From mkanat at bugzilla.org Sun Oct 15 10:09:10 2006
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Sun, 15 Oct 2006 03:09:10 -0700
Subject: Release of Bugzilla 2.18.6, 2.20.3, 2.22.1, and 2.23.3
Message-ID: <1160906950.2465.16.camel@es-lappy>
We have many releases for you, today!
Bugzilla 2.18.6 and 2.20.3 are security-fix releases for our older
branches.
Bugzilla 2.22.1 is our first bugfix release in the 2.22 series,
and contains many useful fixes that improve the experience of using
Bugzilla.
Finally, we are releasing an unstable development snapshot, Bugzilla
2.23.3. This snapshot has both custom fields and mod_perl support,
but has not been tested as thoroughly as our other releases. The 2.23
series will eventually culminate in Bugzilla 3.0.
Users of the 2.18.x series should note that 2.18.x will reach
End Of Life when Bugzilla 3.0 is released. There are more details
in our Status Update.
We hope you enjoy all our new releases!
Download
--------
Bugzilla is available at:
http://www.bugzilla.org/download/
Release Notes & Changes
-----------------------
Before installing or upgrading, it is VERY IMPORTANT to read
the Release Notes:
2.18.6: http://www.bugzilla.org/releases/2.18.6/release-notes.html
2.20.3: http://www.bugzilla.org/releases/2.20.3/release-notes.html
2.22.1: http://www.bugzilla.org/releases/2.22.1/release-notes.html
To see a list of all changes between your version of Bugzilla and
the current version of Bugzilla, you can use the chart at:
http://www.bugzilla.org/status/changes.html
Security Advisory
-----------------
All of our releases contain important security fixes. Read about
them here:
http://www.bugzilla.org/security/2.18.5/
Status Update
-------------
To see what's new with the Bugzilla Project, including all the features
of our latest Development Release, see our latest Status Update:
http://www.bugzilla.org/status/2006-10-15.html
Try Out Bugzilla
----------------
If you'd like to test-drive Bugzilla, you can use the demo
installations of Bugzilla at:
http://landfill.bugzilla.org/
Support
-------
You can ask questions for free on the mailing lists (or in IRC)
about Bugzilla, or you can hire a paid consultant to help you out:
Free Support: http://www.bugzilla.org/support/
Paid Support: http://www.bugzilla.org/support/consulting.html
About Bugzilla
--------------
Bugzilla is a "Defect Tracking System" or "Bug-Tracking System."
Defect Tracking Systems allow individual or groups of developers
to keep track of outstanding bugs in their product effectively.
Most commercial defect-tracking software vendors charge enormous
licensing fees. Despite being "free", Bugzilla has many features
its expensive counterparts lack. Consequently, Bugzilla has quickly
become a favorite of hundreds of organizations across the globe, and
is widely regarded as one of the top defect-tracking systems available.
See http://www.bugzilla.org/about/ for more details.
-Max Kanat-Alexander
Release Manager, Bugzilla Project
From mkanat at bugzilla.org Sun Oct 15 10:01:25 2006
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Sun, 15 Oct 2006 03:01:25 -0700
Subject: Security Advisory for Bugzilla 2.18.5, 2.20.2, 2.22, and 2.23.2
Message-ID: <1160906485.2465.11.camel@es-lappy>
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers six security issues that have recently been
fixed in the Bugzilla code:
+ Sometimes the information put into the
and tags in Bugzilla
was not properly escaped, leading to a possible XSS vulnerability.
+ Bugzilla administrators were allowed to put raw, unfiltered HTML into
many fields in Bugzilla, leading to a possible XSS vulnerability.
Now, the HTML allowed in those fields is limited.
+ attachment.cgi could leak the names of private attachments
+ The "deadline" field was visible in the XML format of a bug, even to
users who were not a member of the "timetrackinggroup."
+ A malicious user could pass a URL to an admin, and make the admin
delete or change something that he had not intended to delete or
change.
+ It is possible to inject arbitrary HTML into the showdependencygraph.cgi
page, allowing for a cross-site scripting attack.
We strongly advise that 2.18.x users upgrade to 2.18.6. 2.20.x users
should upgrade to 2.20.3. 2.22 users, and users of 2.16.x or below,
should upgrade to 2.22.1.
