Closed Bug 532517 Opened 15 years ago Closed 15 years ago

Security Advisory for Bugzilla 3.5.3, 3.4.5, 3.2.6 and 3.0.11

Categories: Bugzilla :: Bugzilla-General, defect
Version: 3.4.4
Type: defect
Priority: Not set
Severity: blocker
Status: RESOLVED FIXED
People: Reporter: LpSolit, Assigned: LpSolit
Attachments: 1 file, 2 obsolete files

Sec Adv required due to bug 532493.
Summary: Security Advisory for Bugzilla 3.5.3 an 3.4.5 → Security Advisory for Bugzilla 3.5.3 and 3.4.5
Bug 314871 is also ready for checkin, but means we will also have to release 3.2.6 and 3.0.11.
Depends on: CVE-2009-3989
Summary: Security Advisory for Bugzilla 3.5.3 and 3.4.5 → Security Advisory for Bugzilla 3.5.3, 3.4.5, 3.2.6 and 3.0.11
Depends on: 434801
Assignee: general → LpSolit
Attached file sec adv, v1 (obsolete)
Attachment #423327 - Flags: review?(mkanat)
Comment on attachment 423327 [details] sec adv, v1

>+ Some files stored on the web server are not correctly protected against
> external access and can be viewed from a web browser despite they are

Hmm, let's just trim the part starting with "despite" and to the end of the sentence.

>Issue 1
>-------
>Class: Information leak
>Versions: all versions

We should specify "all versions before" so that it specifies what versions fixed this.

>Description: Bugzilla lets you view the content of files being in the CVS/,

Bugzilla allows web browsers to serve the contents of files in the CVS/,

> contrib/, docs/en/xml/, and t/ directories, as well as the
> old-params.txt file, from a web browser.

And then remove "from a web browser".

>Class: Information leak
>Versions: 3.3.1 and above

Let's say "and later" instead of "and above".

>Description: When moving a bug from one product to another one, an

Just "another" is more normal, instead of "another one".

> intermediate page is displayed letting you select the groups
> the bug should be restricted to in the new product. But a

Instead of "But", say "However," (with the comma).
Attachment #423327 - Flags: review?(mkanat) → review-
Comment on attachment 423327 [details] sec adv, v1 Oh, also, include the CVE number for the second issue.
Attached file sec adv, v2 (obsolete)
Attachment #423327 - Attachment is obsolete: true
Attachment #423346 - Flags: review?(mkanat)
Comment on attachment 423346 [details] sec adv, v2 Looks good! :-)
Attachment #423346 - Flags: review?(mkanat) → review+
Comment on attachment 423346 [details] sec adv, v2

>Issue 1
>-------
>Class: Information leak
>Versions: all versions before 3.0.11, 3.2.6, 3.4.5, and 3.5.3
>Description: Bugzilla allows web browsers to serve the contents of files
> in the CVS/, contrib/, docs/en/xml/, and t/ directories, as
> well as the old-params.txt file.
> These files do not contain sensitive data by default, but
> custom installations may have added scripts or files into
> these directories which contain e.g. passwords or some other
> sensitive information. We now forbid access to these
> directories from a web browser as a preventive measure.
>References: https://bugzilla.mozilla.org/show_bug.cgi?id=314871
> https://bugzilla.mozilla.org/show_bug.cgi?id=434801

Please use CVE-2009-3989 for this.
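Issue 1 above says the fix forbids browser access to the CVS/, contrib/, docs/en/xml/ and t/ directories. The script below is an added example, not code from this bug or from the Bugzilla project: it audits an Apache-hosted Bugzilla web root for those paths and for old-params.txt, assuming the deployment relies on per-directory .htaccess deny rules (a mechanism Bugzilla uses elsewhere; whether the fix in bug 314871 used exactly this is not stated on this page).

```shell
#!/bin/sh
# Audit a Bugzilla web root for the paths named in the advisory (Issue 1).
# Every directory that exists must carry an .htaccess denying all access,
# in either Apache 2.2 ("deny from all") or Apache 2.4 ("Require all denied")
# syntax. Assumes an Apache deployment with AllowOverride enabled for the
# web root; on other web servers, check the virtual host configuration instead.

# Directories listed in the advisory. old-params.txt is a single file in the
# web root, so it is handled separately below.
ADVISORY_DIRS="CVS contrib docs/en/xml t"

# Return 0 if directory $1 has an .htaccess that denies all access, else 1.
dir_is_denied() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -iqE -e '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' \
              -e '^[[:space:]]*Require[[:space:]]+all[[:space:]]+denied' "$f"
}

# Print each unprotected path under web root $1; return 0 if none, else 1.
audit_bugzilla_webroot() {
    root="$1"
    bad=0
    for d in $ADVISORY_DIRS; do
        p="$root/$d"
        [ -d "$p" ] || continue          # an absent directory cannot leak
        if ! dir_is_denied "$p"; then
            echo "UNPROTECTED: $p"
            bad=1
        fi
    done
    # A leftover old-params.txt in the web root is itself the finding: a
    # per-directory deny cannot cover one file, so remove it or add a
    # <Files> rule for it in the web root's .htaccess.
    if [ -f "$root/old-params.txt" ]; then
        echo "UNPROTECTED: $root/old-params.txt"
        bad=1
    fi
    return $bad
}

# Usage: audit_bugzilla_webroot /var/www/bugzilla   (path is an example)
```

Exit status 0 means every advisory path that exists is denied; a non-zero status lists the paths that still need a rule.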
Attached file sec adv, v2.1
I added the CVE number to the first issue.
Attachment #423346 - Attachment is obsolete: true
Attachment #424499 - Flags: review+
Security advisory sent, removing from security group.
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED