From mkanat at bugzilla.org Tue Feb 3 01:19:10 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Mon, 2 Feb 2009 17:19:10 -0800
Subject: [ANN] Security Advisory for Bugzilla 3.2, 3.0.6, 2.22.6, and 3.3.1
Message-ID: <20090202171910.5637b094@bugzilla.org>

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers three security issues that have recently been fixed in the Bugzilla code:

* It was possible for users to upload a malicious attachment that would run in the context of Bugzilla's domain (thus circumventing cross-site request protections in browsers).

* Bug updating was vulnerable to a cross-site request forgery. Note that this issue was only fixed for 3.2.1 and 3.3.2 even though all versions of Bugzilla are affected (see below for an explanation).

* Keywords, unused flag types, and saved searches could be deleted via cross-site request forgery. Also, a user's preferences could be changed via cross-site request forgery.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class:       Abuse of Functionality (Attachments)
Versions:    Every version before 2.22.7, 3.0.7, 3.2.1, or 3.3.2
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: Bugzilla users can upload HTML or JavaScript attachments that are then viewed by other users in their web browsers. A malicious user could trick another Bugzilla user into viewing a malicious attachment that could then operate as that user. Since Bugzilla would view attachments using the same domain name as the rest of the application, such malicious attachments could access the cookies of the user and perform other activities usually restricted by the cross-site request protections of web browsers.

Bugzilla now provides a two-fold solution to this problem: Bugzilla 2.22.7, 3.0.7, 3.2.1, and 3.3.2 now prevent users from viewing attachments in their browsers, by default.
There is a new parameter named "allow_attachment_display" that administrators can enable to override this protection. Once this parameter is turned on, Bugzilla 3.0.7, 3.2.1, and 3.3.2 allow administrators to specify that attachments should be viewed using a different domain. This increases safety for the end user by enabling the browser's cross-domain request protections.

References: https://bugzilla.mozilla.org/show_bug.cgi?id=38862
            https://bugzilla.mozilla.org/show_bug.cgi?id=472206

Class:       Cross-Site Request Forgery
Versions:    Every version before 3.2.1 or 3.3.2
Fixed In:    3.2.1, 3.3.2
Description: Bug updating was vulnerable to a cross-site request forgery, because it did not validate that calls to process_bug.cgi actually came from Bugzilla. Bugzilla now generates a token that is validated when process_bug.cgi is called. This may break automated scripts that call process_bug.cgi directly, unless they first load show_bug.cgi to get a valid token.

Unfortunately, a fix for this issue was only possible for 3.2.1 and 3.3.2. Fixing it on earlier branches would have broken Bugzilla's mid-air collision functionality.

It should be noted that this issue actually was not a secret--it has been public knowledge for quite some time. It is only included in this security advisory to note that a fix is now available.

Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=26257

Class:       Cross-Site Request Forgery
Versions:    All Versions (for keywords and user preferences), 2.17 and higher (for flags), 3.0 and higher (for saved searches)
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: When deleting saved searches, keywords, or unused (never set on any bug or attachment) flags, or when a user updated their preferences, Bugzilla did not properly validate that the request came from Bugzilla. So, it was possible to trick a user into clicking on a link that would perform these actions without their consent.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=466692
            https://bugzilla.mozilla.org/show_bug.cgi?id=466748
            https://bugzilla.mozilla.org/show_bug.cgi?id=472362

Vulnerability Solutions
=======================

The fixes for the security bugs mentioned in this advisory are included in the 3.3.2, 3.2.1, 3.0.7, and 2.22.7 releases (though certain issues are only fixed for certain versions, as noted above). Upgrading to a release with the relevant fix will protect your installation from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at:

http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix these issues:

Frédéric Buclin
Stephen Lee
Jesse Ruderman
Terry Weissman
Max Kanat-Alexander
Teemu Mannermaa
Mozilla Corporation

General information about the Bugzilla bug-tracking system can be found at:

http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.

-- 
Max Kanat-Alexander
Release Manager, Bugzilla Project

From mkanat at bugzilla.org Tue Feb 3 01:19:36 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Mon, 2 Feb 2009 17:19:36 -0800
Subject: [ANN] Security Advisory for Bugzilla 3.2, 3.0.6, 2.22.6, and 3.3.1
Message-ID: <20090202171936.6a896050@everythingsolved.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of software projects.
This advisory covers three security issues that have recently been fixed in the Bugzilla code:

* It was possible for users to upload a malicious attachment that would run in the context of Bugzilla's domain (thus circumventing cross-site request protections in browsers).

* Bug updating was vulnerable to a cross-site request forgery. Note that this issue was only fixed for 3.2.1 and 3.3.2 even though all versions of Bugzilla are affected (see below for an explanation).

* Keywords, unused flag types, and saved searches could be deleted via cross-site request forgery. Also, a user's preferences could be changed via cross-site request forgery.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class:       Abuse of Functionality (Attachments)
Versions:    Every version before 2.22.7, 3.0.7, 3.2.1, or 3.3.2
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: Bugzilla users can upload HTML or JavaScript attachments that are then viewed by other users in their web browsers. A malicious user could trick another Bugzilla user into viewing a malicious attachment that could then operate as that user. Since Bugzilla would view attachments using the same domain name as the rest of the application, such malicious attachments could access the cookies of the user and perform other activities usually restricted by the cross-site request protections of web browsers.

Bugzilla now provides a two-fold solution to this problem: Bugzilla 2.22.7, 3.0.7, 3.2.1, and 3.3.2 now prevent users from viewing attachments in their browsers, by default. There is a new parameter named "allow_attachment_display" that administrators can enable to override this protection. Once this parameter is turned on, Bugzilla 3.0.7, 3.2.1, and 3.3.2 allow administrators to specify that attachments should be viewed using a different domain. This increases safety for the end user by enabling the browser's cross-domain request protections.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=38862
            https://bugzilla.mozilla.org/show_bug.cgi?id=472206

Class:       Cross-Site Request Forgery
Versions:    Every version before 3.2.1 or 3.3.2
Fixed In:    3.2.1, 3.3.2
Description: Bug updating was vulnerable to a cross-site request forgery, because it did not validate that calls to process_bug.cgi actually came from Bugzilla. Bugzilla now generates a token that is validated when process_bug.cgi is called. This may break automated scripts that call process_bug.cgi directly, unless they first load show_bug.cgi to get a valid token.

Unfortunately, a fix for this issue was only possible for 3.2.1 and 3.3.2. Fixing it on earlier branches would have broken Bugzilla's mid-air collision functionality.

It should be noted that this issue actually was not a secret--it has been public knowledge for quite some time. It is only included in this security advisory to note that a fix is now available.

Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=26257

Class:       Cross-Site Request Forgery
Versions:    All Versions (for keywords and user preferences), 2.17 and higher (for flags), 3.0 and higher (for saved searches)
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: When deleting saved searches, keywords, or unused (never set on any bug or attachment) flags, or when a user updated their preferences, Bugzilla did not properly validate that the request came from Bugzilla. So, it was possible to trick a user into clicking on a link that would perform these actions without their consent.

References: https://bugzilla.mozilla.org/show_bug.cgi?id=466692
            https://bugzilla.mozilla.org/show_bug.cgi?id=466748
            https://bugzilla.mozilla.org/show_bug.cgi?id=472362

Vulnerability Solutions
=======================

The fixes for the security bugs mentioned in this advisory are included in the 3.3.2, 3.2.1, 3.0.7, and 2.22.7 releases (though certain issues are only fixed for certain versions, as noted above).
Upgrading to a release with the relevant fix will protect your installation from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at:

http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix these issues:

Frédéric Buclin
Stephen Lee
Jesse Ruderman
Terry Weissman
Max Kanat-Alexander
Teemu Mannermaa
Mozilla Corporation

General information about the Bugzilla bug-tracking system can be found at:

http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.

- -- 
Max Kanat-Alexander
Release Manager, Bugzilla Project
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmHm60ACgkQaL2D/aEJPK4IMQCg4rh/B+QFqCzZIJ2D1jw5z/6m
N00AoIyBzpzB+sHoZzmhl486gf4/lmVk
=Vef9
-----END PGP SIGNATURE-----

From mkanat at bugzilla.org Tue Feb 3 01:37:17 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Mon, 2 Feb 2009 17:37:17 -0800
Subject: [ANN] Release of Bugzilla 3.2.1, 3.0.7, 2.22.7, and 3.3.2
Message-ID: <20090202173717.2a4e95ea@bugzilla.org>

Today we have some major security improvements for Bugzilla in the form of four releases. We strongly recommend that all Bugzilla administrators read the Security Advisory for these releases, which is linked below in this email.

Bugzilla 3.2.1 is our latest stable release. It contains various useful bug fixes in addition to major security improvements.

Bugzilla 3.0.7 and Bugzilla 2.22.7 are security updates for their branches.

Bugzilla 3.3.2 is an unstable development release. In addition to the security fixes that all the other releases contain, this release contains numerous new features and improvements.
For details on what's new, see our latest Status Update, linked below in this email. Note that 3.3.2 is very unstable and should not be used in a production environment.

Download
--------

Bugzilla is available at:

http://www.bugzilla.org/download/

Security Advisory
-----------------

We recommend that all Bugzilla administrators (and particularly those upgrading to these releases) read the Security Advisory that we are sending out along with these releases:

http://www.bugzilla.org/security/2.22.6/

Release Notes & Changes
-----------------------

Before installing or upgrading, you should read the Release Notes for the version of Bugzilla you are installing:

3.2.1:  http://www.bugzilla.org/releases/3.2.1/release-notes.html
3.0.7:  http://www.bugzilla.org/releases/3.0.7/release-notes.html
2.22.7: http://www.bugzilla.org/releases/2.22.7/release-notes.html

It is particularly important to read the Release Notes if you are upgrading from one major version to another (like 3.0.x to 3.2.x).

To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

http://www.bugzilla.org/status/changes.html

Status Update
-------------

Our latest Status Update has all kinds of useful information about our latest development release:

http://www.bugzilla.org/status/2009-02-02.html

Report Bugs
-----------

If you find a bug in Bugzilla, please report it! Instructions are at this URL:

http://www.bugzilla.org/developers/reporting_bugs.html

Try Out Bugzilla
----------------

If you'd like to test-drive Bugzilla, you can use the demo installations of Bugzilla at:

http://landfill.bugzilla.org/

Support
-------

You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out:

Free Support: http://www.bugzilla.org/support/
Paid Support: http://www.bugzilla.org/support/consulting.html

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System."
Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of hundreds of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-Max Kanat-Alexander
Release Manager, Bugzilla Project

From mkanat at bugzilla.org Tue Feb 3 10:34:46 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Tue, 3 Feb 2009 02:34:46 -0800
Subject: [ANN] Security Advisory for Bugzilla 3.2.1, 3.3.2, and 3.0.7
Message-ID: <20090203023446.64294558@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of software projects.

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, generated insufficiently random numbers, resulting in all random tokens being the same, all CSRF protection being defeated, and the new attachment_base functionality being compromised. Only these releases were affected--earlier releases are not affected.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class:       Insufficiently Random Numbers
Versions:    3.2.1, 3.0.7, and 3.3.2
Fixed In:    3.2.2, 3.0.8, 3.3.3
Description: Bugzilla was calling srand() at compile time. Under mod_perl, this led to all Apache children having the same random seed, meaning that they all generated identical "random" strings instead of actually random strings.
This means that all tokens were highly predictable, all CSRF protection was easily circumvented, and any installation using the new attachment_base functionality could possibly have any private attachment viewed without the user even logging in.

Versions before 3.2.1, 3.0.7, and 3.3.2 were not affected. Installations that are not using mod_perl for Bugzilla are not affected.

References: https://bugzilla.mozilla.org/show_bug.cgi?id=476594

Vulnerability Solutions
=======================

The fix for this issue is included in the 3.3.3, 3.2.2, and 3.0.8 releases. Upgrading to a release with the relevant fix will protect your installation from possible exploits of this issue.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at:

http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix these issues:

Philippe M. Chiasson
Dave Miller
Max Kanat-Alexander

General information about the Bugzilla bug-tracking system can be found at:

http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.
- -- 
Max Kanat-Alexander
Release Manager, Bugzilla Project
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmIHcoACgkQaL2D/aEJPK4heQCgr6JIKQlgRWtUL+ISeOgWzCZ9
IIEAnA2nPUknQi0QIQuhzx59gL5LGcHd
=zVkI
-----END PGP SIGNATURE-----

From mkanat at bugzilla.org Tue Feb 3 10:36:05 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Tue, 3 Feb 2009 02:36:05 -0800
Subject: [ANN] Release of Bugzilla 3.2.2, 3.0.8, and 3.3.3
Message-ID: <20090203023605.45ce7e8f@bugzilla.org>

Bugzilla 3.2.1, 3.0.7, and 3.3.2 contained a bug that was critical for any installation running under mod_perl, due to an unintentional interaction between the various security fixes in those releases. We are releasing three new releases today to fix the critical issue: 3.2.2, 3.0.8, and 3.3.3. They are identical to the previous release except that they have this one fix for installations running under mod_perl.

Download
--------

Bugzilla is available at:

http://www.bugzilla.org/download/

Security Advisory
-----------------

Details of the fix are in the Security Advisory:

http://www.bugzilla.org/security/3.0.7/

Release Notes & Changes
-----------------------

Before installing or upgrading, you should read the Release Notes for the version of Bugzilla you are installing:

3.2.2: http://www.bugzilla.org/releases/3.2.2/release-notes.html
3.0.8: http://www.bugzilla.org/releases/3.0.8/release-notes.html

It is particularly important to read the Release Notes if you are upgrading from one major version to another (like 3.0.x to 3.2.x).

To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

http://www.bugzilla.org/status/changes.html

Report Bugs
-----------

If you find a bug in Bugzilla, please report it!
Instructions are at this URL:

http://www.bugzilla.org/developers/reporting_bugs.html

Try Out Bugzilla
----------------

If you'd like to test-drive Bugzilla, you can use the demo installations of Bugzilla at:

http://landfill.bugzilla.org/

Support
-------

You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out:

Free Support: http://www.bugzilla.org/support/
Paid Support: http://www.bugzilla.org/support/consulting.html

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of hundreds of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-Max Kanat-Alexander
Release Manager, Bugzilla Project
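The two advisories in this digest fit together: the first introduces a token that process_bug.cgi validates, and the second explains that calling srand() at compile time under mod_perl gave every Apache child the same seed, so every child minted the same "random" token and the protection collapsed. The following Python is an added example, not Bugzilla's code. Part 1 models the seed-inheritance defect with a generator seeded at import time whose state is copied into simulated forked workers (the fixed seed, fork_workers and weak_token are all constructed stand-ins); part 2 shows a token drawn from the OS CSPRNG, bound to a user and an action with an HMAC under a per-installation secret, and checked in constant time before being consumed (SERVER_SECRET, issue_token and validate_token are likewise names invented for this example, and the in-memory dictionary stands in for a tokens table).

```python
"""Added example (not Bugzilla's code): a CSRF token is only as strong as
the random source behind it.

Part 1 models the 3.2.1/3.0.7/3.3.2 defect: a PRNG seeded once at module
load (the analogue of srand() at compile time) is copied into every forked
worker, so all workers emit the same "random" token.  Part 2 issues and
validates a per-user, per-action token drawn from the OS CSPRNG.
All names below are constructed for this example."""
import hashlib
import hmac
import random
import secrets

# ---- Part 1: modelling the preforking seed defect -----------------------
# Seeded once when this module is imported, as srand() at compile time was.
# The fixed seed is a constructed stand-in for whatever srand() picked.
SEEDED_AT_LOAD = random.Random(0x5EED)


def fork_workers(parent_rng, count):
    """Model fork(): each worker starts from a byte-for-byte copy of the
    parent's generator state, exactly as a forked process inherits memory."""
    workers = []
    for _ in range(count):
        child = random.Random()
        child.setstate(parent_rng.getstate())
        workers.append(child)
    return workers


def weak_token(worker_rng):
    """Token drawn from the inherited PRNG: every worker yields the same one."""
    return "%016x" % worker_rng.getrandbits(64)


def strong_token(_worker_rng=None):
    """Token from the OS CSPRNG; there is no seeded state to inherit."""
    return secrets.token_hex(16)


def tokens_collide(token_fn, workers):
    """True when the first token from every worker is identical."""
    return len({token_fn(w) for w in workers}) == 1


# ---- Part 2: issuing and checking a per-request token -------------------
SERVER_SECRET = secrets.token_bytes(32)   # per-installation secret (constructed)
_issued = {}                              # (user_id, action) -> token; stands in for a tokens table


def _mac(user_id, action, nonce):
    """Bind the nonce to one user and one action under the server secret."""
    msg = f"{user_id}:{action}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, action, token_fn=strong_token):
    """Issue a token for one user and one action (e.g. "process_bug").
    The page that renders the form (show_bug.cgi in the advisory) would
    call this and embed the result as a hidden field."""
    nonce = token_fn()
    token = f"{nonce}.{_mac(user_id, action, nonce)}"
    _issued[(user_id, action)] = token
    return token


def validate_token(user_id, action, presented):
    """Accept the request only if the token is present, was minted for this
    user and action, is unmodified, and has not been used before."""
    if not presented or "." not in presented:
        return False                      # a cross-site form cannot supply it
    nonce, mac = presented.split(".", 1)
    if not hmac.compare_digest(mac, _mac(user_id, action, nonce)):
        return False                      # tampered, or minted for someone else
    if _issued.get((user_id, action)) != presented:
        return False                      # unknown or already consumed
    del _issued[(user_id, action)]        # one-shot: consumed on use
    return True


if __name__ == "__main__":
    workers = fork_workers(SEEDED_AT_LOAD, 4)
    print("seeded-at-load tokens collide:", tokens_collide(weak_token, workers))
    print("CSPRNG tokens collide:        ", tokens_collide(strong_token, workers))
    tok = issue_token(42, "process_bug")
    print("forged request (no token):    ", validate_token(42, "process_bug", None))
    print("genuine request:              ", validate_token(42, "process_bug", tok))
    print("replayed request:             ", validate_token(42, "process_bug", tok))
```

The HMAC binding is what stops a token minted for one user or one action being replayed as another, and consuming the token on use is what keeps a leaked form value from being reused. Neither step helps if the nonce itself repeats across workers, which is the half of the problem the second advisory addresses: a preforking server must obtain its randomness after the fork, per request or per child, not once at load time.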