| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Oct 2014 10:40:00 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2014:200 ] bugzilla -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:200 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : bugzilla Date : October 21, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated bugzilla packages fix security vulnerabilities: If a new comment was marked private to the insider group, and a flag was set in the same transaction, the comment would be visible to flag recipients even if they were not in the insider group (CVE-2014-1571). An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name could be automatically added to groups based on the group's regular expression setting (CVE-2014-1572). During an audit of the Bugzilla code base, several places were found where cross-site scripting exploits could occur which could allow an attacker to access sensitive information (CVE-2014-1573). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1571 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1573 http://advisories.mageia.org/MGASA-2014-0412.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 82519cd1ae8e30bd8666177ef6d3ca7a mbs1/x86_64/bugzilla-4.2.11-1.mbs1.noarch.rpm 1125bb52dca150266d3158885046b779 mbs1/x86_64/bugzilla-contrib-4.2.11-1.mbs1.noarch.rpm 599d60fb857f0f7fab476c5601cea828 mbs1/SRPMS/bugzilla-4.2.11-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFURg3jmqjQ0CJFipgRAopCAJ0a4tEDNGcSpqvuvXXzLSCKMIJxsgCfbE2J 69zUcm+AVnN8HSOcexqodeQ= =HGiL -----END PGP SIGNATURE-----
Powered by blists - more mailing lists