Development snapshots of 2.23 before 2.23.3 are also vulnerable to all
of these issues. If you are using a development snapshot, you should
upgrade to 2.23.3, use CVS to update, or apply the patches from the
specific bugs listed below.
Vulnerability Details
=====================
Issue 1
-------
Class: Cross-Site Scripting
Versions: 2.15 and above
Description: Bugzilla sometimes displays admin-provided data in page
headers (meaning the and HTML tags of a page).
Sometimes, this data was not properly escaped, leading to
the possibility of a Cross-Site Scripting vulnerability.
For the most part, this was only exploitable by
administrators, and so is not of critical severity.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=330555
Issue 2
-------
Class: Cross-Site Scripting
Versions: 2.0 and above
Description: Bugzilla allows administrators to put HTML in the
descriptions of products, components, and other items. It
also allows HTML in certain other fields. Before the
most recent releases of Bugzilla, this HTML was completely
unfiltered. These fields are only editable by
certain users, who are specified by the admin. This makes
this vulnerability less severe. However, these users could
use this exploit to perform Cross-Site Scripting attacks
on nearly all users of a particular Bugzilla (including
users with higher permission levels than themselves).
Bugzilla now allows only certain HTML tags in those fields,
protecting users from a Cross-Site Scripting attack.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=206037
Issue 3
-------
Class: Information Leak
Versions: 2.17 and above
Description: When viewing an attachment in "Diff" mode, a user who is
not in the "insidergroup" (the group required to view
private attachments) can read the one-line descriptions
of all attachments, even "private" attachments.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=346086
Issue 4
-------
Class: Information Leak
Versions: 2.19.2 and above
Description: Bugzilla has a "deadline" field, which is usually only
visible to people in the "timetrackinggroup" group.
However, it was exposed in the XML format of a bug to all
users.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=346564
Issue 5
-------
Class: Security Enhancement
Versions: 2.0 and above
Description: Bugzilla updates, deletes, and creates data through a
web interface. Administrators update things like user
accounts through this interface. All of these pages accept
URL variables in both GET and POST formats.
A malicious user could craft a URL that would edit a user
(or any other admin-protected item), and then using a
service like TinyURL, could obscure the URL so that an
administrator couldn't tell what it was. Then, getting the
administrator to click on that URL, the action would be
performed, against the administrator's will.
This is now prevented. Bugzilla will only accept changes
on administrative pages if they come from Bugzilla's own
forms. That is, you have to use the form to make changes--
you now cannot just click a URL and accidentally make an
administrative change to Bugzilla.
Although technically this affects all versions of Bugzilla,
it has only been fixed on our most recent release (2.22.1
and our latest development snapshot, 2.23.3), because the
fix was too invasive to backport further. Administrators
of previous versions of Bugzilla should only click on URLs
from users that they fully trust.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=281181
Issue 6
-------
Class: Cross-Site Scripting
Versions: 2.15 and above
Description: showdependencygraph.cgi is a script that allows you to display
a graph of how bugs are related. There is a cross-site
scripting vulnerability in this script that allows for arbitrary
HTML injection. The user would have to follow a malicious URL
in order to trigger the attack--it is not possible for another
user to otherwise inject HTML into the page for the current
user.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=355728
Vulnerability Solutions
=======================
The fixes for all of the security bugs mentioned in this advisory
are included in the 2.18.6, 2.20.3, 2.22.1, and 2.23.3 releases.
Upgrading to these releases will protect installations from possible
exploits of these issues.
Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html
Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.
Credits
=======
The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:
Fr?d?ric Buclin*
Dave Miller
Gervase Markham
Gavin Shelley
Max Kanat-Alexander
Myk Melez
Josh "timeless" Soref
Olav Vitters
Adam Merrifield
* The Bugzilla Project would like to express special thanks to
Fr?d?ric. He worked many, many volunteer hours to fix many of the
issues above, and is largely responsible for most of these issues
being fixed. They would not have been fixed without him.
General information about the Bugzilla bug-tracking system can be found
at:
http://www.bugzilla.org/
Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
-Max Kanat-Alexander
Release Manager, Bugzilla Project
From mkanat at bugzilla.org Sun Oct 15 10:09:10 2006
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Sun, 15 Oct 2006 03:09:10 -0700
Subject: Release of Bugzilla 2.18.6, 2.20.3, 2.22.1, and 2.23.3
Message-ID: <1160906950.2465.16.camel@es-lappy>
We have many releases for you, today!
Bugzilla 2.18.6 and 2.20.3 are security-fix releases for our older
branches.
Bugzilla 2.22.1 is our first bugfix release in the 2.22 series,
and contains many useful fixes that improve the experience of using
Bugzilla.
Finally, we are releasing an unstable development snapshot, Bugzilla
2.23.3. This snapshot has both custom fields and mod_perl support,
but has not been tested as thoroughly as our other releases. The 2.23
series will eventually culminate in Bugzilla 3.0.
Users of the 2.18.x series should note that 2.18.x will reach
End Of Life when Bugzilla 3.0 is released. There are more details
in our Status Update.
We hope you enjoy all our new releases!
Download
--------
Bugzilla is available at:
http://www.bugzilla.org/download/
Release Notes & Changes
-----------------------
Before installing or upgrading, it is VERY IMPORTANT to read
the Release Notes:
2.18.6: http://www.bugzilla.org/releases/2.18.6/release-notes.html
2.20.3: http://www.bugzilla.org/releases/2.20.3/release-notes.html
2.22.1: http://www.bugzilla.org/releases/2.22.1/release-notes.html
To see a list of all changes between your version of Bugzilla and
the current version of Bugzilla, you can use the chart at:
http://www.bugzilla.org/status/changes.html
Security Advisory
-----------------
All of our releases contain important security fixes. Read about
them here:
http://www.bugzilla.org/security/2.18.5/
Status Update
-------------
To see what's new with the Bugzilla Project, including all the features
of our latest Development Release, see our latest Status Update:
http://www.bugzilla.org/status/2006-10-15.html
Try Out Bugzilla
----------------
If you'd like to test-drive Bugzilla, you can use the demo
installations of Bugzilla at:
http://landfill.bugzilla.org/
Support
-------
You can ask questions for free on the mailing lists (or in IRC)
about Bugzilla, or you can hire a paid consultant to help you out:
Free Support: http://www.bugzilla.org/support/
Paid Support: http://www.bugzilla.org/support/consulting.html
About Bugzilla
--------------
Bugzilla is a "Defect Tracking System" or "Bug-Tracking System."
Defect Tracking Systems allow individual or groups of developers
to keep track of outstanding bugs in their product effectively.
Most commercial defect-tracking software vendors charge enormous
licensing fees. Despite being "free", Bugzilla has many features
its expensive counterparts lack. Consequently, Bugzilla has quickly
become a favorite of hundreds of organizations across the globe, and
is widely regarded as one of the top defect-tracking systems available.
See http://www.bugzilla.org/about/ for more details.
-Max Kanat-Alexander
Release Manager, Bugzilla Project
From mkanat at bugzilla.org Sun Oct 15 10:01:25 2006
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Sun, 15 Oct 2006 03:01:25 -0700
Subject: Security Advisory for Bugzilla 2.18.5, 2.20.2, 2.22, and 2.23.2
Message-ID: <1160906485.2465.11.camel@es-lappy>
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers six security issues that have recently been
fixed in the Bugzilla code:
+ Sometimes the information put into the and tags in Bugzilla
was not properly escaped, leading to a possible XSS vulnerability.
+ Bugzilla administrators were allowed to put raw, unfiltered HTML into
many fields in Bugzilla, leading to a possible XSS vulnerability.
Now, the HTML allowed in those fields is limited.
+ attachment.cgi could leak the names of private attachments
+ The "deadline" field was visible in the XML format of a bug, even to
users who were not a member of the "timetrackinggroup."
+ A malicious user could pass a URL to an admin, and make the admin
delete or change something that he had not intended to delete or
change.
+ It is possible to inject arbitrary HTML into the showdependencygraph.cgi
page, allowing for a cross-site scripting attack.
We strongly advise that 2.18.x users upgrade to 2.18.6. 2.20.x users
should upgrade to 2.20.3. 2.22 users, and users of 2.16.x or below,
should upgrade to 2.22.1.
