Security Advisory for Bugzilla CVS 2005/01/23 - 2005/03/30

David Miller justdave at
Sat Apr 2 22:16:43 UTC 2005


A flaw exists in versions of Bugzilla checked out from the HEAD branch
(the tip) of Bugzilla CVS between January 23, 2005 and March 30, 2005,
which allows users to display comments on secured bugs they don't have
access to by feeding the bug numbers to show_bug.cgi with
"format=multiple" in the URL.

If you do not use the group system to secure bug reports, this problem
does not affect you.

This code has never been released in a tarball, not even as a
development snapshot.  The only way you would have obtained a copy of
Bugzilla containing this flaw is if you checked it out directly from our
CVS repository, or got it from a third party who obtained it that way.

All users of Bugzilla who have checked out Bugzilla from CVS prior to
today and after January 23, 2005 are strongly encouraged to cvs update
to the tip (or at least to mid-day today) to pick up this fix.
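For administrators who secure bugs with groups and ran a CVS checkout during that period, an added example (not part of the advisory or of Bugzilla) that scans web-server access-log lines for show_bug.cgi requests that carried format=multiple and named a group-protected bug. The Apache common-log layout, the secured bug ids and the log lines are constructed, and the assumption that bug numbers arrive as repeated `id` query parameters is mine.

```python
"""Flag show_bug.cgi requests that used format=multiple and named a secured bug.
Added example: log lines, secured bug ids and the date window are constructed."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache common log format: host ident user [time zone] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]\s]+)[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return {ip, when, method, path, status} or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
            "method": method, "path": path, "status": int(status)}

def suspicious_requests(lines, secured_bug_ids, window):
    """List (ip, timestamp, [secured ids]) for show_bug.cgi requests inside `window`
    whose query had format=multiple and at least one secured id (assumed in `id`)."""
    start, end = window
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["when"] <= end):
            continue
        parts = urlsplit(rec["path"])
        if not parts.path.endswith("/show_bug.cgi"):
            continue
        query = parse_qs(parts.query)
        if "multiple" not in query.get("format", []):
            continue
        requested = {int(n) for v in query.get("id", []) for n in re.findall(r"\d+", v)}
        leaked = sorted(requested & set(secured_bug_ids))
        if leaked:
            hits.append((rec["ip"], rec["when"], leaked))
    return hits

# Constructed inputs. Set the window to when the site's checkout was made and
# when it was updated; the advisory's CVS dates are only a starting point.
SECURED_BUGS = {1234, 1500}
WINDOW = (datetime(2005, 1, 23), datetime(2005, 3, 30, 23, 59, 59))
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2005:10:01:02 +0000] "GET /show_bug.cgi?id=1234&id=77&format=multiple HTTP/1.1" 200 5120',
    '10.0.0.6 - - [12/Feb/2005:10:02:30 +0000] "GET /show_bug.cgi?id=1234 HTTP/1.1" 200 310',
    '10.0.0.7 - - [02/Apr/2005:09:00:00 +0000] "GET /show_bug.cgi?id=1500&format=multiple HTTP/1.1" 200 4000',
]
```

Because Bugzilla identifies users by cookie rather than HTTP auth, the hit only gives the client address and time; match those against Bugzilla's own login records to see who made the request.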

For more information, see

--
Dave Miller
System Administrator, Mozilla Foundation
Project Leader, Bugzilla Bug Tracking System
