Bugtraq mailing list archives
[ GLSA 201006-19 ] Bugzilla: Multiple vulnerabilities
From: Alex Legler <a3li () gentoo org>
Date: Fri, 4 Jun 2010 07:15:02 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory              GLSA 201006-19:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Bugzilla: Multiple vulnerabilities
      Date: June 04, 2010
   Updated: June 04, 2010
      Bugs: #239564, #258592, #264572, #284824, #303437, #303725
        ID: 201006-19:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Bugzilla is prone to multiple medium severity vulnerabilities.

Background
==========

Bugzilla is a bug tracking system from the Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/bugzilla         < 3.2.6                         >= 3.2.6

Description
===========

Multiple vulnerabilities have been reported in Bugzilla. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker might be able to disclose local files, bug
information, passwords, and other data under certain circumstances.
Furthermore, a remote attacker could conduct SQL injection, Cross-Site
Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks via various
vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bugzilla users should upgrade to an unaffected version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-3.2.6"

Bugzilla 2.x and 3.0 have reached their end of life. There will be no
more security updates. All Bugzilla 2.x and 3.0 users should update to a
supported Bugzilla 3.x version.
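A check an administrator can script against the version ranges stated above, as an added example (not Gentoo's tooling and not part of the advisory): it parses a Gentoo-style version string and reports whether the version is below 3.2.6 and whether it sits on one of the end-of-life branches. The version grammar (_alpha/_beta/_pre/_rc/_p suffixes and -rN revisions) is a simplified form of Gentoo's ordering and is an assumption of this example.

```python
# Added example: classify a Bugzilla version against GLSA 201006-19.
# Fixed version, EOL branches and upgrade command come from the advisory;
# the version grammar is a simplified Gentoo ordering (assumption).
import re
from typing import Tuple

FIXED_VERSION = "3.2.6"           # "Unaffected: >= 3.2.6" in the advisory
EOL_BRANCHES = ((2,), (3, 0))     # "Bugzilla 2.x and 3.0 have reached their end of life"
UPGRADE_CMD = 'emerge --ask --oneshot --verbose ">=www-apps/bugzilla-3.2.6"'

# Pre-release suffixes sort below a plain release, _p (patch level) above it.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$"
)

def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int, int]:
    """Turn e.g. '3.2.6_rc1-r2' into a tuple that compares in Gentoo order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers, suffix, suffix_num, revision = m.groups()
    return (
        tuple(int(part) for part in numbers.split(".")),
        _SUFFIX_RANK[suffix or ""],
        int(suffix_num or 0),
        int(revision or 0),
    )

def is_vulnerable(installed: str) -> bool:
    """True when the installed version is in the advisory's '< 3.2.6' range."""
    return parse_version(installed) < parse_version(FIXED_VERSION)

def is_eol_branch(installed: str) -> bool:
    """True for the 2.x and 3.0 branches, which receive no further security fixes."""
    numbers = parse_version(installed)[0]
    return any(numbers[: len(branch)] == branch for branch in EOL_BRANCHES)

def assess(installed: str) -> str:
    """One-line verdict for the version string a package manager reports."""
    if not is_vulnerable(installed):
        return "unaffected"
    if is_eol_branch(installed):
        return "vulnerable (end-of-life branch): migrate to a supported 3.x release"
    return f"vulnerable: run {UPGRADE_CMD}"

if __name__ == "__main__":
    for v in ("3.2.5", "3.2.6_rc1", "3.2.6", "3.2.6-r1", "3.0.11", "2.22.7"):
        print(f"{v:12} {assess(v)}")
```

Note that a plain lexical or `sort -V` comparison would wrongly place a 3.2.6 release candidate at or above 3.2.6; the suffix ranking above keeps it in the vulnerable range.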
References
==========

  [ 1 ] CVE-2008-4437
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4437
  [ 2 ] CVE-2008-6098
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6098
  [ 3 ] CVE-2009-0481
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0481
  [ 4 ] CVE-2009-0482
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0482
  [ 5 ] CVE-2009-0483
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0483
  [ 6 ] CVE-2009-0484
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0484
  [ 7 ] CVE-2009-0485
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0485
  [ 8 ] CVE-2009-0486
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0486
  [ 9 ] CVE-2009-1213
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1213
  [ 10 ] CVE-2009-3125
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3125
  [ 11 ] CVE-2009-3165
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3165
  [ 12 ] CVE-2009-3166
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3166
  [ 13 ] CVE-2009-3387
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3387
  [ 14 ] CVE-2009-3989
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3989

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5