Development snapshots of 2.23 before 2.23.3 are also vulnerable to all
of these issues. If you are using a development snapshot, you should
upgrade to 2.23.3, use CVS to update, or apply the patches from the
specific bugs listed below.
Vulnerability Details
=====================
Issue 1
-------
Class: Cross-Site Scripting
Versions: 2.15 and above
Description: Bugzilla sometimes displays admin-provided data in page
headers (meaning the and HTML tags of a page).
Sometimes, this data was not properly escaped, leading to
the possibility of a Cross-Site Scripting vulnerability.
For the most part, this was only exploitable by
administrators, and so is not of critical severity.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=330555
Issue 2
-------
Class: Cross-Site Scripting
Versions: 2.0 and above
Description: Bugzilla allows administrators to put HTML in the
descriptions of products, components, and other items. It
also allows HTML in certain other fields. Before the
most recent releases of Bugzilla, this HTML was completely
unfiltered. These fields are only editable by
certain users, who are specified by the admin. This makes
this vulnerability less severe. However, these users could
use this exploit to perform Cross-Site Scripting attacks
on nearly all users of a particular Bugzilla (including
users with higher permission levels than themselves).
Bugzilla now allows only certain HTML tags in those fields,
protecting users from a Cross-Site Scripting attack.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=206037
Issue 3
-------
Class: Information Leak
Versions: 2.17 and above
Description: When viewing an attachment in "Diff" mode, a user who is
not in the "insidergroup" (the group required to view
private attachments) can read the one-line descriptions
of all attachments, even "private" attachments.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=346086
Issue 4
-------
Class: Information Leak
Versions: 2.19.2 and above
Description: Bugzilla has a "deadline" field, which is usually only
visible to people in the "timetrackinggroup" group.
However, it was exposed in the XML format of a bug to all
users.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=346564
Issue 5
-------
Class: Security Enhancement
Versions: 2.0 and above
Description: Bugzilla updates, deletes, and creates data through a
web interface. Administrators update things like user
accounts through this interface. All of these pages accept
URL variables in both GET and POST formats.
A malicious user could craft a URL that would edit a user
(or any other admin-protected item), and then using a
service like TinyURL, could obscure the URL so that an
administrator couldn't tell what it was. Then, getting the
administrator to click on that URL, the action would be
performed, against the administrator's will.
This is now prevented. Bugzilla will only accept changes
on administrative pages if they come from Bugzilla's own
forms. That is, you have to use the form to make changes--
you now cannot just click a URL and accidentally make an
administrative change to Bugzilla.
Although technically this affects all versions of Bugzilla,
it has only been fixed on our most recent release (2.22.1
and our latest development snapshot, 2.23.3), because the
fix was too invasive to backport further. Administrators
of previous versions of Bugzilla should only click on URLs
from users that they fully trust.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=281181
Issue 6
-------
Class: Cross-Site Scripting
Versions: 2.15 and above
Description: showdependencygraph.cgi is a script that allows you to display
a graph of how bugs are related. There is a cross-site
scripting vulnerability in this script that allows for arbitrary
HTML injection. The user would have to follow a malicious URL
in order to trigger the attack--it is not possible for another
user to otherwise inject HTML into the page for the current
user.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=355728
Vulnerability Solutions
=======================
The fixes for all of the security bugs mentioned in this advisory
are included in the 2.18.6, 2.20.3, 2.22.1, and 2.23.3 releases.
Upgrading to these releases will protect installations from possible
exploits of these issues.
Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html
Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.
Credits
=======
The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:
Fr?d?ric Buclin*
Dave Miller
Gervase Markham
Gavin Shelley
Max Kanat-Alexander
Myk Melez
Josh "timeless" Soref
Olav Vitters
Adam Merrifield
* The Bugzilla Project would like to express special thanks to
Fr?d?ric. He worked many, many volunteer hours to fix many of the
issues above, and is largely responsible for most of these issues
being fixed. They would not have been fixed without him.
