From dkl at mozilla.com Thu Apr 17 22:17:17 2014 From: dkl at mozilla.com (David Lawrence) Date: Thu, 17 Apr 2014 18:17:17 -0400 Subject: [ANN] Release of Bugzilla 4.5.3, 4.4.3, 4.2.8, and 4.0.12 Message-ID: <535052ED.4030408@mozilla.com> Today we are releasing 4.4.3, 4.2.8, 4.0.12, and the unstable development snapshot 4.5.3. All of today's releases contain security fixes. We recommend all Bugzilla administrators to read the Security Advisory linked below. Bugzilla 4.4.3 is our latest stable release. It contains various useful bug fixes, performance improvements and security fixes for the 4.4 branch. Bugzilla 4.2.8 and 4.0.12 are security updates for the 4.2 branch and the 4.0 branches, respectively. 4.2.8 also contains several bug fixes. Note that 4.5.3 is an unstable development release and should not be used in production environments. We are not yet feature-frozen at this time so the features you see in 4.5.3 might not accurately represent the behavior that 5.0 will have. Note that when Bugzilla 5.0 is released (likely later this year), the Bugzilla 4.0.x series will reach end of life. If you are using that series, we encourage you to upgrade to 4.4.3 now. Download -------- Bugzilla is available at: http://www.bugzilla.org/download/ Security Advisory ----------------- There is a security advisory describing the security issues fixed in these releases, at: http://www.bugzilla.org/security/4.0.11/ Release Notes & Changes ----------------------- Before installing or upgrading, you should read the Release Notes for the new version of Bugzilla: 4.4.3: http://www.bugzilla.org/releases/4.4.3/release-notes.html 4.2.8: http://www.bugzilla.org/releases/4.2.8/release-notes.html 4.0.12: http://www.bugzilla.org/releases/4.0.12/release-notes.html To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at: http://www.bugzilla.org/status/changes.html The Bugzilla Update ------------------- You can see the latest updates from the Bugzilla Project and the status of Bugzilla development on The Bugzilla Update: http://bugzillaupdate.wordpress.com/ Also, you can follow the Bugzilla Project on Twitter for frequent updates on new features being developed in Bugzilla, our current release plans, and much more: http://twitter.com/#!/bugzilla Report Bugs ----------- If you find a bug in Bugzilla, please report it! Instructions are at this URL: http://www.bugzilla.org/developers/reporting_bugs.html Support ------- You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out: Free Support: http://www.bugzilla.org/support/ Paid Support: http://www.bugzilla.org/support/consulting.html About Bugzilla -------------- Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of thousands of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available. See http://www.bugzilla.org/about/ for more details. - David Lawrence Release Manager, Bugzilla Project From lpsolit at gmail.com Thu Apr 17 22:33:20 2014 From: lpsolit at gmail.com (=?ISO-8859-1?Q?Fr=E9d=E9ric_Buclin?=) Date: Fri, 18 Apr 2014 00:33:20 +0200 Subject: Security advisory for Bugzilla 4.5.3, 4.4.3, 4.2.8, and 4.0.12 Message-ID: <535056B0.7030903@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials. * Dangerous control characters can be inserted into Bugzilla, notably into bug comments, which can then be used to execute local commands. All affected installations are encouraged to upgrade as soon as possible. Vulnerability Details ===================== Class: Cross-Site Request Forgery Versions: Bugzilla 2.0 to 4.4.2, 4.5.1 to 4.5.2 Fixed In: 4.4.3, 4.5.3 Description: The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials. If the victim then reports a new security sensitive bug, the attacker would get immediate access to this bug. Due to changes involved in the Bugzilla API, this fix is not backported to the 4.0 and 4.2 branches, meaning that Bugzilla 4.0.12 and older, and 4.2.8 and older, will remain vulnerable to this issue. References: https://bugzilla.mozilla.org/show_bug.cgi?id=713926 CVE Number: CVE-2014-1517 Class: Social Engineering Versions: Bugzilla 2.0 to 4.0.11, 4.1.1 to 4.2.7, 4.3.1 to 4.4.2, 4.5.1 to 4.5.2 Fixed In: 4.0.12, 4.2.8, 4.4.3, 4.5.3 Description: Dangerous control characters can be inserted into Bugzilla, notably into bug comments. If the text, which may look safe, is