From mkanat at bugzilla.org Thu May 12 05:33:54 2005
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Wed, 11 May 2005 22:33:54 -0700
Subject: [ANN] Release of Bugzilla 2.18.1, 2.19.3, and 2.16.9
Message-ID: <1115876035.7923.9.camel@localhost.localdomain>

Today we are releasing Bugzilla 2.18.1, a bug-fix release for the 2.18 series. It contains various useful bug and security fixes for the original 2.18 release.

We are also releasing a *very unstable* development snapshot, 2.19.3, for those who want to track the bleeding edge of Bugzilla development. We expect our next development release after this to be Release Candidate 1 (2.20rc1).

Finally, there is a security-fix release for the old 2.16 series, version 2.16.9. Users of 2.16 are still encouraged to upgrade to 2.18 as soon as it is possible.

Download
--------

Bugzilla is available at:

  http://www.bugzilla.org/download/

Release Notes & Changes
-----------------------

Before installing, read the Release Notes:

  http://www.bugzilla.org/releases/2.18.1/release-notes.html

To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

  http://www.bugzilla.org/status/changes.html

Try Out Bugzilla
----------------

You can see and play with a testing installation of Bugzilla 2.18 at:

  http://landfill.bugzilla.org/bugzilla-2.18-branch/

And you can see the bleeding-edge Bugzilla at:

  http://landfill.bugzilla.org/bugzilla-tip/

Status Update
-------------

If you'd like to know where the Bugzilla Project is heading, read our latest Status Update!

  http://www.bugzilla.org/status/2005-05-11.html

Security Advisory
-----------------

You can see the security issues that we have fixed in these releases of Bugzilla at:

  http://www.bugzilla.org/security/2.16.8/

All three released versions fix security issues, so please do read the advisory.

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of hundreds of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-Max Kanat-Alexander
Release Manager, Bugzilla Project

-- 
http://www.everythingsolved.com/
Everything Solved: Experts at Bugzilla... and everything else, too.


From mkanat at bugzilla.org Thu May 12 05:21:35 2005
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Wed, 11 May 2005 22:21:35 -0700
Subject: Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8
Message-ID: <1115875295.7923.2.camel@localhost.localdomain>

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers two security bugs that have recently been discovered and fixed in the Bugzilla code:

+ In all versions of Bugzilla since at least 2.16, it is possible to guess the name of a hidden product and have Bugzilla confirm that you were correct.

+ In Bugzilla 2.18 and above, a user's username and password are sometimes exposed in the URL after generating a Report.

All Bugzilla installations are advised to upgrade to the latest stable version of Bugzilla, 2.18.1.

Development snapshots of 2.19 and above are also vulnerable. If you are using a development snapshot, you should obtain a newer one (2.19.3) or use CVS to update or apply the patches from the specific bugs listed below.

Vulnerability Details
=====================

Issue 1
-------

Class:       Information Leak
Versions:    2.10 through 2.18, 2.19.1, 2.19.2
Description: If a user correctly guesses the name of a product that should be invisible to them, they will be specifically informed that they do not have access to it, thus letting them know that the product exists. Also, users can enter bugs into products that are closed for bug entry, if they correctly guess the name of the product.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=287109

Issue 2
-------

Class:       User Password Embedded in URL
Versions:    2.17.1 through 2.18, 2.19.1, 2.19.2
Description: The user's password can be embedded as part of a report URL, and thus be visible in the web server logs, if the user is prompted to log in while attempting to view a chart.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=287436

Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are included in the 2.16.9, 2.18.1, and 2.19.3 releases. Upgrading to these releases will protect installations from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download.html

Specific patches for each of the individual issues can be found on the corresponding bug reports for each issue, at the URL given in the reference for that issue in the list above.

Credits
=======

The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix these situations:

  Roman Pszonka
  Gervase Markham
  Frédéric Buclin
  Myk Melez
  Joel Peshkin

General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/

Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.bugzilla.org/support/ has directions for accessing these forums.

-Max Kanat-Alexander
Release Manager, Bugzilla Project


From mkanat at bugzilla.org Thu May 19 09:17:28 2005
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Thu, 19 May 2005 02:17:28 -0700
Subject: [ANN] Release of Bugzilla 2.16.10
Message-ID: <1116494248.10150.11.camel@localhost.localdomain>

Today we are releasing Bugzilla 2.16.10, a bug-fix release for the old 2.16 series. In general, instead of the 2.16 series, new installations should use the 2.18 series. This release is an update for users who are still using the 2.16 series, and are not yet able to upgrade to 2.18.

This release fixes a problem in 2.16.9 that would cause users to be unable to enter bugs under many circumstances.

Download
--------

Bugzilla is available at:

  http://www.bugzilla.org/download/

Look under the "Old Stable Release" section for 2.16.10.

Release Notes & Changes
-----------------------

The Release Notes for 2.16.10 are available at:

  http://www.bugzilla.org/releases/2.16.10/release-notes.html

To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

  http://www.bugzilla.org/status/changes.html

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of hundreds of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-Max Kanat-Alexander
Release Manager, Bugzilla Project
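Added example (not part of the advisory or of Bugzilla's own code) for the defender's side of Issue 2 in the advisory above: once a login form is submitted by GET, the credentials sit in the web server's access log, so an administrator patching an affected installation also needs to find which accounts were exposed and scrub the retained logs. The block below scans Apache combined-format log lines (constructed samples), reports the affected login so that account can be reset, and returns a redacted copy of each line; it assumes the login form field names Bugzilla_login and Bugzilla_password.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Login form field names assumed for the installation being audited (adjust
# to match your Bugzilla version); compared case-insensitively.
LOGIN_PARAM = "bugzilla_login"
PASSWORD_PARAM = "bugzilla_password"

# Apache/NCSA "combined" access-log line; only the request line matters here.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)"')

def redact_target(target):
    """Request target with any password value replaced by a fixed marker."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() == PASSWORD_PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def redact_line(line):
    """Log line that is safe to retain: unchanged except the password value."""
    m = LOG_RE.match(line)
    if not m:
        return line
    target = m.group("target")
    return line.replace(target, redact_target(target), 1)

def scan_log(lines):
    """Hits for requests whose query string carried a password; each hit keeps
    the source and the login so the account can be reset, never the password."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
        if any(k.lower() == PASSWORD_PARAM for k, _ in params):
            login = next((v for k, v in params if k.lower() == LOGIN_PARAM), None)
            hits.append({"host": m.group("host"), "time": m.group("time"),
                         "login": login, "redacted": redact_line(line)})
    return hits

# Constructed sample log lines (not real traffic): one leaked login, one clean.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2005:10:02:11 -0700] "GET /report.cgi?format=table'
    '&Bugzilla_login=alice%40example.com&Bugzilla_password=s3cret HTTP/1.1" 200 4821',
    '10.0.0.7 - - [12/May/2005:10:03:40 -0700] "GET /show_bug.cgi?id=1234 HTTP/1.1" 200 1200',
]
```

Run `scan_log` over the full log history for the affected period, not only current files, since rotated and backed-up copies carry the same query strings.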