From justdave at bugzilla.org Sat Apr 2 22:16:43 2005
From: justdave at bugzilla.org (David Miller)
Date: Sat, 02 Apr 2005 14:16:43 -0800
Subject: Security Advisory for Bugzilla CVS 2005/01/23 - 2005/03/30
Message-ID: <424F19CB.5010700@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A flaw exists in versions of Bugzilla checked out from the HEAD branch
(the tip) of Bugzilla CVS between January 23, 2005 and March 30, 2005,
which allows users to display comments on secured bugs they don't have
access to by feeding the bug numbers to show_bug.cgi with
"format=multiple" in the URL.

If you do not use the group system to secure bug reports, this problem
does not affect you.

This code has never been released in a tarball, not even as a
development snapshot. The only way you would have obtained a copy of
Bugzilla containing this flaw is if you checked it out directly from
our CVS repository, or got it from a third party who obtained it that
way.

All users of Bugzilla who have checked out Bugzilla from CVS prior to
today and after January 23, 2005 are strongly encouraged to cvs update
to the tip (or at least to mid-day today) to pick up this fix.

For more information, see https://bugzilla.mozilla.org/show_bug.cgi?id=287880

- --
Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Foundation       http://www.mozilla.org/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCTxnK0YeDAOcbS44RArZdAJ9B++sEYOgUoJ7DeU0i6vMVFLPaRQCfbc3B
HqdohczfCGn0q3Bvdf3iIUc=
=kw+P
-----END PGP SIGNATURE-----
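The class of defect the advisory describes is a second rendering path (a multi-bug view) that skips the per-bug group check the single-bug view performs. The following is an added illustration written for this archive page; it is not Bugzilla's code, and the bug/user records, the simplified group rule (a restricted bug is visible only to a member of every group it is restricted to), and the function names are all constructed for the example. It places the unchecked multi-bug path beside a hardened one that routes every requested bug through the same authorization check as the single view.

```python
"""Per-bug authorization for a multi-bug view (hypothetical, not Bugzilla's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bug:
    id: int
    summary: str
    comments: tuple[str, ...]
    groups: frozenset[str]      # groups the bug is restricted to; empty = public


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset[str]      # groups the user is a member of


# Constructed sample data: one public bug and one restricted to a
# "security" group. Ids, text and group names are made up for this example.
BUGS = {
    100: Bug(100, "Typo on front page", ("Fixed in r12",), frozenset()),
    101: Bug(101, "Private report", ("Restricted comment",), frozenset({"security"})),
}

ALICE = User("alice", frozenset({"security"}))   # may see bug 101
BOB = User("bob", frozenset())                    # may only see bug 100


def can_see_bug(user: User, bug: Bug) -> bool:
    """Simplified group rule (an assumption for this example): a restricted
    bug is visible only to a user who belongs to every group it is in."""
    return bug.groups <= user.groups


def show_bug(user: User, bug_id: int) -> dict:
    """Single-bug view: the access check runs before anything is rendered."""
    bug = BUGS[bug_id]
    if not can_see_bug(user, bug):
        raise PermissionError(f"bug {bug_id} is not accessible to {user.login}")
    return {"id": bug.id, "summary": bug.summary, "comments": list(bug.comments)}


def show_bugs_multiple_broken(user: User, bug_ids: list[int]) -> list[dict]:
    """The 'before' of the fix: a separate multi-bug path that loads records
    directly and never repeats the per-bug check, so comments on restricted
    bugs are rendered for any caller. Kept only to show the failure mode."""
    return [
        {"id": b.id, "summary": b.summary, "comments": list(b.comments)}
        for b in (BUGS[i] for i in bug_ids)
    ]


def show_bugs_multiple_fixed(user: User, bug_ids: list[int]) -> list[dict]:
    """Hardened path: every requested bug goes through the same check as the
    single-bug view; bugs the user may not see are omitted, not rendered."""
    visible = []
    for bug_id in bug_ids:
        try:
            visible.append(show_bug(user, bug_id))
        except PermissionError:
            continue
    return visible


if __name__ == "__main__":
    print("broken view for bob:", [b["id"] for b in show_bugs_multiple_broken(BOB, [100, 101])])
    print("fixed view for bob: ", [b["id"] for b in show_bugs_multiple_fixed(BOB, [100, 101])])
```

The design point is that authorization lives in one function the single-bug and multi-bug paths both call, so a new output format cannot silently bypass it; a regression test that asks the multi-bug view for a restricted id as an unprivileged user is the cheapest way to keep it that way.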