Bug#331206: bugzilla: Two information disclosure vulnerabilities in Bugzilla

2005-10-02 Thread Moritz Muehlenhoff
Package: bugzilla
Version: 2.18.3-2
Severity: grave
Tags: security
Justification: user security hole

Two information disclosure vulnerabilities have been found in Bugzilla:

+ It is possible to bypass the user visibility groups restrictions
  if user-matching is turned on in substring mode.
+ config.cgi exposes information to users who aren't logged in, even
  when requirelogin is turned on in Bugzilla.

Please see http://www.bugzilla.org/security/2.18.4/ for the full advisory.
2.18.4 fixes these issues.

Cheers,
Moritz

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages bugzilla depends on:
pn  apache | roxen2 | apache-ssl Not found.
ii  debconf   1.4.30.13  Debian configuration management sy
ii  exim4-daemon-light [mail-tran 4.50-8 lightweight exim MTA (v4) daemon
ii  libdbd-mysql-perl 2.9006-1   A Perl5 database interface to the 
ii  libtimedate-perl  1.1600-4   Time and date functions for Perl


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#331206: bugzilla: Two information disclosure vulnerabilities in Bugzilla

2005-10-02 Thread Alexis Sukrieh
tags 331206 + confirmed
thanks

* Moritz Muehlenhoff ([EMAIL PROTECTED]) wrote:
> [...]
>
> Please see http://www.bugzilla.org/security/2.18.4/ for the full advisory.
> 2.18.4 fixes these issues.

Ok, I'll then package 2.18.4 as soon as possible for closing those issues.
Thanks for the report.

--
Alexis Sukrieh





Processed: Re: Bug#331206: bugzilla: Two information disclosure vulnerabilities in Bugzilla

2005-10-02 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tags 331206 + confirmed
Bug#331206: bugzilla: Two information disclosure vulnerabilities in Bugzilla
Tags were: security
Tags added: confirmed

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

