One or more security fixes exist for Bugzilla 5.0rc1, 4.4.7, 4.2.12, and 4.0.16 and will need a security advisory.
No CVE required for 1090275 as only a small subset of harmless methods were able to be exploited and the whitelist was added to future-proof any new code changes later. We will note that in the security advisory. dkl
Created attachment 8551878: sec_adv_4.0.15.txt
Comment on attachment 8551878: sec_adv_4.0.15.txt

Sorry. Forgot to add the credits. New version coming up.
Created attachment 8551886: sec_adv_4.0.15_2.txt
Comment on attachment 8551886: sec_adv_4.0.15_2.txt

>* An user with editcomponents permissions could possibly inject system

s/An user/A user/

>Class: Command Injection
>Versions: 2.17.1 to 4.0.15, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6

I'm not sure about 2.17.1. I would say "All versions before 4.0.16, 4.1.1 to ..."

>Description: Some code in Bugzilla did not properly utilize 3 argument form for

3 arguments (plural)? Also, I think using the present rather than the past to write the sec adv would be better.

>Class: Information Leak
>Versions: 2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.6

Webservices has been implemented in 2.23.3. Also, all "end" versions are wrong (that's those from an older sec adv).

> functions from other non-WebService modules. A whitelist has been
> added that list explicit methods that can be executed via the API.

s/that list/that lists/ ?

> http://www.bugzilla.org/download/

s/http/https/ Same for other links to bugzilla.org.
Attachment #8551886 - Flags: review?(LpSolit) → review-
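The following is an added example, not Bugzilla code and not one of this bug's attachments. It illustrates the two advisory items reviewed above: the difference between Perl's 2-argument and 3-argument open(), where the 2-argument form parses its string for pipe and redirection characters, and an explicit allowlist of WebService methods so that subs imported from non-WebService modules cannot be reached over the API. It assumes open() is the call the advisory's "3 argument form" refers to (the thread does not say which call was changed); the package Example::WebService::Bug, its subs, the dispatch() helper and the string $TAINTED are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code.  Part 1 contrasts 2-arg and 3-arg open();
# part 2 is a minimal allowlist dispatcher of the kind described for the
# WebService.  Names and inputs are hypothetical.
use strict;
use warnings;

# --- Part 1: 2-argument vs 3-argument open() -------------------------------

# Constructed attacker-controlled string (hypothetical: a component name typed
# by a user with editcomponents).  Under 2-arg open, a trailing '|' turns the
# "filename" into a command whose output is read.  'echo' is used so the
# demonstration is harmless.
our $TAINTED = 'echo hello-from-shell |';

# Vulnerable pattern: no mode argument, so Perl interprets the string.
sub read_two_arg {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close($fh);
    return $data;
}

# Hardened pattern: explicit mode, third argument is a literal path.  The same
# string now names a file that does not exist, so open() fails with ENOENT.
sub read_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close($fh);
    return $data;
}

print "2-arg open : ", read_two_arg($TAINTED);          # hello-from-shell
print "3-arg open : ", read_three_arg($TAINTED), "\n";  # open failed: No such file or directory

# --- Part 2: allowlist of callable WebService methods ----------------------

{
    # Hypothetical WebService package.  'get' and 'create' are meant to be
    # RPC-callable; '_load_raw' stands in for a helper imported from a
    # non-WebService module that happens to live in the same namespace.
    package Example::WebService::Bug;
    sub get       { my ($class, %p) = @_; return { id => $p{ids}[0], summary => 'demo' }; }
    sub create    { my ($class, %p) = @_; return { id => 42 }; }
    sub _load_raw { return 'internal helper: must not be reachable over RPC'; }
}

# Explicit list of method names the API may invoke.  Anything else in the
# package, including later additions, stays unreachable until listed here.
my %ALLOWED = map { $_ => 1 } qw(get create);

sub dispatch {
    my ($method, %params) = @_;
    return "refused: '$method' is not an allowlisted WebService method"
        unless $ALLOWED{$method};
    my $code = Example::WebService::Bug->can($method)
        or return "refused: no such method '$method'";
    return Example::WebService::Bug->$code(%params);
}

my $r = dispatch('get', ids => [7]);
print "dispatch get       : id=$r->{id}\n";                  # id=7
print "dispatch _load_raw : ", dispatch('_load_raw'), "\n";  # refused: '_load_raw' is not ...
```

The check in dispatch() deliberately consults %ALLOWED before can(): a name that is resolvable but not listed is refused with the same message as an unknown one, so the response does not reveal which unlisted subs exist in the package.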
Created attachment 8552010: sec_adv_4.0.15_3.txt

Thanks. Changes applied.
Comment on attachment 8552010: sec_adv_4.0.15_3.txt

r=LpSolit
Attachment #8552010 - Flags: review?(LpSolit) → review+
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED