[ANN] Security Advisory for Bugzilla 3.4.3 and 3.5.1

Max Kanat-Alexander mkanat at bugzilla.org
Thu Nov 19 04:58:10 UTC 2009

Hash: SHA1


Bugzilla is a Web-based bug-tracking system used by a large number of
software projects.

* Aliases of hidden bugs would show up in the "Depends On" and "Blocks"
  list of other bugs, even if you didn't have permission to see the
  hidden bugs.

All affected installations are encouraged to upgrade as soon as

Vulnerability Details

Class:       Information Leak
Versions:    3.3.2 to 3.4.3, 3.5 to 3.5.1
Fixed In:    3.4.4, 3.5.2
Description: When a bug is in a group, none of its information
             (other than its status and resolution) should be visible
             to users outside that group. It was discovered that
             as of 3.3.2, Bugzilla was showing the alias of the bug
             (a very short string used as a shortcut for looking up
             the bug) to users outside of the group, if the protected
             bug ended up in the "Depends On" or "Blocks" list of any
             other bug.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=529416
CVE Number:  CVE-2009-3386

Vulnerability Solutions

The fix for this issue is included in the 3.4.4 and 3.5.2
releases. Upgrading to a release with the relevant fix will protect
your installation from possible exploits of this issue.

If you are unable to upgrade but would like to patch just the
individual security vulnerability, there is a patch available for
the issue in the Reference URL of the advisory.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:



The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:

Dave Miller
Frédéric Buclin
Max Kanat-Alexander
Jesse Ruderman

General information about the Bugzilla bug-tracking system can be found


Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/


More information about the announce mailing list