[BUGZILLA] Security Advisory - information leak

David Miller justdave at bugzilla.org
Mon Nov 10 06:04:38 UTC 2003


Bugzilla Security Advisory

November 9, 2003

Summary
=======

Bugzilla is a Web-based bug-tracking system, currently used by a large
number of software projects.

This advisory covers a security bug which was accidently introduced in
development version 2.17.5 and subsequently fixed in the Bugzilla code
involving unprivileged access to restricted data.

All Bugzilla installations who have upgraded to the 2.17.5 development
snapshot are encouraged to obtain version 2.17.6 or apply the relevant
patch.

The current stable version of Bugzilla is 2.16.4, and is not affected
by this advisory.


Vulnerability Details
=====================

Class:       Information leak
Versions:    2.17.5 is the only version affected.
Description: A new feature was introduced in version 2.17.5 which allows
             remote websites to build tooltips and other dynamically
             generated data using current bug information retrieved from
             Bugzilla.  A security lapse in the initial implementation
             of this feature allows the remote site to obtain that
             information from Bugzilla using the privileges of the
             client user.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=195530


Vulnerability Solutions
=======================

The fix for the security bug mentioned in this advisory is included in
the 2.17.6 release.  Upgrading to this release will protect
installations from this issue.  As stated above, this only affects
Bugzilla 2.17.5, and does not affect the stable version 2.16.4.

Full release downloads of Bugzilla 2.17.6 and CVS upgrade instructions
can be found at:
  http://www.bugzilla.org/download.html

A specific patch for this issue can be found on the corresponding bug
report, at the URL given in the reference for the issue in the
Vulnerability Details section above.


Credits
=======

The Bugzilla team wish to thank Gervase Markham for discovering and
fixing this promptly after he introduced it.


General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.

-30-
-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/



More information about the announce mailing list