Security Advisory for Bugzilla 3.0.10, 3.2.5, 3.4.4, and 3.5.2

2010-02-01 Thread mkanat

Summary
===

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers two security issues that have recently been
fixed in the Bugzilla code:

+ Some files stored on the web server are not correctly protected
  against external access and can be viewed from a web browser.

+ Restricting a bug to a group while moving the bug to another product
  has no effect if the group is not used by both products. The bug may
  become public if no other group restriction applies.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=

Issue 1
---
Class:       Information leak
Versions:    all versions before 3.0.11, 3.2.6, 3.4.5, and 3.5.3

Description: Bugzilla allows web browsers to serve the contents of
             files in the CVS/, contrib/, docs/en/xml/, and t/
             directories, as well as the old-params.txt file.
             These files do not contain sensitive data by default, but
             custom installations may have added scripts or files into
             these directories which contain e.g. passwords or some
             other sensitive information. We now forbid access to
             these directories from a web browser as a preventive
             measure.

References:  https://bugzilla.mozilla.org/show_bug.cgi?id=314871
             https://bugzilla.mozilla.org/show_bug.cgi?id=434801
CVE Number:  CVE-2009-3989

Issue 2
---
Class:       Information leak
Versions:    3.3.1 to 3.4.4, 3.5.1, 3.5.2
Description: When moving a bug from one product to another, an
             intermediate page is displayed letting you select the
             groups the bug should be restricted to in the new
             product. However, a regression in the 3.4.x series
             made it ignore all groups which are not available in
             both products. As a workaround, you had to move the
             bug to the new product first and then restrict it to
             the desired groups, in two distinct steps, which
             could make the bug temporarily public.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=532493
CVE Number:  CVE-2009-3387
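Issue 2 is a logic bug in how the intermediate page applies the selected groups. The following is an added example, not Bugzilla's code: a small model of the product-move step with the regressed rule ("keep a group only if both products use it") beside the corrected rule ("keep any selected group the new product allows"). Product, group and bug names are constructed sample data.

```python
"""Group restrictions across a product move (constructed model)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Product:
    name: str
    groups: frozenset  # groups a bug in this product may be restricted to


@dataclass
class Bug:
    bug_id: int
    product: str
    groups: set = field(default_factory=set)

    @property
    def is_public(self) -> bool:
        # No group restriction at all means anyone can read the bug.
        return not self.groups


def move_bug_regressed(bug, old, new, requested):
    """The 3.4.x behaviour: a group chosen on the intermediate page is
    kept only if it is usable in BOTH the old and the new product."""
    bug.groups = {g for g in requested if g in old.groups and g in new.groups}
    bug.product = new.name
    return bug


def move_bug_fixed(bug, old, new, requested):
    """Corrected behaviour: every chosen group is applied as long as the
    NEW product allows it; anything else is an error, not silently dropped."""
    unknown = set(requested) - new.groups
    if unknown:
        raise ValueError("group(s) not usable in %s: %s" % (new.name, sorted(unknown)))
    bug.groups = set(requested)
    bug.product = new.name
    return bug


def demo():
    """Move a confidential bug between two products whose groups do not
    overlap; returns (public after regressed move, public after fixed move)."""
    firefox = Product("Firefox", frozenset({"core-security"}))
    websites = Product("Websites", frozenset({"websites-security"}))
    requested = {"websites-security"}  # what the admin ticks on the page

    regressed = move_bug_regressed(Bug(1, "Firefox", {"core-security"}), firefox, websites, requested)
    fixed = move_bug_fixed(Bug(1, "Firefox", {"core-security"}), firefox, websites, requested)
    return regressed.is_public, fixed.is_public


if __name__ == "__main__":
    print(demo())  # (True, False): the regressed move silently publishes the bug
```

The check that matters after a move is `is_public`: a move that ends with an empty group set, when the submitter selected a group, is the failure mode the advisory describes.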





Vulnerability Solutions
===

The fixes for all of the security bugs mentioned in this advisory are
included in the 3.0.11, 3.2.6, 3.4.5, and 3.5.3 releases. Upgrading
to these releases will protect installations from possible exploits of
these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
===

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix these
situations:

Max Kanat-Alexander
Frédéric Buclin
Reed Loden
Joel Peshkin

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

Security Advisory for Bugzilla 3.2.1, 3.0.7, and 3.3.2

2009-02-03 Thread mkanat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Summary
===

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl,
generated insufficiently random numbers, resulting in all random
tokens being the same, all CSRF protection being defeated, and the
new attachment_base functionality being compromised. Only these
releases were affected--earlier releases are not affected.

All affected installations are encouraged to upgrade as soon as
possible.

Vulnerability Details
=

Class:       Insufficiently Random Numbers
Versions:    3.2.1, 3.0.7, and 3.3.2
Fixed In:    3.2.2, 3.0.8, 3.3.3

Description: Bugzilla was calling srand() at compile time. Under
             mod_perl, this led to all Apache children having the same
             random seed, meaning that they all generated identical
             "random" strings instead of actually random strings.

             This means that all tokens were highly predictable, all
             CSRF protection was easily circumvented, and any
             installation using the new attachment_base functionality
             could possibly have any private attachment viewed without
             the user even logging in.

             Versions before 3.2.1, 3.0.7, and 3.3.2 were not
             affected. Installations that are not using mod_perl
             for Bugzilla are not affected.

References:  https://bugzilla.mozilla.org/show_bug.cgi?id=476594
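The mechanism here is worth seeing in miniature. The block below is an added example, not Bugzilla's code or its actual fix: it models srand() at compile time under a pre-forking server by seeding one generator at module load and handing each "child" a copy of that generator's state, which is exactly what fork() does; deepcopy stands in for fork so no real processes are needed. It then shows the two usual remedies, reseeding after the fork and, for security tokens, not using a seeded PRNG at all. The seed value and token lengths are constructed.

```python
"""Why a PRNG seeded once before forking yields identical tokens."""
import copy
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

# The bug: one generator seeded when the module is loaded (the analogue
# of srand() at compile time). A fixed seed keeps the demo reproducible;
# a time-based seed has the same defect because every child inherits
# whatever state the parent had at fork time.
_LOAD_TIME_RNG = random.Random(20090203)


def _token_from(rng, length):
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def tokens_from_forked_children(children=4, length=16):
    """Each child gets a copy of the parent's PRNG state, as fork() would
    give it, and draws the first token it needs. All children produce
    the same sequence, so every first token is identical."""
    return [_token_from(copy.deepcopy(_LOAD_TIME_RNG), length) for _ in range(children)]


def tokens_reseeded_per_child(children=4, length=16):
    """Remedy 1: each child discards the inherited state by reseeding from
    the operating system after the fork (random.seed() with no argument;
    the Perl analogue is calling srand() in the child, not at compile time)."""
    out = []
    for _ in range(children):
        rng = copy.deepcopy(_LOAD_TIME_RNG)
        rng.seed()
        out.append(_token_from(rng, length))
    return out


def tokens_from_csprng(children=4, length=16):
    """Remedy 2, preferred for CSRF and attachment tokens: draw every token
    from the OS CSPRNG, so there is no seed to share in the first place."""
    return [secrets.token_hex(length // 2) for _ in range(children)]


def all_identical(tokens):
    return len(set(tokens)) == 1


if __name__ == "__main__":
    print("forked copies identical:", all_identical(tokens_from_forked_children()))
    print("reseeded identical:     ", all_identical(tokens_reseeded_per_child()))
    print("csprng identical:       ", all_identical(tokens_from_csprng()))
```

A practical check for any pre-forking deployment is the first line above: request a token from several different worker processes and compare them; equal values mean the seed, not the token, is what each worker is reproducing.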



Vulnerability Solutions
===

The fix for this issue is included in the 3.3.3, 3.2.2, and 3.0.8
releases. Upgrading to a release with the relevant fix will protect
your installation from possible exploits of this issue.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
===

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
these issues:

Philippe M. Chiasson
Dave Miller
Max Kanat-Alexander

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

--
Max Kanat-Alexander
Release Manager, Bugzilla Project
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmIHcoACgkQaL2D/aEJPK4heQCgr6JIKQlgRWtUL+ISeOgWzCZ9
IIEAnA2nPUknQi0QIQuhzx59gL5LGcHd
=zVkI
-END PGP SIGNATURE-

Security Advisory for Bugzilla 3.0.3, 3.1.3, 2.22.3, and 2.20.5

2008-05-06 Thread mkanat

Summary
===

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers three security issues that have recently been
fixed in the Bugzilla code:

* Users without the "canconfirm" privilege could enter a bug as NEW
  or ASSIGNED by using the XML-RPC interface.

* When viewing several bugs at once, there was a Cross-Site Scripting hole.

* The inbound email interface allowed you to set the Reporter via the
  text of the email, instead of just using the From header.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=

Class:       Unauthorized Bug Change
Versions:    3.1.3
Description: Users normally need the "canconfirm" privilege to put bugs
             in the NEW or ASSIGNED state. However, users were being
             allowed to create bugs in the NEW or ASSIGNED state if they
             were creating the bug through the XML-RPC interface.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=415471


Class:       Cross-Site Scripting
Versions:    2.17.2 and higher
Description: When using the "Format for Printing" view of a bug (or
             the "Long Format" of a bug list, which is the same thing),
             there was a cross-site scripting hole--arbitrary text
             from a particular URL parameter could be injected into the
             page without filtering.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=425665


Class:       Account Impersonation (Minor)
Versions:    2.23.4 and higher
Description: By design, email_in.pl always believes the "From" header as
             the user making changes or uses that as the reporter of the
             bug. However, you could also specify the changer/reporter in
             the body of the email and override the "From" header, possibly
             bypassing some security checks set up by administrators
             against the "From" header.
             For most installations this is a minor or inconsequential
             issue, as the documentation of email_in.pl already explains
             that it does not do any user authentication (it just
             believes the "From" header), so installations using it should
             not have been expecting user account security (though they
             may have had checks against the "From" header--that is what
             makes this a security issue).
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=419188
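The third issue is a trust-boundary question: which parts of an inbound message may set which fields. The block below is an added example, not email_in.pl itself. It assumes, for illustration, that body fields are written as "@field = value" lines at the top of the body, and it uses a constructed message. The broken variant lets a body field override the reporter; the fixed variant takes the reporter from the From header only and ignores body fields outside an explicit allow-list, so any administrator check keyed on the From header keeps its meaning.

```python
"""Reporter identity for inbound mail: header only, never the body."""
import email
from email import policy

# Fields a sender may set from the body (constructed allow-list). "reporter"
# is deliberately absent: it is derived from the From header and nowhere else.
SETTABLE_FIELDS = {"product", "component", "version", "priority"}

# Constructed sample message: the body tries to name someone else as reporter.
SAMPLE_MAIL = (
    "From: mallory@example.net\n"
    "To: bugzilla@example.org\n"
    "Subject: Login page returns 500\n"
    "\n"
    "@product = Websites\n"
    "@reporter = admin@example.org\n"
    "\n"
    "Steps to reproduce: open the login page.\n"
)


def parse_body_fields(body):
    """Collect leading '@field = value' lines (assumed syntax for the example)."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line.startswith("@"):
            break
        name, _, value = line[1:].partition("=")
        fields[name.strip().lower()] = value.strip()
    return fields


def _parse(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return msg, parse_body_fields(body)


def header_reporter(msg):
    """The address in the From header, the only identity the script has."""
    return msg["From"].addresses[0].addr_spec


def reporter_broken(raw):
    """Vulnerable pattern: a body field is allowed to replace the header."""
    msg, fields = _parse(raw)
    return fields.get("reporter", header_reporter(msg))


def reporter_fixed(raw):
    """Hardened: reporter always comes from the header; body fields that are
    not on the allow-list are dropped rather than applied."""
    msg, fields = _parse(raw)
    accepted = {k: v for k, v in fields.items() if k in SETTABLE_FIELDS}
    return header_reporter(msg), accepted


if __name__ == "__main__":
    print("broken:", reporter_broken(SAMPLE_MAIL))   # admin@example.org
    print("fixed: ", reporter_fixed(SAMPLE_MAIL))    # ('mallory@example.net', {'product': 'Websites'})
```

The same shape applies to any field that feeds an authorization decision: decide it from the transport-level source you actually trust, and treat everything the submitter typed as data.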



Vulnerability Solutions
===

The fixes for the security bugs mentioned in this advisory are
included in the 3.0.4, 3.1.4, 2.22.4, and 2.20.6 releases. Upgrading
to these releases will protect installations from possible exploits of
these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
===

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these issues:

Frédéric Buclin
Max Kanat-Alexander
Bradley Baetz
Loren Butler
Marc Schumann

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

Security Advisory for Bugzilla 3.0.1 and 3.1.1

2007-09-20 Thread mkanat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Summary
===

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers a critical security issue that has recently been
fixed in the Bugzilla code:

* Even with account creation disabled, users can use the WebService to
  create an account.

We strongly advise that 2.23.x and 3.0.x users upgrade to 3.0.2
immediately. Users of CVS HEAD or 3.1.1 should upgrade to 3.1.2
immediately. This is critical if you have a "requirelogin" installation
and also have the WebService enabled.


Vulnerability Details
=

Class:       Unauthorized Access
Versions:    2.23.3 and above.
Description: Bugzilla::WebService::User::offer_account_by_email does
             not check the "createemailregexp" parameter, and thus
             allows users to create accounts who would normally be
             denied account creation.
             The "emailregexp" parameter is still checked.
             If you do not have the SOAP::Lite Perl module installed on
             your Bugzilla system, your system is not vulnerable
             (because the Bugzilla WebService will not be enabled).

Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=395632
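This finding and the "canconfirm over XML-RPC" issue in the 2008-05-06 advisory above are the same defect seen twice: a rule enforced in the web UI but not in a second entry point. The block below is an added example, not Bugzilla's code, showing the pattern that prevents it: both rules live in one policy object that every entry point must call. The parameter names "emailregexp", "createemailregexp" and the "canconfirm" group are Bugzilla's; the classes, users, regular expressions and the broken entry points are constructed to illustrate the contrast.

```python
"""One policy, every entry point: status and account-creation rules."""
import re

CONFIRMED_STATES = {"NEW", "ASSIGNED"}


class Params:
    """Installation parameters (names as in Bugzilla, values constructed)."""
    def __init__(self, emailregexp, createemailregexp):
        self.emailregexp = re.compile(emailregexp)
        self.createemailregexp = re.compile(createemailregexp)


class User:
    def __init__(self, login, groups=()):
        self.login = login
        self.groups = frozenset(groups)


class Policy:
    """The single place where both rules live; web UI and RPC both call it."""
    def __init__(self, params):
        self.params = params

    def initial_status(self, user, requested):
        # Without 'canconfirm' a new bug may not start in a confirmed state.
        if requested in CONFIRMED_STATES and "canconfirm" not in user.groups:
            return "UNCONFIRMED"
        return requested

    def may_create_account(self, email):
        # Both patterns must accept the address, whichever path asks.
        p = self.params
        return bool(p.emailregexp.fullmatch(email) and p.createemailregexp.fullmatch(email))


# --- Broken entry points: each re-implements (part of) the rule itself ----
def xmlrpc_create_bug_broken(user, status):
    """Trusts the caller's requested status outright."""
    return {"status": status}


def webservice_offer_account_broken(params, email):
    """Consults emailregexp only; createemailregexp is never checked."""
    return bool(params.emailregexp.fullmatch(email))


# --- Fixed entry points: delegate to Policy, same as the web UI would ------
def xmlrpc_create_bug_fixed(policy, user, status):
    return {"status": policy.initial_status(user, status)}


def webservice_offer_account_fixed(policy, email):
    return policy.may_create_account(email)


if __name__ == "__main__":
    params = Params(r"[^@]+@[^@]+", r"[^@]+@example\.org")
    policy = Policy(params)
    guest = User("guest@example.org")
    print(xmlrpc_create_bug_broken(guest, "NEW"), xmlrpc_create_bug_fixed(policy, guest, "NEW"))
    print(webservice_offer_account_broken(params, "mallory@example.net"),
          webservice_offer_account_fixed(policy, "mallory@example.net"))
```

When reviewing a code base with more than one interface, the test to write is the one at the bottom: call the same operation through each entry point with the same unprivileged identity and assert the outcomes agree.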


Vulnerability Solutions
===

The fix for the security bug mentioned in this advisory is
included in the 3.0.2 and 3.1.2 releases. Upgrading to these
releases will protect installations from possible exploits of this
issue.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/

If you are unable to upgrade, you should IMMEDIATELY apply the
appropriate patch for your version:

2.23.x & 3.0.x: https://bugzilla.mozilla.org/attachment.cgi?id=280385
 3.1.x: https://bugzilla.mozilla.org/attachment.cgi?id=280316


Credits
===

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
this issue:

Sascha Jensen
Frédéric Buclin
Max Kanat-Alexander
Marc Schumann

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

-Max Kanat-Alexander
Release Manager, Bugzilla Project
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG8aCnaL2D/aEJPK4RAmvIAKDV/8QLPzBh3FIquCISug1SScQIQwCg568R
sDrDqfbLXfcjA/MQ+rTdPLM=
=CH0G
-END PGP SIGNATURE-


Security Advisory for Bugzilla 3.0, 2.22.1, and 2.20.4

2007-08-24 Thread mkanat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Summary
===

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers three security issues that have recently been
fixed in the Bugzilla code:

+ A possible cross-site scripting (XSS) vulnerability when filing bugs
  using the guided form.

+ When using email_in.pl, insufficiently escaped data may be passed to
  sendmail.

+ Users using the WebService interface may access Bugzilla's
  time-tracking fields even if they normally cannot see them.

We strongly advise that 2.20.x and 2.22.x users should upgrade to 2.20.5
and 2.22.3 respectively. 3.0 users, and users of 2.18.x or below, should
upgrade to 3.0.1.

Vulnerability Details
=

Issue 1
---
Class:       Cross-Site Scripting
Versions:    2.17.1 and above
Description: Bugzilla does not properly escape the 'buildid' field in
             the guided form when filing bugs. From 2.17.1 till 2.23.3,
             this field was based exclusively on the User-Agent string
             returned by your web browser. Since 2.23.4, this parameter
             can be defined in the URL passed to enter_bug.cgi,
             overwriting the User-Agent string and may lead to cross-site
             scripting. The guided form is not usually used by Bugzilla
             installations, as it is shipped only as an example to be
             modified for their own use.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=386942

Issue 2
---
Class:       Command Injection
Versions:    2.23.4 and above
Description: Bugzilla 2.23.4 and newer use the Email:: modules instead
             of the Mail:: and MIME:: ones. The argument passed to the
             -f option of Email::Send::Sendmail() is insufficiently escaped
             and may lead to limited command injection when called from
             email_in.pl, a script which was also introduced in 2.23.4.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=386860
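Issue 2 is the classic "address string reaches a command line" defect. The block below is an added example, not Bugzilla's or Email::Send's code, written in Python for clarity. It shows the two measures that close this class of bug regardless of the mail library in use: validate the envelope sender against a strict pattern (which also refuses a leading hyphen, so the value can never be read as a further option), and build the sendmail invocation as an argv list for `subprocess.run` with no shell, so no character in the address is ever interpreted. The sendmail path and the sample addresses are constructed.

```python
"""Passing an envelope sender to sendmail without a shell."""
import re
import subprocess

# Deliberately strict: first character alphanumeric (never '-'), then a
# conservative local part and a dotted domain. Real mailboxes outside this
# grammar are rejected rather than risked.
SAFE_ADDRESS = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def is_safe_sender(address):
    return bool(SAFE_ADDRESS.fullmatch(address))


def validate_sender(address):
    if not is_safe_sender(address):
        raise ValueError("envelope sender rejected: %r" % (address,))
    return address


def unsafe_sendmail_command(sender, recipients, sendmail="/usr/sbin/sendmail"):
    """The vulnerable pattern: one string handed to a shell, in which every
    shell metacharacter inside `sender` keeps its meaning. Shown for
    contrast; nothing here executes it."""
    return "%s -i -f %s %s" % (sendmail, sender, " ".join(recipients))


def sendmail_argv(sender, recipients, sendmail="/usr/sbin/sendmail"):
    """argv for subprocess.run(..., shell=False): each element is exactly
    one argument, so the address is only ever the value of -f."""
    validate_sender(sender)
    for r in recipients:
        validate_sender(r)
    return [sendmail, "-i", "-f", sender, *recipients]


def send_message(sender, recipients, message_bytes, sendmail="/usr/sbin/sendmail"):
    """Hardened send: validated arguments, no shell, message on stdin."""
    argv = sendmail_argv(sender, recipients, sendmail)
    subprocess.run(argv, input=message_bytes, check=True)  # shell=False is the default


if __name__ == "__main__":
    print(sendmail_argv("alice@example.org", ["bob@example.org"]))
    print(is_safe_sender("alice@example.org; true"), is_safe_sender("-oQ/tmp@example.org"))
```

The validation step is what gives the "limited" in "limited command injection" no room at all: even with an argv list, an unvalidated value beginning with a hyphen would still be parsed by sendmail as an option.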

Issue 3
---
Class:       Information Leak
Versions:    2.23.3 and above
Description: Bugzilla's WebService (XML-RPC) interface allows you to
             access the time-tracking fields (such as Deadline, Estimated
             Time, etc.) on all bugs, even if you normally cannot access
             time-tracking fields.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=382056


Vulnerability Solutions
===

The fixes for all of the security bugs mentioned in this advisory are
included in the 2.20.5, 2.22.3, 3.0.1 and 3.1.1 releases. Upgrading to
these releases will protect installations from possible exploits of
these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
===

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix these
situations:

Frédéric Buclin
Max Kanat-Alexander
Dave Miller
Loïc Minier
Masahiro Yamada

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

- -Max Kanat-Alexander
Release Manager, Bugzilla Project
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGzfUyaL2D/aEJPK4RAg45AJ9BbvXDxCo8BDHtXmYwcQmJk2LVAgCgwlH9
DICuj3dpooF9hOx8d3yLJmE=
=vqUf
-END PGP SIGNATURE-


Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.3

2007-02-03 Thread mkanat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Summary
===

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers two security issues that have recently been
fixed in the Bugzilla code:

+ A possible cross-site scripting (XSS) vulnerability in Atom feeds
  produced by Bugzilla.

+ Web server settings given by Bugzilla which provide security settings
  to protect data files from access via the web are overridden by the
  mod_perl startup script when running under mod_perl (development
  snapshot only).

We strongly advise that 2.20.x users should upgrade to 2.20.4. 2.22
users, and users of 2.16.x or below, should upgrade to 2.22.2. Versions
2.18.x are not affected by either of these vulnerabilities.

Development snapshots of 2.23 before 2.23.4 are also vulnerable to all
of these issues. If you are using a development snapshot, you should
upgrade to 2.23.4, use CVS to update, or apply the patches from the
specific bugs listed below.

Vulnerability Details
=

Issue 1
---
Class:       Cross-Site Scripting
Versions:    2.20.1 and above
Description: Bugzilla does not properly escape some fields in generated
             Atom feeds, which leads to the potential for cross-site
             scripting in feed readers that support javascript and
             properly implement the Atom feed specification.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=367674

Issue 2
---
Class:       Database password disclosure
Versions:    2.23.3 only
Description: Bugzilla development snapshot version 2.23.3 introduced
             the ability to run Bugzilla under mod_perl on Apache.
             The mod_perl initialization script included with Bugzilla
             defines a new  block in the Apache configuration
             for the directory containing Bugzilla. This block fails to
             include permission for .htaccess files to override file
             access permissions.  The .htaccess file shipped with
             Bugzilla prohibits access by web browsers to read the
             localconfig file, which contains the username and password
             for connecting to the database server.
             If you are not running Bugzilla under mod_perl, then this
             does not affect you.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=367071
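Both this issue and Issue 1 of the 2010-02-01 advisory at the top of this page (browser access to CVS/, contrib/, docs/en/xml/, t/ and old-params.txt) come down to what the web server is told about a directory. The fragment below is an added example, not configuration shipped by Bugzilla: the weak block beside a corrected one, in Apache 2.2-era syntax. The install path is a placeholder, and the AllowOverride list is an assumption about what the shipped .htaccess files need.

```apache
# Weak: no AllowOverride, so Apache's default of "AllowOverride None"
# applies inside this block and the .htaccess files that protect
# localconfig are silently ignored.
<Directory /var/www/bugzilla>
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>

# Corrected: honour the shipped .htaccess files, and also state the
# critical denials in the main configuration so they do not depend on
# .htaccess processing at all.
<Directory /var/www/bugzilla>
    Options +ExecCGI
    AddHandler cgi-script .cgi
    AllowOverride Limit FileInfo Indexes Options
    <FilesMatch "^(localconfig|old-params\.txt)$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</Directory>

# Directories that hold nothing a browser should ever fetch.
<DirectoryMatch "/CVS(/|$)">
    Order deny,allow
    Deny from all
</DirectoryMatch>
<Directory /var/www/bugzilla/contrib>
    Order deny,allow
    Deny from all
</Directory>
<Directory /var/www/bugzilla/docs/en/xml>
    Order deny,allow
    Deny from all
</Directory>
<Directory /var/www/bugzilla/t>
    Order deny,allow
    Deny from all
</Directory>
```

After any change of this kind, the check is the one the advisory implies: request localconfig and one file under each listed directory from a browser and confirm the server answers 403 for all of them.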


Vulnerability Solutions
===

The fixes for all of the security bugs mentioned in this advisory are
included in the 2.20.4, 2.22.2, and 2.23.4 releases. Upgrading to these
releases will protect installations from possible exploits of these
issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
===

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix these
situations:

Frédéric Buclin
Dave Miller
Olav Vitters
Max Kanat-Alexander

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFw96laL2D/aEJPK4RAnNoAJ0R0Gz0Q8B5FkVx6NeMu5ReMtyhMACeOQ+P
AOlfSHsEKMJRrL1WV6Xl+VY=
=RcCp
-END PGP SIGNATURE-


Security Advisory for Bugzilla 2.18.5, 2.20.2, 2.22, and 2.23.2

2006-10-16 Thread mkanat
Summary
===

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers six security issues that have recently been 
fixed in the Bugzilla code:

+ Sometimes the information put into the  and  tags in Bugzilla
  was not properly escaped, leading to a possible XSS vulnerability.

+ Bugzilla administrators were allowed to put raw, unfiltered HTML into
  many fields in Bugzilla, leading to a possible XSS vulnerability. 
  Now, the HTML allowed in those fields is limited.

+ attachment.cgi could leak the names of private attachments

+ The "deadline" field was visible in the XML format of a bug, even to
  users who were not a member of the "timetrackinggroup."

+ A malicious user could pass a URL to an admin, and make the admin
  delete or change something that he had not intended to delete or 
  change.

+ It is possible to inject arbitrary HTML into the showdependencygraph.cgi
  page, allowing for a cross-site scripting attack.

We strongly advise that 2.18.x users upgrade to 2.18.6. 2.20.x users
should upgrade to 2.20.3. 2.22 users, and users of 2.16.x or below,
should upgrade to 2.22.1.

Development snapshots of 2.23 before 2.23.3 are also vulnerable to all
of these issues. If you are using a development snapshot, you should
upgrade to 2.23.3, use CVS to update, or apply the patches from the 
specific bugs listed below.

Vulnerability Details
=

Issue 1
---
Class:       Cross-Site Scripting
Versions:    2.15 and above
Description: Bugzilla sometimes displays admin-provided data in page
             headers (meaning the  and  HTML tags of a page).
             Sometimes, this data was not properly escaped, leading to
             the possibility of a Cross-Site Scripting vulnerability.
             For the most part, this was only exploitable by
             administrators, and so is not of critical severity.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=330555

Issue 2
---
Class:       Cross-Site Scripting
Versions:    2.0 and above
Description: Bugzilla allows administrators to put HTML in the
             descriptions of products, components, and other items. It
             also allows HTML in certain other fields. Before the
             most recent releases of Bugzilla, this HTML was completely
             unfiltered. These fields are only editable by
             certain users, who are specified by the admin. This makes
             this vulnerability less severe. However, these users could
             use this exploit to perform Cross-Site Scripting attacks
             on nearly all users of a particular Bugzilla (including
             users with higher permission levels than themselves).

             Bugzilla now allows only certain HTML tags in those fields,
             protecting users from a Cross-Site Scripting attack.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=206037
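Issues 1 and 2 here are the two halves of output handling that the earlier cross-site scripting findings on this page (the "Format for Printing" view, the guided form's buildid field, the Atom feed fields) also turn on: data that is meant to be text is escaped in full, and the few fields where administrators are allowed markup are filtered against an allow-list rather than passed through. The block below is an added example, not Bugzilla's filter, built on Python's html.parser; the set of allowed tags, attributes and URL schemes is constructed for the example.

```python
"""Escape plain text; allow-list the fields that may carry HTML."""
import html
from html.parser import HTMLParser

# Tags an administrator may use in a description, and the attributes
# each may carry (constructed allow-list). Everything else is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(),
    "p": set(), "br": set(), "a": {"href", "title"},
}
DROP_CONTENT = {"script", "style"}          # tag AND its text are discarded
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def escape_for_header(text):
    """For page headers, titles and any other text-only field: everything
    becomes literal text, including quotes (so it is safe in attributes)."""
    return html.escape(text, quote=True)


class AllowListSanitizer(HTMLParser):
    """Rebuilds the markup from scratch, emitting only allowed tags and
    attributes and re-escaping all text. Unknown tags vanish but their text
    survives; script/style vanish together with their content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # refuses javascript:, data:, vbscript: and friends
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_description(markup):
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()  # flushes any trailing text
    return "".join(parser.out)


if __name__ == "__main__":
    print(escape_for_header('Bugs <script>'))
    print(sanitize_description('<b>Firefox</b> <script>beep()</script> '
                               '<a href="javascript:x" onclick="y">link</a> & more'))
```

Two properties are worth checking on any such filter: its output must be well-formed under the same allow-list (so running it twice changes nothing), and a text-only field must never be routed through the sanitizer, since an allow-listed tag typed into a component name is still markup where only a name was expected.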

Issue 3
---
Class:       Information Leak
Versions:    2.17 and above
Description: When viewing an attachment in "Diff" mode, a user who is
             not in the "insidergroup" (the group required to view
             private attachments) can read the one-line descriptions
             of all attachments, even "private" attachments.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=346086

Issue 4
---
Class:       Information Leak
Versions:    2.19.2 and above
Description: Bugzilla has a "deadline" field, which is usually only
             visible to people in the "timetrackinggroup" group.
             However, it was exposed in the XML format of a bug to all
             users.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=346564

Issue 5
---
Class:       Security Enhancement
Versions:    2.0 and above
Description: Bugzilla updates, deletes, and creates data through a
             web interface. Administrators update things like user
             accounts through this interface. All of these pages accept
             URL variables in both GET and POST formats.

             A malicious user could craft a URL that would edit a user
             (or any other admin-protected item), and then using a
             service like TinyURL, could obscure the URL so that an
             administrator couldn't tell what it was. Then, getting the
             administrator to click on that URL, the action would be
             performed, against the administrator's will.

             This is now prevented. Bugzilla will only accept changes
             on administrative pages if they come from Bugzilla's own
             forms. That is, you have to use the form to make changes--
             you now cannot just click a URL and accidentally make an
             administrative change to Bugzilla.

             Although technically this affects all versions of Bugzilla,
             it has only been fixed on our most recent release (2.22.1
             and our latest development snapshot, 2
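Issue 5 states the fix in words: administrative changes are accepted only when they come from Bugzilla's own forms. The block below is an added example, not Bugzilla's implementation, of the standard way to make that statement enforceable: each form carries a token derived from a secret held in the administrator's session and the name of the action, and the handler applies the change only for a POST that echoes a token it can recompute. A link the administrator follows is a GET with no token, and a request forged from another site has no way to learn the secret, so neither can pass. The session and request objects are constructed stand-ins; the same check also gives the 2009-02-03 advisory's point a concrete shape, since a token is only as good as the randomness of the secret behind it.

```python
"""Accept administrative changes only from the application's own forms."""
import hashlib
import hmac
import secrets


class Session:
    """Constructed stand-in for a logged-in administrator's session."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)  # per-login secret, never sent as-is


class Forbidden(Exception):
    pass


def issue_token(session, action):
    """Token embedded in one administrative form; bound to the session AND
    the action, so a token for one form cannot be replayed against another."""
    return hmac.new(session.secret, action.encode(), hashlib.sha256).hexdigest()


def check_token(session, action, supplied):
    if not isinstance(supplied, str) or not supplied.isascii():
        return False
    expected = issue_token(session, action)
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


def handle_admin_request(session, method, action, params, apply_change):
    """Apply a change only for a POST that carries a valid token for `action`."""
    if method != "POST":
        raise Forbidden("administrative changes are accepted only from the form (POST)")
    if not check_token(session, action, params.get("token")):
        raise Forbidden("missing or invalid token for %s" % action)
    return apply_change(params)


def simulate():
    """Three ways a change could reach edit_user; returns which succeeded."""
    session = Session()
    applied = []

    def apply_change(params):
        applied.append(params["login"])
        return True

    def attempt(method, params):
        try:
            return handle_admin_request(session, method, "edit_user", params, apply_change)
        except Forbidden:
            return False

    return {
        # 1. the administrator follows an obscured link: a GET, no token
        "link": attempt("GET", {"login": "victim"}),
        # 2. a POST auto-submitted from another site: no access to the secret
        "forged_post": attempt("POST", {"login": "victim", "token": secrets.token_hex(32)}),
        # 3. Bugzilla's own form, which carried the issued token
        "own_form": attempt("POST", {"login": "victim", "token": issue_token(session, "edit_user")}),
    }


if __name__ == "__main__":
    print(simulate())  # {'link': False, 'forged_post': False, 'own_form': True}
```

Binding the token to the action name is the detail that turns "came from a form" into "came from this form": without it, a token obtained from any harmless form would also authorise a delete.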

[BUGZILLA] Security Advisory for Bugzilla 2.20, 2.21.1, and 2.18.4

2006-02-21 Thread mkanat
Summary
===

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers three security bugs that have recently been
discovered and fixed in the Bugzilla code:

+ The 'whinedays' and 'mostfreqthreshold' parameters are not correctly
  validated in editparams.cgi. The first one can lead to SQL injection.

+ Escaped HTML markup in titles of RSS feeds is incorrectly decoded by
  some RSS readers and could potentially lead to XSS vulnerabilities.

+ The login form on the home page, in conjunction with very specific
  configuration settings and a specially formed URL, may redirect you
  outside the Bugzilla installation, allowing the login name and password
  to be stolen.

All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.20.1.

Development snapshots of 2.21 before 2.22rc1 are also vulnerable.
If you are using a development snapshot, you should upgrade to 2.22rc1,
use CVS to update, or apply the patches from the specific bugs listed below.

None of these vulnerabilities affect the old Bugzilla 2.16.x versions.

Vulnerability Details
=

Issue 1
---
Class:       SQL injection
Versions:    2.17.1 and above
Description: The 'whinedays' parameter, editable from editparams.cgi,
             is not validated before being saved. This can lead to SQL
             injection in the whineatnews.pl script. This injection
             requires administrative privileges.
             The validation for the 'mostfreqthreshold' parameter is also
             missing, but this is not exploitable.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=312498
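The 'whinedays' issue shows why an administrator-only parameter still needs two defences: validation when it is saved, and a query that treats it as a value rather than as SQL text. The block below is an added example, not whineateews.pl or Bugzilla's parameter code; it uses an in-memory SQLite table with constructed rows in place of the bugs table, and a `days_idle` column in place of the date arithmetic the real script performs.

```python
"""Validate the parameter on save, bind it on use."""
import sqlite3


def validate_whinedays(value):
    """Accept only a non-negative integer (given as int or as a string from
    the form). Anything else is rejected at editparams time."""
    if isinstance(value, bool):
        raise ValueError("whinedays must be an integer, got a boolean")
    try:
        days = int(str(value).strip())
    except ValueError:
        raise ValueError("whinedays must be an integer, got %r" % (value,)) from None
    if days < 0:
        raise ValueError("whinedays must not be negative")
    return days


def open_sample_db():
    """Constructed stand-in for the bugs table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, bug_status TEXT, days_idle INTEGER)")
    conn.executemany("INSERT INTO bugs VALUES (?, ?, ?)", [
        (1, "NEW", 2), (2, "NEW", 9), (3, "ASSIGNED", 30), (4, "NEW", 14),
    ])
    return conn


def unsafe_stale_bug_ids(conn, whinedays):
    """Vulnerable pattern: the parameter is spliced into the SQL text, so a
    non-numeric value becomes part of the statement. Kept for contrast."""
    sql = "SELECT bug_id FROM bugs WHERE bug_status = 'NEW' AND days_idle >= %s" % whinedays
    return [row[0] for row in conn.execute(sql)]


def stale_bug_ids(conn, whinedays):
    """Hardened: validate first, then bind the value as a query parameter,
    so even a stored value that somehow escaped validation stays data."""
    days = validate_whinedays(whinedays)
    rows = conn.execute(
        "SELECT bug_id FROM bugs WHERE bug_status = 'NEW' AND days_idle >= ? ORDER BY bug_id",
        (days,),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_sample_db()
    print(stale_bug_ids(db, "7"))  # [2, 4]
```

The two layers are independent on purpose: validation protects every consumer of the stored parameter, and parameter binding protects this query even if a consumer is added later that forgets to validate.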


Issue 2
---
Class:       Cross Site Scripting
Versions:    2.20rc1 - 2.20, 2.21.1
Description: Some RSS readers incorrectly decode escaped HTML markup in
             feed titles and this could be used to inject some scripts.
             Although this is not a Bugzilla bug, we prefer to shift to
             Atom feeds, where the RFC is unambiguous about HTML markup
             in feed titles.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=313441


Issue 3
---
Class:       Sensitive Data Exposure
Versions:    2.19.3 and above
Description: When the Bugzilla login page is at a subdirectory of the web
             server and the subdirectory name is a resolvable host on the
             victim's local network, it is possible to craft a URL that,
             when used to login to Bugzilla, would send the user's
             credentials to this host.
             These conditions make this flaw very difficult to exploit.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=325079


Vulnerability Solutions
===

The fixes for all of the security bugs mentioned in this advisory
are included in the 2.18.5, 2.20.1, and 2.22rc1 releases. Upgrading
to these releases will protect installations from possible exploits
of these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:
  http://www.bugzilla.org/download.html

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
===

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:

Frédéric Buclin
Phil Ringnalda
Myk Melez
Teemu Mannermaa


General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/support/ has directions for
accessing these forums.