Closed Bug 443044 Opened 17 years ago Closed 16 years ago

Security Advisory for Bugzilla 3.2 RC1, 3.0.5, 2.22.5

Categories

(Bugzilla :: bugzilla.org, defect)

2.22.4
defect
Not set
blocker

RESOLVED FIXED

People

(Reporter: LpSolit, Assigned: LpSolit)

Attachments

(1 file, 2 obsolete files)

Bug 437169 has been fixed in 2.22.5 and newer. We need a security advisory for it. No other security bug on the road.
Attached file security advisory, v1 (obsolete)
I don't know the real name of the reporter. I just sent him an email to get it. I will update the sec adv if he replies on time.
Assignee: website → LpSolit
Status: NEW → ASSIGNED
Attachment #332344 - Flags: review?(mkanat)
Attached file security advisory, v1.1 (obsolete)
The real name of the reporter is Ilja van Sprundel.
Attachment #332344 - Attachment is obsolete: true
Attachment #332385 - Flags: review?(mkanat)
Attachment #332344 - Flags: review?(mkanat)
Comment on attachment 332385 security advisory, v1.1
>Class: Exposure system information
I'm not certain that's the right class...
> The security fix makes sure the relative path is always
> ignored.
Add an additional paragraph:
Most Bugzilla installations will not be vulnerable, as they don't use importxml.pl.
Our security advisories get reprinted everywhere, and sometimes people write about them, and it's nice to explicitly point out that it's not that bad of a vulnerability because very few installations will be affected.
Attachment #332385 - Flags: review?(mkanat) → review-
Attached file security advisory, v2
Changed class to Directory Traversal, and added the paragraph about the issue not affecting most installations.
Attachment #332385 - Attachment is obsolete: true
Attachment #332425 - Flags: review?(mkanat)
Comment on attachment 332425 security advisory, v2
> Most Bugzilla installations will not be vulnerable, as
> they do not use --attach_path with importxml.pl.
Most installations don't even use importxml. But this all looks fine.
Attachment #332425 - Flags: review?(mkanat) → review+
Security advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED