Bug 515454
Opened 16 years ago
Closed 16 years ago
Security Advisory for Bugzilla 3.0.9, 3.2.5, and 3.4.2
Categories: Bugzilla :: bugzilla.org, defect
Status: RESOLVED FIXED
People: Reporter: LpSolit, Assigned: mkanat
Attachments: 1 file, 4 obsolete files
There are some very critical security bugs we are going to fix in the coming releases + some less critical ones, see the dependency list.
Updated by Assignee • 16 years ago
Summary: Security Advisory for Bugzilla 3.0.9, 3.2.5, 3.4.2 and 3.5.1 → Security Advisory for Bugzilla 3.0.9, 3.2.5, and 3.4.2
Comment 1 (Assignee) • 16 years ago
I'm just going to assume that bug 314871 (which is a very minor issue) isn't going to make this release, because we have a lot of other work to do for the release, and I don't want to check in too many security bugs at once and have various unknown regressions from their interactions.
No longer depends on: CVE-2009-3989
Comment 2 (Assignee) • 16 years ago
Updated by Assignee • 16 years ago
Component: Bugzilla-General → bugzilla.org
Comment 3 • 16 years ago
Use CVE-2009-3125 for the first SQL injection vuln. I've put in a follow-up request for two more. Hopefully, will have them either later tonight or tomorrow, but I wouldn't hold the release for them, if it needs to be rushed.
Comment 4 (Assignee) • 16 years ago
Here's a second version. This one has the first CVE that reed has given us, and also has a note that you can just apply the security patches if you need to.
Attachment #399611 - Attachment is obsolete: true
Attachment #399637 - Flags: review?(LpSolit)
Attachment #399611 - Flags: review?(LpSolit)
Updated by Reporter • 16 years ago
Comment 5 (Reporter) • 16 years ago
Comment on attachment 399637
v2
>Versions: 3.3.2 to 3.4.2, 3.5
to 3.4.1
>Class: SQL Injection
>Versions:
You forgot to fill Versions.
>Versions: 2.23.4 to 3.0.8, 3.1.1 to 3.2.4, 3.3.1 to 3.4.1
I don't know which bug regressed this. Which one is this? I don't think the 3.0.x and 3.2.x branches are affected as you cannot log in from the token.cgi page itself.
>The fix for this issue in is included in the 3.4.2, 3.2.5, and 3.0.9
There are several fixes and issues.
Attachment #399637 - Flags: review?(LpSolit) → review-
Comment 6 (Assignee) • 16 years ago
Attachment #399637 - Attachment is obsolete: true
Attachment #399912 - Flags: review?(LpSolit)
Comment 7 (Assignee) • 16 years ago
I added a note that you can't insert additional statements with semicolons (because this information may be useful for press or security institutions who are writing about this vulnerability), and also re-worded some information to make it clear that this *is* exploitable, just not (as far as we know) to delete or modify existing data.
Attachment #399912 - Attachment is obsolete: true
Attachment #399917 - Flags: review?(LpSolit)
Attachment #399912 - Flags: review?(LpSolit)
Comment 8 (Reporter) • 16 years ago
Comment on attachment 399917
v4
>Class: Sensitive Data Exposure
>Versions: 3.4rc1 to 3.4.1
The mini-login form has been introduced in bug 476090, meaning that 3.3.4 is also affected.
r=LpSolit with s/3.4rc1/3.3.4/.
Attachment #399917 - Flags: review?(LpSolit) → review+
Comment 9 (Assignee) • 16 years ago
(In reply to comment #8)
> The mini-login form has been introduced in bug 476090, meaning that 3.3.4 is
> also affected.
No, it's caused by the fact that param() is including both GET and POST variables, which means they get included in -query => 1, which started happening in rc1.
Comment 10 • 16 years ago
CVE-2009-3125 SQL Injection in Bug.search
CVE-2009-3165 SQL Injection in Bug.create
CVE-2009-3166 Sensitive Data Exposure
Comment 11 (Assignee) • 16 years ago
Attachment #399917 - Attachment is obsolete: true
Attachment #400055 - Flags: review+
Comment 12 (Assignee) • 16 years ago
Security advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED