From mkanat at bugzilla.org  Tue Jan 25 01:06:59 2011
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Mon, 24 Jan 2011 17:06:59 -0800
Subject: [ANN] Security Advisory for Bugzilla 3.2.9, 3.4.9, 3.6.3, and 4.0rc1
Message-ID: <4D3E2233.1000907@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects.

Recently, Mozilla expanded its security bug bounty program to include web
applications (http://www.mozilla.org/security/bug-bounty.html). As a result,
several new security issues affecting Bugzilla were discovered:

* A weakness in Bugzilla could allow a user to gain unauthorized access
  to another Bugzilla account.

* A weakness in the Perl CGI.pm module allows injecting HTTP headers
  and content to users via several pages in Bugzilla.

* The new user autocomplete functionality in Bugzilla 4.0 is vulnerable
  to a cross-site scripting attack.

* The new automatic duplicate detection functionality in Bugzilla 4.0
  is vulnerable to a cross-site scripting attack.

* If you put a harmful "javascript:" or "data:" URL into Bugzilla's
  "URL" field, then there are multiple situations in which Bugzilla
  will unintentionally make that link clickable.

* Various pages lack protection against cross-site request forgeries.

All affected installations are encouraged to upgrade as soon as
possible.

Vulnerability Details
=====================

Class:       Account Compromise
Versions:    2.14 to 3.2.9, 3.4.9, 3.6.3, 4.0rc1
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: It was possible for a user to gain unauthorized access to
             any Bugzilla account in a very short amount of time (short
             enough that the attack is highly effective). This is a
             critical vulnerability that should be patched immediately
             by all Bugzilla installations.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621591
             https://bugzilla.mozilla.org/show_bug.cgi?id=619594
CVE Number:  CVE-2010-4568

Class:       HTTP Response Splitting
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: By inserting particular strings into certain URLs, it was
             possible to inject both headers and content to any
             browser.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=591165
             https://bugzilla.mozilla.org/show_bug.cgi?id=621572
             http://avatraxiom.livejournal.com/104105.html
             http://cwe.mitre.org/data/definitions/113.html
CVE Number:  CVE-2010-2761, CVE-2010-4411, CVE-2010-4572

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0rc1
Fixed In:    4.0rc2
Description: Bugzilla 3.7.x and 4.0rc1 have a new client-side
             autocomplete mechanism for all fields where a username
             is entered. This mechanism was vulnerable to a cross-site
             scripting attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619637
CVE Number:  CVE-2010-4569

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0rc1
Fixed In:    4.0rc2
Description: Bugzilla 3.7.x and 4.0rc1 have a new mechanism on the
             bug entry page for automatically detecting if the bug
             you are filing is a duplicate of another existing bug.
             This mechanism was vulnerable to a cross-site scripting
             attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619648
CVE Number:  CVE-2010-4570

Class:       Cross-Site Scripting
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: Bugzilla has a "URL" field that can contain several types
             of URL, including "javascript:" and "data:" URLs. However,
             it does not make "javascript:" and "data:" URLs into
             clickable links, to protect against cross-site scripting
             attacks or other attacks. It was possible to bypass this
             protection by adding spaces into the URL in places that
             Bugzilla did not expect them. Also, "javascript:" and
             "data:" links were *always* shown as clickable to
             logged-out users.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619588
             https://bugzilla.mozilla.org/show_bug.cgi?id=628034
CVE Number:  CVE-2010-4567, CVE-2011-0048

Class:       Cross-Site Request Forgery
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: Various pages were vulnerable to Cross-Site Request
             Forgery attacks. Most of these issues are not as serious
             as previous CSRF vulnerabilities. Some of these issues
             were only addressed on more recent branches of Bugzilla
             and not fixed in earlier branches, in order to avoid
             changing behavior that external applications may depend
             on. The links below in "References" describe which issues
             were fixed on which branches.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
             https://bugzilla.mozilla.org/show_bug.cgi?id=621105
             https://bugzilla.mozilla.org/show_bug.cgi?id=621107
             https://bugzilla.mozilla.org/show_bug.cgi?id=621108
             https://bugzilla.mozilla.org/show_bug.cgi?id=621109
             https://bugzilla.mozilla.org/show_bug.cgi?id=621110
CVE Number:  CVE-2011-0046

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.2.10, 3.4.10, 3.6.4,
and 4.0rc2 releases. Upgrading to a release with the relevant fixes
will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the bugzilla.mozilla.org "References" URLs for the
vulnerabilities.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:

Willem Pinckaers
Anonymous ("mozilla11")
Michal Zalewski
Michael Brooks (Sitewatch)
Jos? A. V?zquez
Reed Loden
Fr?d?ric Buclin
Max Kanat-Alexander
David Lawrence
Mark Stosberg
Byron Jones
Guy Pyrzak

We would especially like to thank Willem Pinckaers of Pine Digital
Security for discovering--and providing a proof-of-concept exploit
for--the rather complex but very serious Account Compromise issue.

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0+IjMACgkQaL2D/aEJPK585wCgg7W3cFl7Qdr3KOBV/kYvXuxW
BHEAoOOhesJ3vKAM7Y2Swa3a/0IIYbo6
=XS9t
-----END PGP SIGNATURE-----


From mkanat at bugzilla.org  Tue Jan 25 01:07:06 2011
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Mon, 24 Jan 2011 17:07:06 -0800
Subject: [ANN] Release of Bugzilla 3.2.10, 3.4.10, 3.6.4, and 4.0rc2
Message-ID: <4D3E223A.40501@bugzilla.org>

  Some serious security issues were discovered in Bugzilla, and as a
result we have four security releases for you today. We recommend that
all Bugzilla administrators read the Security Advisory that was
published along with these releases, and we also recommend that you
update as soon as possible.

  Bugzilla 4.0rc2 is our second Release Candidate for Bugzilla 4.0.
This release has received QA testing and should be considerably more
stable than the development releases before it. It is still not
considered fully stable, and so you should understand that if you use
it, you use it at your own risk.

  If feedback from this release candidate indicates that it is mostly
stable, then Bugzilla 4.0 will be released in a few weeks. If feedback
indicates that more extensive fixes are needed, there may be another
release candidate after this one.

  Bugzilla 3.6.4 is our latest stable release. It contains various
useful bug fixes in addition to the security patches. This is likely to
be the last bug-fix release in the 3.6 series. Once Bugzilla 4.0 is
released, the 3.6 series will only get security fixes.

  Bugzilla 3.4.10 and 3.2.10 are security updates for the 3.4
branch and the 3.2 branch, respectively.

  As a reminder, once Bugzilla 4.0 is released, the Bugzilla 3.2.x
series will reach End Of Life, meaning that no new updates will
be released for 3.2.x, even if there are serious security issues found
in that series. All installations running 3.2.x are strongly encouraged
to update to 3.6.4 or 4.0 (once it is released).

Download
--------
Bugzilla is available at:

  http://www.bugzilla.org/download/


Release Notes & Changes
-----------------------
Before installing or upgrading, you should read the Release Notes for
this version of Bugzilla:

  4.0rc2: http://www.bugzilla.org/releases/4.0/release-notes.html
  3.6.4:  http://www.bugzilla.org/releases/3.6.4/release-notes.html
  3.4.10: http://www.bugzilla.org/releases/3.4.10/release-notes.html
  3.2.10: http://www.bugzilla.org/releases/3.2.10/release-notes.html

It is VERY IMPORTANT to read the Release Notes if you are
upgrading from one major version to another (such as 3.4.x to 3.6.x).

To see a list of all changes between your version of Bugzilla and
the current version of Bugzilla, you can use the chart at:

  http://www.bugzilla.org/status/changes.html


The Bugzilla Update
-------------------
You can see the latest updates from the Bugzilla Project and
the status of Bugzilla development on The Bugzilla Update:

  http://bugzillaupdate.wordpress.com/

Also, you can follow the Bugzilla Project on Twitter for frequent
updates on new features being developed in Bugzilla, our current
release plans, and general up-to-the-minute news on what's happening
with the Bugzilla Project:

  http://twitter.com/bugzilla


Report Bugs
-----------
If you find a bug in Bugzilla, please report it! Instructions are
at this URL:

  http://www.bugzilla.org/developers/reporting_bugs.html


Support
-------
You can ask questions for free on the mailing lists (or in IRC)
about Bugzilla, or you can hire a paid consultant to help you out:

  Free Support: http://www.bugzilla.org/support/
  Paid Support: http://www.bugzilla.org/support/consulting.html


About Bugzilla
--------------
  Bugzilla is a "Defect Tracking System" or "Bug-Tracking System."
Defect Tracking Systems allow individuals or groups of developers
to keep track of outstanding bugs in their product effectively.
Most commercial defect-tracking software vendors charge enormous
licensing fees. Despite being "free", Bugzilla has many features
its expensive counterparts lack. Consequently, Bugzilla has quickly
become a favorite of thousands of organizations across the globe, and
is widely regarded as one of the top defect-tracking systems available.

  See http://www.bugzilla.org/about/ for more details.

  -Max Kanat-Alexander
  Release Manager, Bugzilla Project
-- 
http://www.bugzillasource.com/
Competent, Friendly Bugzilla, Perl, and IT Services