Security Advisory for Bugzilla CVS 2005/01/23 - 2005/03/30

David Miller justdave at bugzilla.org
Sat Apr 2 22:16:43 UTC 2005


A flaw exists in versions of Bugzilla checked out from the HEAD branch
(the tip) of Bugzilla CVS between January 23, 2005 and March 30, 2005,
which allows users to display comments on secured bugs they don't have
access to by feeding the bug numbers to show_bug.cgi with
"format=multiple" in the URL.

If you do not use the group system to secure bug reports, this problem
does not affect you.
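As an added illustration (not part of the advisory or of Bugzilla's own code), this is how an administrator could review web-server logs for the access pattern described: show_bug.cgi requests carrying "format=multiple" that named a group-restricted bug during the affected window. The log lines, the set of secured bug ids and the Apache combined log layout are constructed assumptions; a real check would take the secured ids from the installation's own database.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed: bug ids restricted to a group on this hypothetical install.
SECURED_BUGS = {1001, 1002, 2042}
# Exposure window from the advisory: HEAD checkouts between 2005-01-23 and 2005-03-30.
WINDOW_START = datetime(2005, 1, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2005, 3, 30, 23, 59, 59, tzinfo=timezone.utc)
# Apache combined log line (assumed layout); only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def requested_bug_ids(path):
    """Bug ids named in a show_bug.cgi request, but only when the format=multiple path is used."""
    parts = urlsplit(path)
    if not parts.path.endswith("/show_bug.cgi"):
        return set()
    qs = parse_qs(parts.query)
    if "multiple" not in qs.get("format", []):
        return set()
    # Accept repeated id= parameters and comma-separated lists (assumption about client usage).
    pieces = (p.strip() for value in qs.get("id", []) for p in value.split(","))
    return {int(p) for p in pieces if p.isdigit()}

def find_suspect_requests(lines, secured=SECURED_BUGS):
    """(ip, timestamp, secured ids) for successful format=multiple requests on secured bugs in the window."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log entry
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if int(m.group("status")) != 200 or not (WINDOW_START <= ts <= WINDOW_END):
            continue
        exposed = requested_bug_ids(m.group("path")) & secured
        if exposed:
            hits.append((m.group("ip"), ts, sorted(exposed)))
    return hits

# Constructed sample log lines: only the first and third should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Feb/2005:14:03:11 +0000] "GET /show_bug.cgi?id=1001&id=7&format=multiple HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Feb/2005:14:03:30 +0000] "GET /show_bug.cgi?id=1001 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Mar/2005:09:20:00 +0000] "GET /show_bug.cgi?id=2042&format=multiple HTTP/1.1" 200 4000 "-" "curl/7.10"',
    '10.0.0.9 - - [01/Apr/2005:09:20:00 +0000] "GET /show_bug.cgi?id=2042&format=multiple HTTP/1.1" 200 4000 "-" "curl/7.10"',
    '10.0.0.7 - - [20/Feb/2005:11:00:00 +0000] "GET /show_bug.cgi?id=7&format=multiple HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
```

Each hit is a request to follow up by hand, since the access log does not show whether the requester was a member of the bug's group; the second and fifth sample lines are ignored because they use the single-bug path or touch no secured bug, and the fourth falls outside the window.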

This code has never been released in a tarball, not even as a
development snapshot.  The only way you would have obtained a copy of
Bugzilla containing this flaw is if you checked it out directly from our
CVS repository, or got it from a third party who obtained it that way.

All users of Bugzilla who have checked out Bugzilla from CVS prior to
today and after January 23, 2005 are strongly encouraged to cvs update
to the tip (or at least to mid-day today) to pick up this fix.

For more information, see
https://bugzilla.mozilla.org/show_bug.cgi?id=287880

--
Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Foundation       http://www.mozilla.org/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/
