Re: Fw: Security Advisory for Bugzilla v2.15 (cvs20020103) and older

On Sun, Jan 06, 2002, Robert Collins wrote:
> Does this affect squid-cache.org/bugs?

Probably. I'll look at it tonight.

>
> Rob
> ===
> ----- Original Message -----
> From: "Dave Miller" <bugdude1@syndicomm.com>
> To: <bugtraq@securityfocus.com>
> Sent: Sunday, January 06, 2002 10:45 AM
> Subject: Security Advisory for Bugzilla v2.15 (cvs20020103) and older
>
>
> > All users of Bugzilla, the bug-tracking system from mozilla.org, who
> are
> > using a version of Bugzilla installed from a downloaded tarball or
> package
> > file are strongly recommended to update to version 2.14.1.
> >
> > All users of Bugzilla who are currently using version 2.15 checked out
> of
> > cvs prior to 15 December 2001 are strongly recommended to use 'cvs
> update'
> > to obtain the current cvs code.
> >
> > Bugzilla 2.14.1 is a security update; patches from a number of
> > security-related bugs which have already been applied to the working
> source
> > version 2.15 in cvs, have been applied to Bugzilla 2.14 to create the
> new
> > stable release 2.14.1, which fixes several security issues discovered
> since
> > version 2.14 was released, which we believe are too serious to wait
> for our
> > upcoming 2.16 release.
> >
> > There are many patches that need to be applied to properly close these
> > holes, so they are not included here. If you will not be upgrading
> your
> > system and instead wish to apply these patches to your existing
> > system, a single patch which can be applied to a Bugzilla 2.14
> installation
> > is available at http://www.bugzilla.org/bugzilla2.14to2.14.1.patch
> >
> > Complete bug reports for all bugs can be obtained by visiting the
> > following URL: http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX
> > where you replace the XXXXX at the end of the URL with a bug number as
> > listed below. You may also enter the bug numbers in the "enter a
> bug#" box
> > on the main page at http://bugzilla.mozilla.org/ or in the footer of
> any
> > other page on bugzilla.mozilla.org.
> >
> > *** SECURITY ISSUES RESOLVED ***
> >
> > - Multiple instances of user-account hijacking capability were fixed
> (Bugs
> > 54901, 108385, 185516)
> >
> > - Two occurrences of allowing data protected by Bugzilla's groupset
> > restrictions to be visible to users outside of those groups were fixes
> > (Bugs 102141, 108821)
> >
> > - One instance of an untrusted variable being echoed back to a user
> via
> > HTML was fixed (Bug 98146)
> >
> > - Multiple instances of untrusted variables being passed to SQL
> queries
> > were fixed (Bugs 108812, 108822, 109679, 109690)
> >
> > More detailed summaries of the specific exploits are available in the
> > release notes, which are available on the project web site.
> >
> > General information about the Bugzilla bug-tracking system can be
> found at
> > http://www.bugzilla.org/
> >
> > Comments and follow-ups can be directed to the
> > netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
> mailing
> > list (see http://www.mozilla.org/community.html for directions how to
> > access these forums).
> > --
> > Dave Miller
> > Lead Software Engineer/System Administrator, Syndicomm Online
> > http://www.syndicomm.com/ bugdude1@syndicomm.com
> >
>
Received on Mon Jan 07 2002 - 00:59:57 MST