copied into a terminal such as xterm or gnome-terminal, then unexpected commands could be executed on the local machine. References: https://bugzilla.mozilla.org/show_bug.cgi?id=968576 CVE Number: none Vulnerability Solutions ======================= The fixes for these issues are included in the 4.0.12, 4.2.8, 4.4.3 and 4.5.3 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues. If you are unable to upgrade but would like to patch just the individual security vulnerabilities, there are patches available for each issue at the "References" URL for each vulnerability. Full release downloads, patches to upgrade Bugzilla from previous versions, and bzr upgrade instructions are available at: http://www.bugzilla.org/download/ Credits ======= The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix these issues: Manish Goregaokar Fr?d?ric Buclin David Lawrence Byron Jones Reed Loden General information about the Bugzilla bug-tracking system can be found at: http://www.bugzilla.org/ Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTUFawAAoJEJZXZhv5X1hqP9MQAJIAtfhuMvDPDTILloEAZg3M ixXy5uGoxJ+y/OEuoo2W981DlAQZwq1/35qt4yc58KC55fmMMdxeT6q0s62Ruvbn t9U2zOx97dLfNki6jaKCXmoQtpeekpCQtvKpj0XgN36VDFJe2CWDdpEnd6YoESoq clmc4P3x2Qk1jk7D/LuMmqg92RTCpZnsBjJ3+VcPaK4iovWPgm4lUx11BJer6oLr Loiy9TuoveXYOzPXT9zouM344FRTbcTG16votU+CdJjEZTejqlnMIvExvxdDU13L lkB5KJi76TRvEes0hSabzm2MddUBUSoTyr9aAWqGFpdWp/L49VUhALlNBEMToWv7 fw5W4EhiR+jZ8u2W5tUkG7aCK2DITMy4nypZq09AkG2CvbVRd53CVRiN1nmyRbpp z7+QgpmEuZYmFnPyMxp4ovtvFW5PH7xyBFrL2rAbwFqjHWs8sVDpdoWeUa3m3QOk 37OIrqh5dd5eTr8QMm2ZErgAvyjWUAmLleMY/HsMaxuGSmnvAaNINYGOWA4qvtzI 7S2JpWr4jr1le2AMn+auU10AS5SvkOSJYgQhPFhE/jegyFz5cN2CuA4dzXDw9VCJ V73PdwxDb9wSs3VbN7sHKcto7CbCOBWDm5UXFtitJS2yyf+POAOnDwldY/ROH2qR bxxPQ6Tz5apnTMGUcnZb =0mk7 -----END PGP SIGNATURE----- From dkl at mozilla.com Sat Apr 19 13:04:20 2014 From: dkl at mozilla.com (David Lawrence) Date: Sat, 19 Apr 2014 09:04:20 -0400 Subject: [ANN] Release of Bugzilla 4.5.4, 4.4.4, 4.2.9, and 4.0.13 Message-ID: <53527454.8030302@mozilla.com> Today we are releasing 4.4.4, 4.2.9, 4.0.13, and the unstable development snapshot 4.5.4. All releases fix a regression discovered since the last release. Bugzilla 4.4.4 is our latest stable release. Bugzilla 4.4.4, 4.2.9 and 4.0.13 are bug fix updates for the 4.4, 4.2, and the 4.0 branches, respectively. Note that 4.5.4 is an unstable development release and should not be used in production environments. We are not yet feature-frozen at this time so the features you see in 4.5.4 might not accurately represent the behavior that 5.0 will have. Note that when Bugzilla 5.0 is released (likely later this year), the Bugzilla 4.0.x series will reach end of life. If you are using that series, we encourage you to upgrade to 4.4.4 now. Download -------- Bugzilla is available at: http://www.bugzilla.org/download/ Release Notes & Changes ----------------------- Before installing or upgrading, you should read the Release Notes for the new version of Bugzilla: 4.4.4: http://www.bugzilla.org/releases/4.4.4/release-notes.html 4.2.9: http://www.bugzilla.org/releases/4.2.9/release-notes.html 4.0.13: http://www.bugzilla.org/releases/4.0.13/release-notes.html To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at: http://www.bugzilla.org/status/changes.html The Bugzilla Update ------------------- You can see the latest updates from the Bugzilla Project and the status of Bugzilla development on The Bugzilla Update: http://bugzillaupdate.wordpress.com/ Also, you can follow the Bugzilla Project on Twitter for frequent updates on new features being developed in Bugzilla, our current release plans, and much more: http://twitter.com/#!/bugzilla Report Bugs ----------- If you find a bug in Bugzilla, please report it! Instructions are at this URL: http://www.bugzilla.org/developers/reporting_bugs.html Support ------- You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out: Free Support: http://www.bugzilla.org/support/ Paid Support: http://www.bugzilla.org/support/consulting.html About Bugzilla -------------- Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of thousands of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available. See http://www.bugzilla.org/about/ for more details. - David Lawrence Release Manager, Bugzilla Project