lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 10 Nov 2003 01:04:38 -0500
From: David Miller <justdave@...zilla.org>
To: bugtraq@...urityfocus.com, announce@...zilla.org,
   mozilla-announce@...illa.org, mozilla-webtools@...illa.org
Subject: [BUGZILLA] Security Advisory - information leak


Bugzilla Security Advisory

November 9, 2003

Summary
=======

Bugzilla is a Web-based bug-tracking system, currently used by a large
number of software projects.

This advisory covers a security bug which was accidently introduced in
development version 2.17.5 and subsequently fixed in the Bugzilla code
involving unprivileged access to restricted data.

All Bugzilla installations who have upgraded to the 2.17.5 development
snapshot are encouraged to obtain version 2.17.6 or apply the relevant
patch.

The current stable version of Bugzilla is 2.16.4, and is not affected
by this advisory.


Vulnerability Details
=====================

Class:       Information leak
Versions:    2.17.5 is the only version affected.
Description: A new feature was introduced in version 2.17.5 which allows
             remote websites to build tooltips and other dynamically
             generated data using current bug information retrieved from
             Bugzilla.  A security lapse in the initial implementation
             of this feature allows the remote site to obtain that
             information from Bugzilla using the privileges of the
             client user.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=195530


Vulnerability Solutions
=======================

The fix for the security bug mentioned in this advisory is included in
the 2.17.6 release.  Upgrading to this release will protect
installations from this issue.  As stated above, this only affects
Bugzilla 2.17.5, and does not affect the stable version 2.16.4.

Full release downloads of Bugzilla 2.17.6 and CVS upgrade instructions
can be found at:
  http://www.bugzilla.org/download.html

A specific patch for this issue can be found on the corresponding bug
report, at the URL given in the reference for the issue in the
Vulnerability Details section above.


Credits
=======

The Bugzilla team wish to thank Gervase Markham for discovering and
fixing this promptly after he introduced it.


General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.

-30-
-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/

Powered by blists - more mailing lists