[EXTERNAL] Re: FW: 192.53.95.20/now .21 and .22

Hunt, Ron (PERATON) Ronald.Hunt at peraton.com
Wed Dec 11 13:21:53 UTC 2024


Thank you for the quick response.

Ron

From: Dave Miller <justdave at bugzilla.org>
Sent: Wednesday, December 11, 2024 1:21 AM
To: support-list at bugzilla.org; Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Subject: [EXTERNAL] Re: FW: 192.53.95.20/now .21 and .22

Yes, Bugzilla 5.2 did end up including the MySQL 8 support after all. At the point I wrote that email thread to you we thought it wasn't going to land in time, but in the end it did.

On December 10, 2024 11:03:09 AM EST, "Hunt, Ron (PERATON)" <Ronald.Hunt at peraton.com> wrote:

PERATON CONFIDENTIAL AND/OR PROPRIETARY INFORMATION - This email message and/or its attachment contains confidential and/or proprietary information of Peraton Corp. (Peraton) that may only be received, disclosed, or used as authorized by Peraton. The information in this message may be exempt from release under the Freedom of Information Act. If you received this message in error, please delete all copies, and promptly notify the sender.

Hello,
I would like to confirm this fix is working in the current stable 5.2 Bugzilla version?
Thank you,
Ron

From: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>
Sent: Tuesday, December 10, 2024 10:58 AM
To: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>; Benveniste, Teri (PERATON) <Teri.Benveniste at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>; Switzer, Mark L (PERATON) <Mark.L.Switzer at peraton.com>
Subject: RE: 192.53.95.20/now .21 and .22


Thanks, they show this, though, as a closed/resolved bug available in version 5.2, deployed to stable 9 months ago.
1592129 - Bugzilla failed after mysql upgrade to 8.0.17 due to "groups" keyword in mysql <https://bugzilla.mozilla.org/show_bug.cgi?id=1592129>
And this is in the patch notes for the 5.2 release as a highlight of the fixes.
5.2 - Bugzilla <https://www.bugzilla.org/releases/5.2/>
The email chain you have is from Jan 2024, unfortunately, and, with the contrary documentation, is not valid as documentation showing this is a blocking issue.



Thanks,
Brie Barrier
Pronouns: She/Her/Hers
Manager, Vulnerability Management Team

Office: (571)508-4192
This is a Safe Space.

From: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Sent: Tuesday, December 10, 2024 10:51 AM
To: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>; Benveniste, Teri (PERATON) <Teri.Benveniste at peraton.com>; Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20/now .21 and .22


Currently Bugzilla is at stable release 5.2 and not 5.2+. 5.2 doesn’t work with MySQL 8.0 and thus doesn’t work with RHEL 8. So hopefully the NEXT Bugzilla release will include the fixes that allow Bugzilla to work correctly with MySQL 8.

Per the Bugzilla support email:
Here is the email string between Bugzilla support and myself:

Bugzilla doesn't currently work with MySQL 8.

We're hoping to have MySQL 8 supported again in version 5.2.1 or so (5.2 which is about to be released will probably have MySQL 8 blocklisted because the compatibility fixes aren't quite ready to land yet, it's an extremely invasive patch)

On January 2, 2024 7:37:08 AM EST, "Hunt, Ron (PERATON)" <Ronald.Hunt at peraton.com> wrote:
Good morning,

I am currently in the process of upgrading my current RHEL 7 – MySql57 – Bugzilla 5.0.6 to RHEL 8 – MySql8.0 – Bugzilla 5.0.6 due to RHEL 7 moving to end of life status.

Once I had everything installed and ran the ./checksetup.pl script, I got the following error, due to MySQL 8.0 using “group” and preventing Bugzilla from using it as a primary key:

DBD::mysql::db selectrow_array failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'groups where name = ''' at line 1 [for Statement "SELECT id FROM groups where name = ''"] at Bugzilla/Install/DB.pm line 2497.
        Bugzilla::Install::DB::_fix_group_with_empty_name() called at Bugzilla/Install/DB.pm line 358
        Bugzilla::Install::DB::update_table_definitions(HASH(0x55dd82199cc8)) called at ./checksetup.pl line 175

Any suggestions on how to resolve this issue?

So as soon as the next release is available I should then be able to upgrade Apache, RHEL, MySql and Bugzilla without conflict.

Please let me know if you need additional information regarding this issue.

Thanks,
Ron

From: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>
Sent: Tuesday, December 10, 2024 10:45 AM
To: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>; Benveniste, Teri (PERATON) <Teri.Benveniste at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20/now .21 and .22


Thanks. For clarification, documentation states versions 2.2.x and 2.4.x are fully supported: 3.5.2. Apache on Windows — Bugzilla 5.2+ documentation <https://bugzilla.readthedocs.io/en/latest/installing/apache-windows.html>

With that documentation, what is the issue preventing deployment of version 2.4.62? I'll need links to the documentation if there is a bug I missed preventing that deployment, and I can then file the risk exception with that documentation.

Previously the hold-up was due to MySQL 8 not being supported (March 6th email) with version 5.0.6/previous stable, but with 5.2 it now is supported: 5.2 - Bugzilla <https://www.bugzilla.org/releases/5.2/>


Thanks,
Brie Barrier
Pronouns: She/Her/Hers
Manager, Vulnerability Management Team

Office: (571)508-4192
This is a Safe Space.

From: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Sent: Tuesday, December 10, 2024 9:49 AM
To: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>; Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>; Benveniste, Teri (PERATON) <Teri.Benveniste at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20/now .21 and .22


Brie,

We are still waiting for the Bugzilla release that will work with the updated Apache and RHEL versions. We are currently up to 5.2 and waiting for either 5.2.1 or higher to become the “Stable” version for public use.


What actions do I need to take to refile this for a risk exception?

Thank you,
Ron

From: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>
Sent: Tuesday, December 10, 2024 9:17 AM
To: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20/now .21 and .22


No problem, thanks for taking a look, and let us know either way; if it can't be mitigated we will likely want to file this again for a risk exception.

Thanks,
Brie Barrier
Pronouns: She/Her/Hers
Manager, Vulnerability Management Team

Office: (571)508-4192
This is a Safe Space.

From: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Sent: Tuesday, December 10, 2024 9:12 AM
To: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>; Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20/now .21 and .22


Good morning Brie and thank you for your patience in this matter. I will check and see if we can now move up to the latest Apache version along with RHEL without conflict with Bugzilla.

More to follow.

Thanks,
Ron

From: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>
Sent: Tuesday, December 10, 2024 8:38 AM
To: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20/now .21 and .22


Good morning! Reaching out to check the status of updates on the GEX systems we observe in Xpanse.
192.53.95.22:443 and 192.53.95.21:443 are flagging for outdated Apache web servers and are exposed publicly. Is it possible to update them to the latest versions? Full details attached.

192.53.95.21: Version detected 2.4.37
This issue flags Apache HTTP Servers that are known to be below the current up-to-date secured versions suggested by Apache. Specifically, this issue flags versions prior to 2.4.62. Versions of Apache HTTP Server flagged by this policy are likely vulnerable to multiple known exploits, including CVE-2021-41773, CVE-2021-34798, CVE-2022-23943, CVE-2023-25690, CVE-2024-27316, and CVE-2024-40725. Version 2.4.62 addresses vulnerabilities that were present in 2.4.61 and below. Note: This issue policy extracts Apache's self reported version in the 'Server' header. Certain Linux/Unix vendors like Red Hat, CentOS, Debian, Ubuntu backport versions of open source packages like Apache, OpenSSH, PHP and BIND. The term backporting describes the action of taking a fix for a security flaw out of the most recent version of an upstream software package and applying that fix to an older version of the package distributed by these Linux/Unix vendors. If the 'Server' header reports the underlying OS, this policy implies a potentially insecure version which may be backported.

192.53.95.22: Version detected 2.4.6
Apache HTTP Server, commonly called Apache, is an open-source cross-platform web server for Unix and Windows that is among the most widely used web servers. Apache is developed and maintained by the Apache Software Foundation. This issue flags Apache HTTP Servers that are known to be below the current up-to-date secured versions suggested by Apache. Specifically, this issue flags versions prior to 2.4.62. Versions of Apache HTTP Server flagged by this policy are likely vulnerable to multiple known exploits, including CVE-2021-41773, CVE-2021-34798, CVE-2022-23943, CVE-2023-25690, CVE-2024-27316, and CVE-2024-40725. Version 2.4.62 addresses vulnerabilities that were present in 2.4.61 and below. Note: This issue policy extracts Apache's self reported version in the 'Server' header. Certain Linux/Unix vendors like Red Hat, CentOS, Debian, Ubuntu backport versions of open source packages like Apache, OpenSSH, PHP and BIND. The term backporting describes the action of taking a fix for a security flaw out of the most recent version of an upstream software package and applying that fix to an older version of the package distributed by these Linux/Unix vendors. If the 'Server' header reports the underlying OS, this policy implies a potentially insecure version which may be backported.






Thanks,
Brie Barrier
Pronouns: She/Her/Hers
Manager, Vulnerability Management Team

Office: (571)508-4192
This is a Safe Space.
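The policy text pasted above describes banner-based detection: read Apache's self-reported version from the Server header, flag anything before 2.4.62, and caveat that Red Hat, CentOS, Debian and Ubuntu builds may carry backported fixes behind an old version string. The Python block below is an added example, not part of this thread and not any scanner vendor's code; it applies that logic to constructed Server header values, reports the backport caveat whenever a vendor token is present, and keeps "no version advertised" separate from "outdated". Host labels, header strings and the Finding structure are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Minimum Apache httpd version the policy quoted in the thread treats as current.
POLICY_MINIMUM: Tuple[int, int, int] = (2, 4, 62)

# Vendors the policy text names as backporting security fixes into older
# package versions without changing the advertised upstream version.
BACKPORTING_VENDORS = ("Red Hat", "CentOS", "Debian", "Ubuntu")

# Constructed sample "Server" header values (not captured from any real host),
# in the shapes the policy text describes.
SAMPLE_HEADERS: Dict[str, str] = {
    "host-a": "Apache/2.4.37 (Red Hat Enterprise Linux)",
    "host-b": "Apache/2.4.6 (CentOS)",
    "host-c": "Apache/2.4.62 (Unix)",
    "host-d": "Apache",          # reduced ServerTokens: no version advertised
    "host-e": "nginx/1.24.0",    # not Apache httpd at all
}


@dataclass
class Finding:
    host: str
    version: Optional[Tuple[int, int, int]]  # None when not advertised / not Apache
    below_minimum: Optional[bool]            # None when nothing could be compared
    possibly_backported: bool                # vendor build: the banner may mislead
    note: str


def parse_apache_version(header: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from a value like 'Apache/2.4.37 (Unix)'."""
    m = re.match(r"Apache/(\d+)\.(\d+)\.(\d+)", header)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def vendor_token(header: str) -> Optional[str]:
    """Return the backporting vendor named in the header's OS comment, if any."""
    lowered = header.lower()
    for vendor in BACKPORTING_VENDORS:
        if vendor.lower() in lowered:
            return vendor
    return None


def assess(host: str, header: str,
           minimum: Tuple[int, int, int] = POLICY_MINIMUM) -> Finding:
    """Apply the policy logic described in the thread to one Server header."""
    if not header.startswith("Apache"):
        return Finding(host, None, None, False, "not Apache httpd; policy does not apply")

    vendor = vendor_token(header)
    version = parse_apache_version(header)
    if version is None:
        # The scanner has nothing to compare; only a package-level check on the
        # host itself can settle the question.
        return Finding(host, None, None, vendor is not None,
                       "no version advertised; verify the installed package version")

    below = version < minimum  # integer tuples, so 2.4.6 < 2.4.62 as intended
    if not below:
        return Finding(host, version, False, False, "at or above policy minimum")
    if vendor:
        return Finding(host, version, True, True,
                       f"below policy minimum, but {vendor} builds are commonly "
                       "backported; confirm via the package manager, not the banner")
    return Finding(host, version, True, False,
                   "below policy minimum and no vendor token; treat as outdated")


def triage(headers: Dict[str, str]) -> Dict[str, Finding]:
    """Assess every host and return findings keyed by host label."""
    return {host: assess(host, header) for host, header in headers.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_HEADERS).values():
        ver = ".".join(map(str, f.version)) if f.version else "n/a"
        print(f"{f.host}: {ver:<8} below_min={f.below_minimum} "
              f"backport?={f.possibly_backported}  {f.note}")
```

Two points the code makes concrete: versions are compared as integer tuples, because a string comparison would sort "2.4.6" after "2.4.62" and mark host-b as current; and a finding with the backport caveat set can only be closed with package evidence from the host (installed httpd package version and its changelog), never from the banner alone.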

From: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Sent: Wednesday, March 6, 2024 3:25 PM
To: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>; Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Subject: RE: 192.53.95.20


Brie,

Currently there is no information on the projected release date for 5.1.2. Here is the information from the Bugzilla website on their releases:

Release Information
Current Releases and Change Policy

  *   Current Stable Release (5.0.6 <https://www.bugzilla.org/releases/5.0.6/>)

     *   Includes bug fixes and performance improvements only
     *   No new features or large scale performance improvements
     *   No database schema changes
     *   May contain documentation changes
     *   No changes to templates that aren't part of bug fix, other than typos or grammatical fixes

  *   Trunk (5.1.2 <https://www.bugzilla.org/releases/6.0/>)

     *   Approved changes added constantly
     *   Occasional development snapshots are released

  *   Old Stable Release (4.4.13 <https://www.bugzilla.org/releases/4.4.13/>)

     *   Current policy is that 4 months after the next major release, support for the oldest stable release will be dropped. The other stable release will still be supported until four months after the next major release.
     *   Contains security, crash, data loss, and selected critical fixes only
     *   No documentation changes unrelated to the above changes allowed

Any release prior to the old stable release is unsupported.

Release Dates

Here is a list of the release dates of every version of Bugzilla sorted by its branch. You can click on the version number for a list of release notes, download links, and security advisories relevant to that release.

  *   5.0

     *   5.0.6 <https://www.bugzilla.org/releases/5.0.6/> Feb 09, 2019

Please let me know if there is anything else I can provide on this issue.

Thanks,
Ron

From: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>
Sent: Wednesday, March 6, 2024 3:21 PM
To: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20


Thanks for those details; yes, it can be a bit of an issue. Because of that blocker and documentation, do they have an estimate on the release date of the 5.2.1 version that may support the updated MySQL? That way I can put in a risk exception for tracking while we await an official vendor fix.

Thanks,
Brie Barrier
Pronouns: She/Her/Hers
Lead, Vulnerability Management Team

Office: (571)508-4192
This is a Safe Space.

From: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Sent: Wednesday, March 6, 2024 3:12 PM
To: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>; Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Subject: RE: 192.53.95.20


Hello Brie,

So we are currently on RHEL 7 for our Bugzilla server, which only supports Apache (httpd 2.4.6). RHEL 8 is available; however, RHEL 8 has a problem with our MySQL database, which stores our Bugzilla application. Bugzilla software is working on a solution but has yet to deploy it for public use. Long story short, I am currently stuck between Bugzilla and Red Hat regarding the server version until one is working well with the other.

Here is the email string between Bugzilla support and myself:

Bugzilla doesn't currently work with MySQL 8.

We're hoping to have MySQL 8 supported again in version 5.2.1 or so (5.2 which is about to be released will probably have MySQL 8 blocklisted because the compatibility fixes aren't quite ready to land yet, it's an extremely invasive patch)

On January 2, 2024 7:37:08 AM EST, "Hunt, Ron (PERATON)" <Ronald.Hunt at peraton.com> wrote:
Good morning,

I am currently in the process of upgrading my current RHEL 7 – MySql57 – Bugzilla 5.0.6 to RHEL 8 – MySql8.0 – Bugzilla 5.0.6 due to RHEL 7 moving to end of life status.

Once I had everything installed and ran the ./checksetup.pl script, I got the following error, due to MySQL 8.0 using “group” and preventing Bugzilla from using it as a primary key:

DBD::mysql::db selectrow_array failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'groups where name = ''' at line 1 [for Statement "SELECT id FROM groups where name = ''"] at Bugzilla/Install/DB.pm line 2497.
        Bugzilla::Install::DB::_fix_group_with_empty_name() called at Bugzilla/Install/DB.pm line 358
        Bugzilla::Install::DB::update_table_definitions(HASH(0x55dd82199cc8)) called at ./checksetup.pl line 175

Any suggestions on how to resolve this issue?

Thank you,

Ron

I am still waiting on the latest release from Bugzilla to attempt to clear this issue.

Thanks,
Ron
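The checksetup.pl trace quoted in this message (and again higher in the thread) is a reserved-word collision: MySQL 8.0 added GROUPS to its reserved words, which MySQL 5.7 had not reserved, so the unquoted table name in `SELECT id FROM groups where name = ''` is a syntax error on 8.0.17 even though the same statement ran on 5.7. The Python block below is an added example, not Bugzilla's code or its actual fix (the project tracked that under bug 1592129, linked above); it shows the two defensive pieces an operator would want before such an upgrade: a check of schema table names against the words that become reserved on the target server, and backtick quoting of colliding identifiers. The reserved-word set is a constructed, partial subset of the MySQL 8.0 reference manual's list, and the regex rewriting deliberately handles only simple statements.

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Words reserved in MySQL 8.0 that were not reserved in MySQL 5.7. Constructed,
# partial subset of the MySQL 8.0 reference manual's reserved-word list,
# assumed accurate for this example; GROUPS is the one the quoted trace hit.
NEW_RESERVED_IN_8_0 = frozenset({
    "GROUPS", "RANK", "DENSE_RANK", "ROW_NUMBER", "LAG", "LEAD",
    "OVER", "WINDOW", "RECURSIVE", "LATERAL",
})

# Keywords after which the next bare word is a table name in simple statements.
_TABLE_POSITION = re.compile(
    r"\b(FROM|JOIN|INTO|UPDATE|TABLE)(\s+)([A-Za-z_][A-Za-z0-9_]*)\b",
    re.IGNORECASE,
)

# The statement from the quoted checksetup.pl error, reproduced as test input.
FAILING_STATEMENT = "SELECT id FROM groups where name = ''"

# Constructed table list standing in for a schema inventory.
SAMPLE_TABLES = ["bugs", "groups", "profiles", "products"]


def is_reserved(identifier: str, server_version: Version) -> bool:
    """True if a bare identifier is a reserved word on the given server version."""
    return server_version >= (8, 0, 0) and identifier.upper() in NEW_RESERVED_IN_8_0


def colliding_tables(tables: Iterable[str], server_version: Version) -> List[str]:
    """Pre-upgrade check: table names that will stop parsing unquoted."""
    return [t for t in tables if is_reserved(t, server_version)]


def quote_reserved_identifiers(sql: str, server_version: Version) -> str:
    """Backtick-quote table names in FROM/JOIN/INTO/UPDATE/TABLE position that
    are reserved on the target server. Whitespace is preserved; identifiers
    that are not reserved, or servers before 8.0, leave the SQL unchanged.
    A real code base quotes at the query-builder layer rather than by regex."""
    def repl(m: "re.Match[str]") -> str:
        keyword, ws, name = m.group(1), m.group(2), m.group(3)
        if is_reserved(name, server_version):
            return f"{keyword}{ws}`{name}`"
        return m.group(0)
    return _TABLE_POSITION.sub(repl, sql)


if __name__ == "__main__":
    for target in ((5, 7, 44), (8, 0, 17)):
        label = ".".join(map(str, target))
        print(f"MySQL {label}: colliding tables = {colliding_tables(SAMPLE_TABLES, target)}")
        print(f"  {quote_reserved_identifiers(FAILING_STATEMENT, target)}")
```

Running the collision check against the schema before switching the database version turns the syntax error from a surprise during checksetup.pl into a known item on the upgrade plan; the quoting helper shows the shape of the remedy, which is identifier quoting rather than renaming tables.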

From: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>
Sent: Wednesday, March 6, 2024 1:43 PM
To: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20


Great thank you!

Thanks,
Brie Barrier
Pronouns: She/Her/Hers
Lead, Vulnerability Management Team

Office: (571)508-4192
This is a Safe Space.

From: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>
Sent: Wednesday, March 6, 2024 12:14 PM
To: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: RE: 192.53.95.20


Good morning Brie,

Yes, I will take a look and see if I can get this resolved ASAP.

Thanks,
Ron

From: Barrier, Brie (PERATON) <brie.a.barrier at peraton.com>
Sent: Wednesday, March 6, 2024 12:08 PM
To: Hunt, Ron (PERATON) <Ronald.Hunt at peraton.com>; Critzer, Judith (PERATON) <judy.critzer at peraton.com>
Cc: Cyber Vulnerability Management <cybervulnmgmt at peraton.com>
Subject: 192.53.95.20


Good morning!
Your Bugzilla site at 192.53.95.20 popped for a few security issues recently, so I was hoping you could take a look to review. All the issues seem to tie back to the Apache HTTP server supporting Bugzilla.


The critical issues
CVE-2022-22720 : Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the reque (cvedetails.com) <https://www.cvedetails.com/cve/CVE-2022-22720>
CVE-2021-39275 : ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted d (cvedetails.com) <https://www.cvedetails.com/cve/CVE-2021-39275>
CVE-2022-22721 : If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer ov (cvedetails.com) <https://www.cvedetails.com/cve/CVE-2022-22721>

High issues
CVE-2021-34798 : Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and (cvedetails.com) <https://www.cvedetails.com/cve/CVE-2021-34798>
CVE-2022-22719 : A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This i (cvedetails.com) <https://www.cvedetails.com/cve/CVE-2022-22719>

The latest release for Apache 2.4 appears to be 2.4.58, which came out in October; could it be applied to clear these issues?
Apache HTTP Server Project <https://downloads.apache.org/httpd/Announcement2.4.html>


Thanks,
Brie Barrier
Pronouns: She/Her/Hers
Lead, Vulnerability Management Team

Office: (571)508-4192
This is a Safe Space.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.