From mkanat at bugzilla.org Tue Mar 31 05:01:28 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Mon, 30 Mar 2009 22:01:28 -0700
Subject: [ANN] Release of Bugzilla 3.2.3 and 3.3.4
Message-ID: <20090330220128.54222617@bugzilla.org>

Today we have two new versions of Bugzilla for you.

Bugzilla 3.2.3 is our latest stable release. It contains various useful bug fixes and security improvements.

Bugzilla 3.3.4 is an unstable development release. This release has not received QA testing from the Bugzilla Project, and should not be used in production environments. If you find a bug in this development release (or you don't like how some feature works) please tell us by filing a bug.

Both of today's releases contain a security fix. Please see our latest Security Advisory for details. Note that older versions of Bugzilla are also affected by this security issue, but it was not possible to fix the issue in those releases, so you may want to read the Advisory even if you are not running a 3.2.x or 3.3.x release, to see if an upgrade to 3.2.3 is warranted for your older installation.

Download
--------

Bugzilla is available at:

http://www.bugzilla.org/download/

Security Advisory
-----------------

We recommend that all Bugzilla administrators (and particularly those upgrading to these releases) read the Security Advisory that we are sending out along with these releases:

http://www.bugzilla.org/security/3.2.2/

Release Notes & Changes
-----------------------

Before installing or upgrading, you should read the Release Notes for the version of Bugzilla you are installing:

3.2.3: http://www.bugzilla.org/releases/3.2.3/release-notes.html

It is particularly important to read the Release Notes if you are upgrading from one major version to another (like 3.0.x to 3.2.x).

To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

http://www.bugzilla.org/status/changes.html

Status Update
-------------

Our latest Status Update has all kinds of useful information about our latest development release:

http://www.bugzilla.org/status/2009-03-30.html

Report Bugs
-----------

If you find a bug in Bugzilla, please report it! Instructions are at this URL:

http://www.bugzilla.org/developers/reporting_bugs.html

Try Out Bugzilla
----------------

If you'd like to test-drive Bugzilla, you can use the demo installations of Bugzilla at:

http://landfill.bugzilla.org/

Support
-------

You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out:

Free Support: http://www.bugzilla.org/support/
Paid Support: http://www.bugzilla.org/support/consulting.html

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of hundreds of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-Max Kanat-Alexander
Release Manager, Bugzilla Project


From mkanat at bugzilla.org Tue Mar 31 05:03:53 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Mon, 30 Mar 2009 22:03:53 -0700
Subject: [ANN] Security Advisory for Bugzilla versions prior to 3.2.3 and 3.3.4
Message-ID: <20090330220353.1923f8d6@bugzilla.org>

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers one security issue that has recently been fixed in the Bugzilla code:

* Attachment editing was vulnerable to a cross-site request forgery.

Note that this issue was only fixed for 3.2.3 and 3.3.4 even though all versions of Bugzilla are affected (see below for an explanation).

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class:       Cross-Site Request Forgery
Versions:    Every version before 3.2.3 or 3.3.4
Fixed In:    3.2.3, 3.3.4
Description: Attachment editing was vulnerable to a cross-site request forgery, because it did not validate that calls to attachment.cgi actually came from Bugzilla. Bugzilla now generates a token that is validated when an attachment is edited.

Unfortunately, a fix for this issue was only possible for 3.2.3 and 3.3.4. Fixing it on earlier branches was not possible as attachment timestamps are not available to generate and validate tokens.

Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=476603

Vulnerability Solutions
=======================

The fix for the security bug mentioned in this advisory is included in the 3.3.4 and 3.2.3 releases. Upgrading to one of these releases will protect your installation from possible exploits of this issue.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at:

http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix these issues:

Reed Loden
Frédéric Buclin
Dave Miller

General information about the Bugzilla bug-tracking system can be found at:

http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.
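The advisory says the fix makes attachment.cgi generate a token that is validated on edit, and that the fix needs the attachment's timestamp. The following is an added illustration of that pattern, not Bugzilla's own code (Bugzilla is written in Perl; this is a Python sketch with hypothetical names such as `handle_edit`, a constructed `SITE_SECRET` and a toy in-memory `store`). It keys the token to the user, the attachment id and the attachment's last-modified time with an HMAC, so a request a third-party site forges in the victim's browser cannot carry a valid token, and a token captured from an earlier form stops validating once the attachment changes.

```python
import hmac
import hashlib

# Constructed secret for this example only. A real deployment derives this
# from the site's own secret material and never exposes it to the client.
SITE_SECRET = b"constructed-site-secret-for-demo-only"


def attachment_token(user_id: int, attachment_id: int, last_modified: int) -> str:
    """Edit token bound to (user, attachment, modification time).

    Including last_modified is what the advisory alludes to: after any
    successful edit the timestamp moves, so every previously issued token
    becomes stale and a replayed form is rejected.
    """
    msg = f"{user_id}:{attachment_id}:{last_modified}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def validate_attachment_edit(form: dict, session_user_id: int, attachment: dict) -> bool:
    """True only if the submitted token matches the one issued for this
    user, this attachment and its current timestamp."""
    token = form.get("token")
    if not token:
        return False
    expected = attachment_token(
        session_user_id, attachment["id"], attachment["last_modified"]
    )
    # Constant-time comparison avoids leaking the expected token by timing.
    return hmac.compare_digest(token, expected)


def handle_edit(form: dict, session_user_id: int, store: dict) -> str:
    """Hypothetical edit handler: applies the change only when the token
    validates, then advances the attachment's modification time."""
    att = store[form["id"]]
    if not validate_attachment_edit(form, session_user_id, att):
        return "rejected"
    att["description"] = form["description"]
    att["last_modified"] += 1  # stands in for the database refreshing the timestamp
    return "ok"


def demo() -> dict:
    """Walk a legitimate edit, a forged cross-site request and a replay."""
    # Constructed in-memory attachment record.
    store = {1234: {"id": 1234, "description": "patch v1", "last_modified": 1238428888}}
    alice = 7
    # The server embeds this token in the edit form it renders for Alice.
    token = attachment_token(alice, 1234, store[1234]["last_modified"])

    results = {}
    # A request forged from another origin rides Alice's session cookie but
    # has no way to obtain the token the form carried.
    results["forged"] = handle_edit(
        {"id": 1234, "description": "changed by forged request"}, alice, store
    )
    # Alice submits the real form.
    results["legit"] = handle_edit(
        {"id": 1234, "description": "patch v2", "token": token}, alice, store
    )
    # The same token resubmitted after the edit no longer matches the
    # attachment's new timestamp.
    results["replay"] = handle_edit(
        {"id": 1234, "description": "patch v3", "token": token}, alice, store
    )
    results["description"] = store[1234]["description"]
    return results


if __name__ == "__main__":
    print(demo())
```

The check happens on the server with values the browser never chooses: the user id comes from the session, the attachment id and timestamp from the database, so the only thing the client contributes is the token itself. That is also why the advisory could not backport the fix: without a stable per-attachment timestamp to fold into the HMAC, the server has nothing to tie a token to a specific edit.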