From mkanat at bugzilla.org Thu Sep 10 00:06:08 2009 From: mkanat at bugzilla.org (Max Kanat-Alexander) Date: Wed, 09 Sep 2009 17:06:08 -0700 Subject: [ANN] Warning: Major Security Release Coming Soon Message-ID: <4AA842F0.8080608@bugzilla.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A major security issue has been discovered in versions of Bugzilla back to 3.0. We will be releasing a version of Bugzilla which fixes the issue within 48 hours (possibly within 24 hours), and all administrators should be ready to perform the upgrade (which does not require any database changes) shortly after the new version is released. If you do not wish to do a full upgrade, patches for just the security issue will be available. The patches are relatively small and do not modify very much of Bugzilla. -Max Kanat-Alexander Release Manager, Bugzilla Project -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqoQvAACgkQaL2D/aEJPK5nrwCgv8X/S0OvOdODNWuT6UzVhXck 7w8AoOgPfbeYiPwmDPGak2uX2RF4vu3z =/zqj -----END PGP SIGNATURE----- From mkanat at bugzilla.org Fri Sep 11 17:51:32 2009 From: mkanat at bugzilla.org (Max Kanat-Alexander) Date: Fri, 11 Sep 2009 10:51:32 -0700 Subject: [ANN] Security Advisory for Bugzilla 3.4.1, 3.2.4, and 3.0.8 Message-ID: <4AAA8E24.3010400@bugzilla.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. * Two SQL injection attacks have been discovered in Bugzilla. One only affects the 3.4 series, while the other affects the 3.0, 3.2, and 3.4 series. These are extremely serious vulnerabilities that must be patched immediately. * When a user would change his password, his new password would be exposed in the URL field of the browser if he logged in right after changing his password. All affected installations are encouraged to upgrade immediately. Vulnerability Details ===================== Class: SQL Injection Versions: 3.3.2 to 3.4.1, 3.5 Fixed In: 3.4.2 Description: It is possible to inject raw SQL into the Bugzilla database via the Bug.search WebService function. This could be used to expose any data stored in the Bugzilla database, including confidential bugs. It is also possible that an attacker could modify or delete any data stored in the Bugzilla database (though we haven't discovered a working exploit that modifies or deletes data). The danger of this exploit is slightly lessened by the fact that Bugzilla's backend does not accept multiple statements separated by a semicolon, so you cannot add additional SQL statements (such as a DELETE or INSERT) using the exploit. However, this is still an extremely critical issue which administrators should patch immediately. References: https://bugzilla.mozilla.org/show_bug.cgi?id=515191 CVE Number: CVE-2009-3125 Class: SQL Injection Versions: 2.23.4 to 3.0.8, 3.1.1 to 3.2.4, 3.3.1 to 3.4.1 Fixed In: 3.0.9, 3.2.5, 3.4.2 Description: It is possible to inject raw SQL into the Bugzilla database via the Bug.create WebService function. This could be used to expose any data stored in the Bugzilla database, including confidential bugs. It is also possible that an attacker could modify or delete any data stored in the Bugzilla database (though we haven't discovered a working exploit that modifies or deletes existing data). The danger of this exploit is slightly lessened by the fact that Bugzilla's backend does not accept multiple statements separated by a semicolon, so you cannot add additional SQL statements (such as a DELETE or UPDATE) using the exploit. This particular hole is much more difficult to exploit than the Bug.search one, due to the fact that the SQL around the insertion point is highly random, making it difficult for an attacker to craft a successful attack. However, even considering these factors, this is still an extremely critical issue which administrators should patch immediately. References: https://bugzilla.mozilla.org/show_bug.cgi?id=515191 CVE Number: CVE-2009-3165 Class: Sensitive Data Exposure Versions: 3.4rc1 to 3.4.1 Fixed In: 3.4.2 Description: When a user reset their password and then logged in immediately afterward, their password would appear in the URL of their browser, which also possibly means that that password would appear in the Bugzilla webserver's logs and in the Referer header of any page whose link was clicked immediately after logging in (although by default Bugzilla only links to itself, on that page). References: https://bugzilla.mozilla.org/show_bug.cgi?id=508189 CVE Number: CVE-2009-3166 Vulnerability Solutions ======================= The fixes for these issues are included in the 3.4.2, 3.2.5, and 3.0.9 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues. If you are unable to upgrade but would like to patch just the individual security vulnerabilities, there are patches available for the individual issues in the Reference URLs of each advisory. Note that if you are running the (unreleased) 3.5 series, it is also affected by all these vulnerabilities and you should update from CVS to get the fixes. Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at: http://www.bugzilla.org/download/ Credits ======= The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix these issues: Max Kanat-Alexander Bradley Baetz Fr?d?ric Buclin General information about the Bugzilla bug-tracking system can be found at: http://www.bugzilla.org/ Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqqjiQACgkQaL2D/aEJPK4D8QCgxuabVKEUH/3p0L5vA8EKJrFt f7kAoJFN7ctlpMUSAX0D34GPcQBr11FA =zYbL -----END PGP SIGNATURE----- From mkanat at bugzilla.org Fri Sep 11 17:51:26 2009 From: mkanat at bugzilla.org (Max Kanat-Alexander) Date: Fri, 11 Sep 2009 10:51:26 -0700 Subject: [ANN] Release of Bugzilla 3.4.2, 3.2.5, and 3.0.9 Message-ID: <4AAA8E1E.5020903@bugzilla.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Today the Bugzilla Project is releasing Bugzilla 3.4.2, 3.2.5, and 3.0.9. All of these releases contain a VERY IMPORTANT SECURITY FIX. See the Security Advisory for details. If you are running 2.23 or later, you should upgrade immediately. If you are unable to update to the latest version, then please apply the patches for the issues as described in the Security Advisory. Bugzilla 3.4.2 is our latest stable release, and in addition to the security fixes, it contains various useful bug fixes and minor improvements. Bugzilla 3.2.5 is primarily a security-fix release for users who are still using the 3.2.x series. However, 3.2.5 does contain a few minor bug fixes over 3.2.4. Bugzilla 3.0.9 is purely a security-fix release for users who are still using the 3.0.x series. Download - -------- Bugzilla is available at: http://www.bugzilla.org/download/ Security Advisory - ----------------- The security advisory contains details of the security issues fixed in these releases: http://www.bugzilla.org/security/3.0.8/ Release Notes & Changes - ----------------------- Before installing or upgrading, you should read the Release Notes for the version of Bugzilla you are installing or upgrading to: 3.4.2: http://www.bugzilla.org/releases/3.4.2/release-notes.html 3.2.5: http://www.bugzilla.org/releases/3.2.5/release-notes.html 3.0.9: http://www.bugzilla.org/releases/3.0.9/release-notes.html It is particularly important to read the Release Notes if you are upgrading from one major version to another (like 3.2.x to 3.4). To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at: http://www.bugzilla.org/status/changes.html Report Bugs - ----------- If you find a bug in Bugzilla, please report it! Instructions are at this URL: http://www.bugzilla.org/developers/reporting_bugs.html Support - ------- You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out: Free Support: http://www.bugzilla.org/support/ Paid Support: http://www.bugzilla.org/support/consulting.html About Bugzilla - -------------- Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of thousands of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available. See http://www.bugzilla.org/about/ for more details. -Max Kanat-Alexander Release Manager, Bugzilla Project -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqqjh4ACgkQaL2D/aEJPK4meQCfROauO++GLNlvtSfzJgdO1lLd e04AoPPBVdo1aSOHHvkSXhCul+Q1KWqy =sqs+ -----END PGP SIGNATURE-----