General information about the Bugzilla bug-tracking system can be found
at:
http://www.bugzilla.org/
Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
-Max Kanat-Alexander
Release Manager, Bugzilla Project
From mkanat at bugzilla.org Sun Oct 15 10:09:10 2006
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Sun, 15 Oct 2006 03:09:10 -0700
Subject: Release of Bugzilla 2.18.6, 2.20.3, 2.22.1, and 2.23.3
Message-ID: <1160906950.2465.16.camel@es-lappy>
We have many releases for you, today!
Bugzilla 2.18.6 and 2.20.3 are security-fix releases for our older
branches.
Bugzilla 2.22.1 is our first bugfix release in the 2.22 series,
and contains many useful fixes that improve the experience of using
Bugzilla.
Finally, we are releasing an unstable development snapshot, Bugzilla
2.23.3. This snapshot has both custom fields and mod_perl support,
but has not been tested as thoroughly as our other releases. The 2.23
series will eventually culminate in Bugzilla 3.0.
Users of the 2.18.x series should note that 2.18.x will reach
End Of Life when Bugzilla 3.0 is released. There are more details
in our Status Update.
We hope you enjoy all our new releases!
Download
--------
Bugzilla is available at:
http://www.bugzilla.org/download/
Release Notes & Changes
-----------------------
Before installing or upgrading, it is VERY IMPORTANT to read
the Release Notes:
2.18.6: http://www.bugzilla.org/releases/2.18.6/release-notes.html
2.20.3: http://www.bugzilla.org/releases/2.20.3/release-notes.html
2.22.1: http://www.bugzilla.org/releases/2.22.1/release-notes.html
To see a list of all changes between your version of Bugzilla and
the current version of Bugzilla, you can use the chart at:
http://www.bugzilla.org/status/changes.html
Security Advisory
-----------------
All of our releases contain important security fixes. Read about
them here:
http://www.bugzilla.org/security/2.18.5/
Status Update
-------------
To see what's new with the Bugzilla Project, including all the features
of our latest Development Release, see our latest Status Update:
http://www.bugzilla.org/status/2006-10-15.html
Try Out Bugzilla
----------------
If you'd like to test-drive Bugzilla, you can use the demo
installations of Bugzilla at:
http://landfill.bugzilla.org/
Support
-------
You can ask questions for free on the mailing lists (or in IRC)
about Bugzilla, or you can hire a paid consultant to help you out:
Free Support: http://www.bugzilla.org/support/
Paid Support: http://www.bugzilla.org/support/consulting.html
About Bugzilla
--------------
Bugzilla is a "Defect Tracking System" or "Bug-Tracking System."
Defect Tracking Systems allow individual or groups of developers
to keep track of outstanding bugs in their product effectively.
Most commercial defect-tracking software vendors charge enormous
licensing fees. Despite being "free", Bugzilla has many features
its expensive counterparts lack. Consequently, Bugzilla has quickly
become a favorite of hundreds of organizations across the globe, and
is widely regarded as one of the top defect-tracking systems available.
See http://www.bugzilla.org/about/ for more details.
-Max Kanat-Alexander
Release Manager, Bugzilla Project
From mkanat at bugzilla.org Sun Oct 15 10:01:25 2006
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Sun, 15 Oct 2006 03:01:25 -0700
Subject: Security Advisory for Bugzilla 2.18.5, 2.20.2, 2.22, and 2.23.2
Message-ID: <1160906485.2465.11.camel@es-lappy>
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers six security issues that have recently been
fixed in the Bugzilla code:
+ Sometimes the information put into the and tags in Bugzilla
was not properly escaped, leading to a possible XSS vulnerability.
+ Bugzilla administrators were allowed to put raw, unfiltered HTML into
many fields in Bugzilla, leading to a possible XSS vulnerability.
Now, the HTML allowed in those fields is limited.
+ attachment.cgi could leak the names of private attachments
+ The "deadline" field was visible in the XML format of a bug, even to
users who were not a member of the "timetrackinggroup."
+ A malicious user could pass a URL to an admin, and make the admin
delete or change something that he had not intended to delete or
change.
+ It is possible to inject arbitrary HTML into the showdependencygraph.cgi
page, allowing for a cross-site scripting attack.
We strongly advise that 2.18.x users upgrade to 2.18.6. 2.20.x users
should upgrade to 2.20.3. 2.22 users, and users of 2.16.x or below,
should upgrade to 2.22.1.
