Closed Bug 1042093 Opened 10 years ago Closed 10 years ago

Security advisory for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14

Categories

(Bugzilla :: Documentation, defect)

defect
Not set
blocker

RESOLVED FIXED

People

(Reporter: dkl, Assigned: dkl)

Attachments

(1 file, 1 obsolete file)

One or more security fixes exist for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14 and will need a security advisory.
Flags: blocking4.4.5?
Flags: blocking4.2.10?
Flags: blocking4.0.14?
Depends on: CVE-2014-1546
Flags: blocking4.4.5? → blocking4.4.5+
Flags: blocking4.2.10? → blocking4.2.10+
Flags: blocking4.0.14? → blocking4.0.14+
Attached file sec_adv_4.0.13.txt (obsolete)
Attachment #8460843 - Flags: review?(glob)
Comment on attachment 8460843 [details]
sec_adv_4.0.13.txt

>Credits
>=======
>
>The Bugzilla team wish to thank the following people/organizations for
>their assistance in locating, advising us of, and assisting us in fixing
>these issues:
>
>Mario Gomes


We usually also credit the patch author and reviewer.
Comment on attachment 8460843 [details]
sec_adv_4.0.13.txt

> We usually also credit the patch author and reviewer.

thanks lpsolit -- please add reed, sgreen, and myself.

otherwise it looks good.
Attachment #8460843 - Flags: review?(glob) → review+
Comment on attachment 8460843 [details]
sec_adv_4.0.13.txt

>Versions:    3.7 to 4.0.13, 4.1.1 to 4.2.11, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5

Err wait, these versions are wrong. It must be:

Versions:    3.7.1 to 4.0.13, 4.1.1 to 4.2.9, 4.3.1 to 4.4.4, 4.5.1 to 4.5.4

This is the list of *affected* releases, and so 3.7 doesn't exist (the first release with this bug was 3.7.1, see bug 550727), nor does 4.2.11 (where does this version come from?), and 4.5.5 and 4.4.5 are fixed, not affected.


>Description: Adobe does not properly restrict the SWF file format, which allows
>             remote attackers to conduct cross-site request forgery (CSRF) attacks
>             against Bugzilla's JSONP endpoint, possibly obtaining sensitive
>             bug information, via a crafted OBJECT element with SWF content satisfying
>             the character-set requirements of a callback API.

These lines are longer than the 72 characters we usually use as a hard limit to prevent wrapping in some email clients.


>The fixes for these issues are included in the 4.0.14, 4.2.10, and 4.4.5
>releases.

You forgot to mention 4.5.5, which is also fixed.


Also, you forgot to credit some people, see the previous comments.


I know I'm no longer a reviewer, but r- anyway.
Attachment #8460843 - Flags: review-
Fixed all comments. Moving forward r+.
Attachment #8460843 - Attachment is obsolete: true
Attachment #8461605 - Flags: review+
Sec advisory sent.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Group: bugzilla-security