugzilla.org/download.html .
Most of the details on new features available were posted in our latest
status update, which can be viewed at
http://www.bugzilla.org/status_updates/2003-11-02.html#newfeatures

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/

From justdave at bugzilla.org Mon Nov 10 06:01:00 2003
From: justdave at bugzilla.org (David Miller)
Date: Mon, 10 Nov 2003 01:01:00 -0500
Subject: [ANN] Bugzilla 2.17.6 Dev Snapshot Released
Message-ID:

The Bugzilla Team (with egg on our collective faces) has posted Bugzilla
2.17.6, a snapshot of the current development sources from CVS.

We had a small "oops" with the 2.17.5 release, in that one of the new
features that was introduced also introduced a new security hole. For the
full details, read the security advisory, which is being mailed separately
to this mailing list. Note that this affects version 2.17.5 only and the
current stable version 2.16.4 is *not* affected.

Since this is the development branch, there have been other checkins besides
the security fix. For a complete list, visit
http://www.bugzilla.org/changes.html and click the "2.17.5 -> 2.17.6" link.
Most notable is a change to the way saved queries are managed. Queries are
now saved or deleted from the results page instead of from the query page
itself, greatly simplifying both how you deal with saved queries, and the UI
on the query page itself. For a demo, you can check out
http://landfill.bugzilla.org/bugzilla-tip/query.cgi .

Bugzilla 2.17.6 is a Development Release and is intended for developers
wishing to base large landings or patches on an official bugzilla.org
release. It should not be used for production purposes, unless you have a
Perl programmer on staff willing to put out any fires that may arise. The
vast majority of sites wanting to test or use Bugzilla in production should
continue to use version 2.16.4.

Bugzilla 2.17.6 can be obtained from http://www.bugzilla.org/download.html .
--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/

From justdave at bugzilla.org Mon Nov 10 06:04:38 2003
From: justdave at bugzilla.org (David Miller)
Date: Mon, 10 Nov 2003 01:04:38 -0500
Subject: [BUGZILLA] Security Advisory - information leak
Message-ID:

Bugzilla Security Advisory
November 9, 2003

Summary
=======

Bugzilla is a Web-based bug-tracking system, currently used by a large number
of software projects. This advisory covers a security bug which was
accidentally introduced in development version 2.17.5 and subsequently fixed
in the Bugzilla code involving unprivileged access to restricted data.

All Bugzilla installations that have upgraded to the 2.17.5 development
snapshot are encouraged to obtain version 2.17.6 or apply the relevant patch.
The current stable version of Bugzilla is 2.16.4, and is not affected by this
advisory.

Vulnerability Details
=====================

Class:       Information leak
Versions:    2.17.5 is the only version affected.
Description: A new feature was introduced in version 2.17.5 which allows
             remote websites to build tooltips and other dynamically
             generated data using current bug information retrieved from
             Bugzilla. A security lapse in the initial implementation of this
             feature allows the remote site to obtain that information from
             Bugzilla using the privileges of the client user.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=195530

Vulnerability Solutions
=======================

The fix for the security bug mentioned in this advisory is included in the
2.17.6 release. Upgrading to this release will protect installations from
this issue. As stated above, this only affects Bugzilla 2.17.5, and does not
affect the stable version 2.16.4.
Full release downloads of Bugzilla 2.17.6 and CVS upgrade instructions can be
found at: http://www.bugzilla.org/download.html

A specific patch for this issue can be found on the corresponding bug report,
at the URL given in the reference for the issue in the Vulnerability Details
section above.

Credits
=======

The Bugzilla team wish to thank Gervase Markham for discovering and fixing
this promptly after he introduced it.

General information about the Bugzilla bug-tracking system can be found at
http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list; http://www.bugzilla.org/discussion.html has directions for accessing
these forums.

-30-

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/
http://www.bugzilla.org/
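The bug class behind Issues 1 and 2 of the November 2 advisory above (a product name set by an 'editproducts' user, or a keyword id taken from the edit URL, pasted straight into SQL text) is worth seeing next to its fix. The following is an added example written for this archive page; it is not Bugzilla code and does not reproduce Bugzilla's schema or queries. It runs against an in-memory SQLite database whose table and column names (bugs, keyworddefs) are assumptions only loosely modelled on Bugzilla, and the crafted product name and keyword id are constructed inputs for the demonstration. The vulnerable functions build the statement with string formatting; the hardened ones bind the values as parameters and, for the numeric id, validate it before it reaches the database.

```python
"""
Added example, not Bugzilla's own code: string-interpolated SQL (the pattern
behind Issues 1 and 2 of the 2003-11-02 advisory) beside the parameterised
form. Schema and sample rows are constructed; table and column names are
assumptions, not Bugzilla's real schema.
"""
import sqlite3


def make_db():
    """Build a small constructed database: a bugs table and a keyword table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bugs (
            bug_id     INTEGER PRIMARY KEY,
            product    TEXT NOT NULL,
            bug_status TEXT NOT NULL
        );
        CREATE TABLE keyworddefs (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL
        );
        INSERT INTO bugs (product, bug_status) VALUES
            ('Bugzilla',   'NEW'),
            ('Bugzilla',   'RESOLVED'),
            ('Restricted', 'NEW'),
            ('Restricted', 'NEW');
        INSERT INTO keyworddefs (name) VALUES ('crash'), ('regression');
    """)
    return conn


# Issue 1 shape: a nightly stats job pastes the product name, which an
# 'editproducts' user chose, straight into the SQL text.
def count_status_vulnerable(conn, product, status):
    sql = ("SELECT COUNT(*) FROM bugs WHERE product = '%s' "
           "AND bug_status = '%s'" % (product, status))
    return conn.execute(sql).fetchone()[0]


# Hardened: the product name is bound as a parameter, so quote characters
# inside it are data, not SQL syntax.
def count_status(conn, product, status):
    sql = "SELECT COUNT(*) FROM bugs WHERE product = ? AND bug_status = ?"
    return conn.execute(sql, (product, status)).fetchone()[0]


# Issue 2 shape: an id lifted from the edit URL is interpolated into an UPDATE.
def rename_keyword_vulnerable(conn, keyword_id, new_name):
    sql = ("UPDATE keyworddefs SET name = '%s' WHERE id = %s"
           % (new_name, keyword_id))
    with conn:  # commits on success
        conn.execute(sql)
    return keyword_names(conn)


# Hardened: reject anything that is not a plain integer before it reaches the
# database, then bind both values.
def rename_keyword(conn, keyword_id, new_name):
    if not str(keyword_id).isdigit():
        raise ValueError("keyword id must be a positive integer")
    with conn:
        conn.execute("UPDATE keyworddefs SET name = ? WHERE id = ?",
                     (new_name, int(keyword_id)))
    return keyword_names(conn)


def keyword_names(conn):
    """Current keyword names in id order, so the effect of each UPDATE is visible."""
    return [row[0] for row in
            conn.execute("SELECT name FROM keyworddefs ORDER BY id")]


def demo():
    """Run both patterns against crafted input and return the observations."""
    conn = make_db()
    # A product 'name' that closes the quoted literal and widens the WHERE
    # clause, so the stats job counts bugs from a product it never asked
    # about. (Constructed input; AND binds tighter than OR in SQL.)
    crafted_name = "Bugzilla' OR '1'='1"
    # An 'id' from a URL that turns a one-row UPDATE into a table-wide one.
    crafted_id = "1 OR 1=1"
    out = {
        "honest": count_status_vulnerable(conn, "Bugzilla", "NEW"),
        "crafted_vulnerable": count_status_vulnerable(conn, crafted_name, "NEW"),
        "crafted_hardened": count_status(conn, crafted_name, "NEW"),
        "rename_vulnerable": rename_keyword_vulnerable(conn, crafted_id, "pwned"),
    }
    try:
        rename_keyword(conn, crafted_id, "pwned")
        out["rename_hardened"] = "accepted"
    except ValueError as exc:
        out["rename_hardened"] = "rejected: %s" % exc
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %r" % (key, value))
```

Running it shows the honest query counting one NEW bug for 'Bugzilla', the crafted name pushing that count to four because the OR swallows every NEW bug in the table, the parameterised query returning zero for the same crafted string, the crafted id renaming every keyword at once, and the validated path refusing the id outright. Binding parameters is what removes the bug class; the integer check on the id is defence in depth that also gives a clearer error to a legitimate caller.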