Package: bugzilla
Version: 2.18.3-2
Severity: grave
Tags: security
Justification: user security hole
Two information disclosure vulnerabilities have been found in Bugzilla:
+ It is possible to bypass the user visibility groups restrictions
if user-matching is turned on in substring mode.
+ config.cgi exposes information to users who aren't logged in, even
when requirelogin is turned on in Bugzilla.
Please see http://www.bugzilla.org/security/2.18.4/ for the full advisory.
2.18.4 fixes these issues.
Cheers,
Moritz
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages bugzilla depends on:
pn apache | roxen2 | apache-ssl Not found.
ii debconf 1.4.30.13 Debian configuration management sy
ii exim4-daemon-light [mail-tran 4.50-8 lightweight exim MTA (v4) daemon
ii libdbd-mysql-perl 2.9006-1 A Perl5 database interface to the
ii libtimedate-perl 1.1600-4 Time and date functions for Perl