From dkl at mozilla.com Thu Jul 24 21:26:08 2014 From: dkl at mozilla.com (David Lawrence) Date: Thu, 24 Jul 2014 17:26:08 -0400 Subject: [ANN] Release of Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14 Message-ID: <53D179F0.5060100@mozilla.com> Today we are releasing 4.4.5, 4.2.10, 4.0.14, and the unstable development snapshot 4.5.5. All releases fix a security issue found since the last release. Bugzilla 4.4.5 is our latest stable release. Bugzilla 4.4.5, 4.2.10 and 4.0.14 are security updates for the 4.4, 4.2, and the 4.0 branches, respectively. Note that 4.5.5 is an unstable development release and should not be used in production environments. We are not yet feature-frozen at this time so the features you see in 4.5.5 might not accurately represent the behavior that 5.0 will have. Note that when Bugzilla 5.0 is released (likely later this year), the Bugzilla 4.0.x series will reach end of life. If you are using that series, we encourage you to upgrade to 4.4.5 now. Download -------- Bugzilla is available at: http://www.bugzilla.org/download/ Release Notes & Changes ----------------------- Before installing or upgrading, you should read the Release Notes for the new version of Bugzilla: 4.4.5: http://www.bugzilla.org/releases/4.4.5/release-notes.html 4.2.10: http://www.bugzilla.org/releases/4.2.10/release-notes.html 4.0.14: http://www.bugzilla.org/releases/4.0.14/release-notes.html To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at: http://www.bugzilla.org/status/changes.html The Bugzilla Update ------------------- You can see the latest updates from the Bugzilla Project and the status of Bugzilla development on The Bugzilla Update: http://bugzillaupdate.wordpress.com/ Also, you can follow the Bugzilla Project on Twitter for frequent updates on new features being developed in Bugzilla, our current release plans, and much more: http://twitter.com/#!/bugzilla Report Bugs ----------- If you find a bug in Bugzilla, please report it! Instructions are at this URL: http://www.bugzilla.org/developers/reporting_bugs.html Support ------- You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out: Free Support: http://www.bugzilla.org/support/ Paid Support: http://www.bugzilla.org/support/consulting.html About Bugzilla -------------- Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of thousands of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available. See http://www.bugzilla.org/about/ for more details. - David Lawrence Release Manager, Bugzilla Project From dkl at mozilla.com Thu Jul 24 21:27:12 2014 From: dkl at mozilla.com (David Lawrence) Date: Thu, 24 Jul 2014 17:27:12 -0400 Subject: Security advisory for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14 Message-ID: <53D17A30.4090108@mozilla.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issue has been discovered in Bugzilla: * An attacker can get access to some bug information using the victim's credentials using a specially crafted HTML page. All affected installations are encouraged to upgrade as soon as possible. Vulnerability Details ===================== Class: Cross Site Request Forgery Versions: 3.7.1 to 4.0.13, 4.1.1 to 4.2.9, 4.3.1 to 4.4.4, 4.5.1 to 4.5.4 Fixed In: 4.0.14, 4.2.10, 4.4.5, 4.5.5 Description: Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1036213 CVE Number: CVE-2014-1546 Vulnerability Solutions ======================= The fixes for these issues are included in the 4.0.14, 4.2.10, 4.4.5, and 4.5.5 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of this issue. If you are unable to upgrade but would like to patch just these individual security vulnerabilities, there are patches available for the issues at the "References" URL for each vulnerability. Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS/bzr upgrade instructions are available at: http://www.bugzilla.org/download/ Credits ======= The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us in fixing these issues: Mario Gomes Reed Loden Simon Green Byron Jones General information about the Bugzilla bug-tracking system can be found at: http://www.bugzilla.org/ Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums. - -- David Lawrence dkl at mozilla.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJT0XowAAoJEAtNfRpsX1hD2/0H/REgiknEC4+MjHUF00uFmdD7 bkIB4XCHCE+Yihjv9yb45O4DMJI0wHcOpZu4EyK46gd8vgNHYeD6532RHBfMPkbH 8g8pssLPax8SUnhXXV5VELehAdHqkbJRZIqq4VXGrP6fr5pzPrRUa7pPYorUzAWs aBmBLhQt/1GgkyVhFK64++BeUofMxh1+OAP9Yhfy2gD1Um6TtStByUBBoPtYm4vZ 41NFGj5IpdwyNEagf9ws7j6t0vPYgoYABVfX/EqwVtaOXqdXph+mnC3wmVE1RR2j R+y582a/lOXWTNWARx0gq/Ti21yIHi3G5vIlRxXY3ugDPf6nszgcbNZK72C92hU= =eWKy -----END PGP SIGNATURE-----