Closed Bug 515454 Opened 13 years ago Closed 13 years ago
Security Advisory for Bugzilla 3.0.9, 3.2.5, and 3.4.2
There are some very critical security bugs we are going to fix in the coming releases + some less critical ones, see the dependency list.
Summary: Security Advisory for Bugzilla 3.0.9, 3.2.5, 3.4.2 and 3.5.1 → Security Advisory for Bugzilla 3.0.9, 3.2.5, and 3.4.2
I'm just going to assume that bug 314871 (which is a very minor issue) isn't going to make this release, because we have a lot of other work to do for the release, and I don't want to check in too many security bugs at once and have various unknown regressions from their interactions.
No longer depends on: CVE-2009-3989
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #399611 - Flags: review?(LpSolit)
Use CVE-2009-3125 for the first SQL injection vuln. I've put in a follow-up request for two more. Hopefully, I will have them either later tonight or tomorrow, but I wouldn't hold the release for them, if it needs to be rushed.
Here's a second version. This one has the first CVE that reed has given us, and also has a note that you can just apply the security patches if you need to.
Comment on attachment 399637 [details] v2
> Versions: 3.3.2 to 3.4.2, 3.5 to 3.4.1
> Class: SQL Injection
> Versions:
You forgot to fill Versions.
> Versions: 2.23.4 to 3.0.8, 3.1.1 to 3.2.4, 3.3.1 to 3.4.1
I don't know which bug regressed this. Which one is this? I don't think the 3.0.x and 3.2.x branches are affected as you cannot log in from the token.cgi page itself.
> The fix for this issue in is included in the 3.4.2, 3.2.5, and 3.0.9
There are several fixes and issues.
Attachment #399637 - Flags: review?(LpSolit) → review-
I added a note that you can't insert additional statements with semicolons (because this information may be useful for press or security institutions who are writing about this vulnerability), and also re-worded some information to make it clear that this *is* exploitable, just not (as far as we know) to delete or modify existing data.
Comment on attachment 399917 [details] v4
> Class: Sensitive Data Exposure
> Versions: 3.4rc1 to 3.4.1
The mini-login form has been introduced in bug 476090, meaning that 3.3.4 is also affected. r=LpSolit with s/3.4rc1/3.3.4/.
Attachment #399917 - Flags: review?(LpSolit) → review+
(In reply to comment #8)
> The mini-login form has been introduced in bug 476090, meaning that 3.3.4 is
> also affected.
No, it's caused by the fact that param() is including both GET and POST variables, which means they get included in -query => 1, which started happening in rc1.
CVE-2009-3125 SQL Injection in Bug.search
CVE-2009-3165 SQL Injection in Bug.create
CVE-2009-3166 Sensitive Data Exposure
Security advisory sent.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED