From justdave at bugzilla.org Fri Jan 7 02:06:01 2005
From: justdave at bugzilla.org (David Miller)
Date: Thu, 06 Jan 2005 21:06:01 -0500
Subject: [BUGZILLA] XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3
Message-ID: <41DDEE89.4030005@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bugzilla Security Advisory
January 6, 2005

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects. This advisory covers a single cross-site scripting
issue that has recently been discovered and fixed in the Bugzilla code:

If a malicious user links to a Bugzilla site using a specially crafted
URL, a script in the error page generated by Bugzilla will display the
URL unaltered in the page, allowing scripts embedded in the URL to
execute. Not all browsers are affected. Many web browsers prevent these
types of URLs from being sent in the first place. A list of browsers
that we know are or are not affected is in the Vulnerability Details
section below.

At this time, we are very close to producing a new release of Bugzilla;
however, that release has not yet been completed. In the meantime, we
felt it was only fair to advise everyone of this issue, since it has
already been made public via at least BugTraq and Secunia as part of a
broader paper covering cross-site scripting on many major websites. We
do have patches available which can be applied to your Bugzilla
installation.

Vulnerability Details
=====================

Class:       Cross-site scripting
Versions:    2.15 through 2.18rc3 and 2.19.1 (from CVS)
Description: It is possible to send a carefully crafted URL to Bugzilla
             designed to trigger an error message. The Internal Error
             message includes JavaScript code which displays the URL the
             user is visiting. The JavaScript code does not escape the
             URL before displaying it, allowing scripts contained in the
             URL to be executed by the browser.

             Many browsers do not allow unescaped URLs to be sent to a
             webserver (thus complying with RFC 2616 section 2.3.1 and
             RFC 2396 section 2.4.3), and are thus immune to this issue.

             Browsers which are known to be immune:
             - Firefox 1.0
             - Mozilla 1.7.5
             - Camino 0.8.2
             - Netscape 7.2
             - Safari 1.2.4

             Browsers known to be susceptible:
             - Internet Explorer 6 SP2
             - Konqueror 3.2

             Browsers not listed here have not been tested.

Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=272620
CVE Name:    CAN-2004-1061

Vulnerability Solutions
=======================

The fixes for the security bug mentioned in this advisory will be
included in the 2.16.8 and 2.18 releases, and in the first release
candidate of 2.20, none of which are yet available at this writing. In
the meantime, the patch to correct the issue may be downloaded from the
bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=272620 .
Applying the provided patch, or upgrading to these releases once they
are available, will protect installations from possible exploits of
this issue.

Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix these
situations:

Michael Krax
Gervase Markham
Marc Schumann

General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/support/ has directions for
accessing these forums.
-30-
--
Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Foundation       http://www.mozilla.org/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQFB3e6I0YeDAOcbS44RAkt8AJjNxA+iZ6t+thlK+oJVwu4RHWA4AJ4+mOeS
smjYVRn6Zx/P4eBSwiqd5Q==
=ucpu
-----END PGP SIGNATURE-----

From justdave at bugzilla.org Sun Jan 16 15:08:00 2005
From: justdave at bugzilla.org (David Miller)
Date: Sun, 16 Jan 2005 10:08:00 -0500
Subject: [ANN] Bugzilla 2.18 Released (and 2.16.8, 2.19.2)
Message-ID: <41EA8350.9070608@bugzilla.org>

After over two years of hard work from an international team of
volunteers led by Dave Miller, we are proud to announce the release of
Bugzilla 2.18.

Bugzilla 2.18 is our best release to date. It is a major improvement
over Bugzilla 2.16, containing over 1000 bug fixes and enhancements.
See the link to the Release Notes below for details on all the
enhancements. All Bugzilla administrators are encouraged to upgrade to
it as soon as is convenient.

If you run a Bugzilla installation, please let us know by emailing
gerv at mozilla.org! We will put a link to your installation (or at
least your company's or organization's name) at
http://www.bugzilla.org/installation-list/

Along with the release of 2.18, we are also releasing 2.16.8, a new
bugfix release for 2.16, and 2.19.2, our latest development version.

Download
--------

Bugzilla is available at:

http://www.bugzilla.org/download/

Release Notes & Changes
-----------------------

Before installing (and to see all the cool new features in 2.18), read
the Release Notes:

http://www.bugzilla.org/docs/2.18/rel_notes.txt

Additional information about the release can be found at
http://www.bugzilla.org/releases/2.18/

To see a list of all changes between your version of Bugzilla and the
current version of Bugzilla, you can see the chart at:

http://www.bugzilla.org/status/changes.html

Try Out Bugzilla 2.18
---------------------

You can see and play with a testing installation of Bugzilla 2.18 at:

http://landfill.bugzilla.org/bugzilla-2.18-branch/

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System."
Defect Tracking Systems allow individuals or groups of developers to
keep track of outstanding bugs in their product effectively. Most
commercial defect-tracking software vendors charge enormous licensing
fees. Despite being "free", Bugzilla has many features its expensive
counterparts lack. Consequently, Bugzilla has quickly become a favorite
of hundreds of organizations across the globe, and is widely regarded
as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-30-
--
Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Foundation       http://www.mozilla.org/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/
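The mechanism described in the security advisory above (the first message in this archive), as an added example that is not Bugzilla's own template code and not taken from the patch on bug 272620: an Internal Error page script that writes the current URL into the page by string concatenation, the same script with the URL HTML-escaped first, and a model of the two browser behaviours the advisory contrasts. The host name, the query parameter and the payload are constructed for illustration; `encodeURI()` stands in for a browser that percent-encodes the characters RFC 2396 section 2.4.3 excludes from URIs before sending the request, and passing the string through untouched stands in for a browser that sends it verbatim.

```javascript
// Added example, not Bugzilla's template code: models the Internal Error
// page script from the advisory (writes the URL unescaped) beside a
// hardened form, plus a model of how an RFC-compliant browser would have
// altered the URL before the page ever saw it.

// Replace the characters HTML treats specially so attacker-controlled text
// is rendered as text rather than parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the markup handed to document.write() is built by
// concatenating the raw URL, so any tag inside the URL becomes a live tag.
function renderUrlUnsafe(url) {
  return '<p>URL: ' + url + '</p>';
}

// Hardened pattern: the URL is escaped as text before it is written. Because
// '<' is escaped, a "</script>" inside the URL can no longer terminate the
// enclosing script element either.
function renderUrlSafe(url) {
  return '<p>URL: ' + escapeHtml(url) + '</p>';
}

// Model (assumption, not a measurement of any listed browser) of a browser
// that percent-encodes excluded characters such as '<', '>', '"' and space
// before sending the request. encodeURI() does exactly that while leaving
// the URL structure ('?', '=', '&', '/') intact, so the script in the page
// later sees "%3Cscript%3E" rather than "<script>".
function browserNormalizedUrl(url) {
  return encodeURI(url);
}

// Model of a browser that sends the URL exactly as typed or linked.
function browserVerbatimUrl(url) {
  return url;
}

// True when the rendered HTML still carries a live <script> start tag,
// i.e. the payload survived into executable markup.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed link (hypothetical host and parameter): markup smuggled in the
// query string of a request that would end in an Internal Error page.
const CRAFTED_URL =
  'http://bugzilla.example.invalid/show_bug.cgi?id=<script>alert(1)</script>';

// Runs the three combinations the advisory distinguishes and reports
// whether the script tag reaches the page in each.
function demo() {
  return {
    // verbatim browser + unescaped write: the advisory's vulnerable case
    verbatimUnsafe: containsScriptTag(renderUrlUnsafe(browserVerbatimUrl(CRAFTED_URL))),   // true
    // verbatim browser + escaped write: fixed in the page itself
    verbatimSafe: containsScriptTag(renderUrlSafe(browserVerbatimUrl(CRAFTED_URL))),       // false
    // encoding browser + unescaped write: "immune" only because of the client
    encodedUnsafe: containsScriptTag(renderUrlUnsafe(browserNormalizedUrl(CRAFTED_URL))),  // false
  };
}

console.log(demo());
```

The third case is why the advisory's immune list is a mitigation rather than a fix: the page is still writing untrusted input as markup, and it is only the client's encoding that keeps the tag out. Escaping on the page (or, as the patch on bug 272620 does server-side, not emitting the unescaped URL at all) closes the issue for the susceptible browsers as well.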