Fw: Security Advisory for Bugzilla v2.15 (cvs20020103) and older

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sun, 6 Jan 2002 20:42:18 +1100

Does this affect squid-cache.org/bugs?

Rob
===
----- Original Message -----
From: "Dave Miller" <bugdude1@syndicomm.com>
To: <bugtraq@securityfocus.com>
Sent: Sunday, January 06, 2002 10:45 AM
Subject: Security Advisory for Bugzilla v2.15 (cvs20020103) and older

> All users of Bugzilla, the bug-tracking system from mozilla.org, who are
> using a version of Bugzilla installed from a downloaded tarball or package
> file are strongly recommended to update to version 2.14.1.
>
> All users of Bugzilla who are currently using version 2.15 checked out of
> cvs prior to 15 December 2001 are strongly recommended to use 'cvs update'
> to obtain the current cvs code.
>
> Bugzilla 2.14.1 is a security update; patches from a number of
> security-related bugs which have already been applied to the working source
> version 2.15 in cvs, have been applied to Bugzilla 2.14 to create the new
> stable release 2.14.1, which fixes several security issues discovered since
> version 2.14 was released, which we believe are too serious to wait for our
> upcoming 2.16 release.
>
> There are many patches that need to be applied to properly close these
> holes, so they are not included here. If you will not be upgrading your
> system and instead wish to apply these patches to your existing
> system, a single patch which can be applied to a Bugzilla 2.14 installation
> is available at http://www.bugzilla.org/bugzilla2.14to2.14.1.patch
>
> Complete bug reports for all bugs can be obtained by visiting the
> following URL: http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX
> where you replace the XXXXX at the end of the URL with a bug number as
> listed below. You may also enter the bug numbers in the "enter a bug#" box
> on the main page at http://bugzilla.mozilla.org/ or in the footer of any
> other page on bugzilla.mozilla.org.
>
> *** SECURITY ISSUES RESOLVED ***
>
> - Multiple instances of user-account hijacking capability were fixed (Bugs
> 54901, 108385, 185516)
>
> - Two occurrences of allowing data protected by Bugzilla's groupset
> restrictions to be visible to users outside of those groups were fixed
> (Bugs 102141, 108821)
>
> - One instance of an untrusted variable being echoed back to a user via
> HTML was fixed (Bug 98146)
>
> - Multiple instances of untrusted variables being passed to SQL queries
> were fixed (Bugs 108812, 108822, 109679, 109690)
>
> More detailed summaries of the specific exploits are available in the
> release notes, which are available on the project web site.
>
> General information about the Bugzilla bug-tracking system can be found at
> http://www.bugzilla.org/
>
> Comments and follow-ups can be directed to the
> netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
> list (see http://www.mozilla.org/community.html for directions on how to
> access these forums).
> --
> Dave Miller
> Lead Software Engineer/System Administrator, Syndicomm Online
> http://www.syndicomm.com/ bugdude1@syndicomm.com
>
Received on Sun Jan 06 2002 - 02:44:22 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:44 MST