Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-19 ] Bugzilla: Multiple vulnerabilities
Date: Fri, 04 Jun 2010 06:32:33
Message-Id: 20100604071502.549552fb@mail.a3li.li
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201006-19:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Bugzilla: Multiple vulnerabilities
Date: June 04, 2010
Updated: June 04, 2010
Bugs: #239564, #258592, #264572, #284824, #303437, #303725
ID: 201006-19:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Bugzilla is prone to multiple medium-severity vulnerabilities.

Background
==========

Bugzilla is a bug tracking system from the Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
         Package              /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
      1  www-apps/bugzilla       < 3.2.6                       >= 3.2.6

Description
===========

Multiple vulnerabilities have been reported in Bugzilla. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker might be able to disclose local files, bug
information, passwords, and other data under certain circumstances.
Furthermore, a remote attacker could conduct SQL injection, Cross-Site
Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks via
various vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bugzilla users should upgrade to an unaffected version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-3.2.6"

Bugzilla 2.x and 3.0 have reached their end of life. There will be no
more security updates. All Bugzilla 2.x and 3.0 users should update to
a supported Bugzilla 3.x version.

References
==========

[ 1 ] CVE-2008-4437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4437
[ 2 ] CVE-2008-6098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6098
[ 3 ] CVE-2009-0481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0481
[ 4 ] CVE-2009-0482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0482
[ 5 ] CVE-2009-0483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0483
[ 6 ] CVE-2009-0484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0484
[ 7 ] CVE-2009-0485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0485
[ 8 ] CVE-2009-0486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0486
[ 9 ] CVE-2009-1213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1213
[ 10 ] CVE-2009-3125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3125
[ 11 ] CVE-2009-3165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3165
[ 12 ] CVE-2009-3166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3166
[ 13 ] CVE-2009-3387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3387
[ 14 ] CVE-2009-3989
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3989

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201006-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
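The resolution above says what to emerge but not how to confirm, across a fleet, which hosts still carry a version inside the vulnerable range. The script below is an added example, not part of this GLSA or of Gentoo's own tooling: a POSIX sh checker that reads "category/package-version" atoms, one per line (the shape that e.g. `qlist -Iv www-apps/bugzilla` from app-portage/portage-utils prints), and flags any www-apps/bugzilla entry below 3.2.6. The sample input is constructed. The version comparison is deliberately narrow: it handles dotted numeric versions with an optional Gentoo `-rN` revision, and anything else (a `_rc` or `_pre` snapshot, for instance) is reported as unknown rather than guessed at.

```shell
#!/bin/sh
# Added example, not part of the GLSA: flag installed www-apps/bugzilla
# versions that fall inside this advisory's vulnerable range (< 3.2.6).
# Input is one "category/package-version" atom per line, the shape that
# e.g. `qlist -Iv www-apps/bugzilla` prints; the sample below is constructed.

# vercmp A B: compare dotted numeric versions, printing -1, 0 or 1.
# Only plain numeric components are handled; callers must filter suffixes.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}            # leading component of each side
    if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}            # missing component counts as 0 (3.2 == 3.2.0)
    [ "$ai" -lt "$bi" ] && { printf '%s\n' -1; return 0; }
    [ "$ai" -gt "$bi" ] && { printf '%s\n' 1; return 0; }
  done
  printf '%s\n' 0
}

# bugzilla_affected VER: exit 0 if VER < 3.2.6, 1 if unaffected, 2 if the
# version string is not a plain dotted number (e.g. a _rc/_pre snapshot).
bugzilla_affected() {
  v=${1%%-r*}                           # drop Gentoo revision (-rN): 3.2.5-r2 is still 3.2.5
  case $v in
    ''|*[!0-9.]*) return 2 ;;           # refuse to guess about suffixes we do not model
  esac
  [ "$(vercmp "$v" 3.2.6)" = "-1" ]
}

# scan_installed: read atoms on stdin, print one status line per bugzilla atom.
scan_installed() {
  while IFS= read -r atom; do
    case $atom in
      www-apps/bugzilla-*) ;;
      *) continue ;;                    # some other package, not in scope
    esac
    ver=${atom#www-apps/bugzilla-}
    bugzilla_affected "$ver" && rc=0 || rc=$?
    case $rc in
      0) printf '%s: VULNERABLE (GLSA 201006-19, upgrade to >=www-apps/bugzilla-3.2.6)\n' "$atom" ;;
      2) printf '%s: UNKNOWN (version string not handled, check manually)\n' "$atom" ;;
      *) printf '%s: unaffected\n' "$atom" ;;
    esac
  done
}

# Constructed sample input, not real qlist output.
printf '%s\n' \
  'www-apps/bugzilla-3.2.5' \
  'www-apps/bugzilla-3.0.10-r1' \
  'www-apps/bugzilla-3.2.6' \
  'www-apps/bugzilla-3.2.6-r1' \
  'dev-lang/perl-5.10.1' | scan_installed
```

On a real host, replace the constructed `printf` with `qlist -Iv www-apps/bugzilla | scan_installed`, or feed it the directory names under /var/db/pkg/www-apps/ with the category prepended. Note that the GLSA's unaffected boundary is the package version, so a 3.2.6-r1 ebuild is unaffected, while 3.0.x is both vulnerable and, per the advisory, end-of-life.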

Attachments

signature.asc (application/pgp-signature)