Development snapshots of 2.23 before 2.23.3 are also vulnerable to all
of these issues. If you are using a development snapshot, you should
upgrade to 2.23.3, use CVS to update, or apply the patches from the
specific bugs listed below.
Vulnerability Details
=====================
Issue 1
-------
Class: Cross-Site Scripting
Versions: 2.15 and above
Description: Bugzilla sometimes displays admin-provided data in page
headers (meaning the and HTML tags of a page).
Sometimes, this data was not properly escaped, leading to
the possibility of a Cross-Site Scripting vulnerability.
For the most part, this was only exploitable by
administrators, and so is not of critical severity.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=330555
Issue 2
-------
Class: Cross-Site Scripting
Versions: 2.0 and above
Description: Bugzilla allows administrators to put HTML in the
descriptions of products, components, and other items. It
also allows HTML in certain other fields. Before the
most recent releases of Bugzilla, this HTML was completely
unfiltered. These fields are only editable by
certain users, who are specified by the admin. This makes
this vulnerability less severe. However, these users could
use this exploit to perform Cross-Site Scripting attacks
on nearly all users of a particular Bugzilla (including
users with higher permission levels than themselves).
Bugzilla now allows only certain HTML tags in those fields,
protecting users from a Cross-Site Scripting attack.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=206037
Issue 3
-------
Class: Information Leak
Versions: 2.17 and above
Description: When viewing an attachment in "Diff" mode, a user who is
not in the "insidergroup" (the group required to view
private attachments) can read the one-line descriptions
of all attachments, even "private" attachments.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=346086
Issue 4
-------
Class: Information Leak
Versions: 2.19.2 and above
Description: Bugzilla has a "deadline" field, which is usually only
visible to people in the "timetrackinggroup" group.
However, it was exposed in the XML format of a bug to all
users.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=346564
Issue 5
-------
Class: Security Enhancement
Versions: 2.0 and above
Description: Bugzilla updates, deletes, and creates data through a
web interface. Administrators update things like user
accounts through this interface. All of these pages accept
URL variables in both GET and POST formats.
A malicious user could craft a URL that would edit a user
(or any other admin-protected item), and then using a
service like TinyURL, could obscure the URL so that an
administrator couldn't tell what it was. Then, getting the
administrator to click on that URL, the action would be
performed, against the administrator's will.
This is now prevented. Bugzilla will only accept changes
on administrative pages if they come from Bugzilla's own
forms. That is, you have to use the form to make changes--
you now cannot just click a URL and accidentally make an
administrative change to Bugzilla.
Although technically this affects all versions of Bugzilla,
it has only been fixed on our most recent release (2.22.1
and our latest development snapshot, 2.23.3), because the
fix was too invasive to backport further. Administrators
of previous versions of Bugzilla should only click on URLs
from users that they fully trust.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=281181
Issue 6
-------
Class: Cross-Site Scripting
Versions: 2.15 and above
Description: showdependencygraph.cgi is a script that allows you to display
a graph of how bugs are related. There is a cross-site
scripting vulnerability in this script that allows for arbitrary
HTML injection. The user would have to follow a malicious URL
in order to trigger the attack--it is not possible for another
user to otherwise inject HTML into the page for the current
user.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=355728
Vulnerability Solutions
=======================
The fixes for all of the security bugs mentioned in this advisory
are included in the 2.18.6, 2.20.3, 2.22.1, and 2.23.3 releases.
Upgrading to these releases will protect installations from possible
exploits of these issues.
Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html
Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.
Credits
=======
The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:
Fr?d?ric Buclin*
Dave Miller
Gervase Markham
Gavin Shelley
Max Kanat-Alexander
Myk Melez
Josh "timeless" Soref
Olav Vitters
Adam Merrifield
* The Bugzilla Project would like to express special thanks to
Fr?d?ric. He worked many, many volunteer hours to fix many of the
issues above, and is largely responsible for most of these issues
being fixed. They would not have been fixed without him.
General information about the Bugzilla bug-tracking system can be found
at:
http://www.bugzilla.org/
Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
-Max Kanat-Alexander
Release Manager, Bugzilla Project