Closed
Bug 567670
Opened 15 years ago
Closed 15 years ago
Security Advisory for Bugzilla 3.7.1, 3.6.1, 3.4.7 and 3.2.7
Categories
(Bugzilla :: Bugzilla-General, defect)
RESOLVED
FIXED
People
(Reporter: LpSolit, Assigned: mkanat)
Attachments
(1 file, 3 obsolete files)
We need a sec adv for bug 309952 and bug 561797.
Comment 1•15 years ago
Comment 2•15 years ago
Comment on attachment 452954 [details]
v1
>Class: Local Information Disclosure
>Versions: 3.5.1 to 3.6, 3.7
Missing "Fixed In".
>Description: <snip>
This sentence is way too long:
"If $use_suexec was set to "1" in the localconfig file, then the localconfig file's permissions were set as world-readable by checksetup.pl, allowing any user with local shell access to see the contents of the file, including the database password and the site_wide_secret variable used for CSRF protection."
Split it in half somehow?
>Full release downloads, patches to upgrade Bugzilla from previous
>versions, and CVS upgrade instructions are available at:
Since we're on bzr now, shouldn't this also include mention of bzr?
Attachment #452954 -
Flags: review?(reed) → review-
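As an added example (not from this bug or from Bugzilla's own code), a shell check for the condition the quoted sentence describes: a localconfig that any local user can read. The sample localconfig, its `$db_pass` line and the 0640 "hardened" mode are constructed or assumed here, not values taken from the advisory.

```shell
# Added example, not Bugzilla code: detect a localconfig that any local
# user can read, the exposure described in the advisory sentence above.

# Exit 0 if the "other read" bit is set on the file (world-readable).
localconfig_world_readable() {
    [ -f "$1" ] || return 2
    # -perm -004: matches only when the o+r bit is present
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Print the value of $use_suexec (0 or 1) from a localconfig file.
localconfig_use_suexec() {
    sed -n 's/^\$use_suexec[[:space:]]*=[[:space:]]*['\''"]\{0,1\}\([01]\)['\''"]\{0,1\}[[:space:]]*;.*/\1/p' "$1" | head -n1
}

# Report the advisory's condition: the file is readable by every local user.
# Returns 1 when the secrets in the file are exposed, 0 otherwise.
check_localconfig() {
    f="$1"
    suexec=$(localconfig_use_suexec "$f")
    if localconfig_world_readable "$f"; then
        echo "WARN: $f is world-readable (use_suexec=${suexec:-unset});" \
             "db password and site_wide_secret readable by any local user"
        return 1
    fi
    echo "OK: $f is not world-readable (use_suexec=${suexec:-unset})"
    return 0
}

# Demo on a constructed localconfig in a temp dir; all values are made up.
# Returns 0 when the exposed file is flagged and the tightened one passes.
demo() {
    d=$(mktemp -d) || return 2
    printf '$use_suexec = 1;\n$db_pass = '\''constructed-example'\'';\n' \
        > "$d/localconfig"
    chmod 0644 "$d/localconfig"    # world-readable, as the advisory describes
    check_localconfig "$d/localconfig"; r1=$?
    chmod 0640 "$d/localconfig"    # assumed hardened mode: owner and group only
    check_localconfig "$d/localconfig"; r2=$?
    rm -rf "$d"
    [ "$r1" -eq 1 ] && [ "$r2" -eq 0 ]
}
```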
Comment 3•15 years ago
Also, the summary mentions 3.7.1, but the secadv doesn't... Is 3.7.1 being released? If so, it needs to be included in the "Fixed In" and the list of versions at the bottom.
Comment 4•15 years ago
All excellent points. :-)
Attachment #452954 -
Attachment is obsolete: true
Attachment #452959 -
Flags: review?(reed)
Updated•15 years ago
Attachment #452959 -
Attachment is patch: false
Comment 5•15 years ago
Comment on attachment 452959 [details]
v2
>The fix for these issues is included in the 3.2.7, 3.4.7, and 3.6.1
>releases.
Missed this place for mentioning 3.7.1. Just fix it on check-in.
r=me with that.
Attachment #452959 -
Flags: review?(reed) → review+
Comment 6•15 years ago
Comment on attachment 452959 [details]
v2
>The Bugzilla team wish to thank the following people/organizations for
>their assistance in locating, advising us of, and assisting us to fix
>this issue:
Shouldn't timello be listed too, as he reviewed one of the sec bugs?
Comment 7•15 years ago
Oh yes, he should be! The fact that he reviewed the bug was newer than this version of the advisory. :-) I'll add him.
Comment 8•15 years ago
Here's a new version that mentions timello.
Attachment #452959 -
Attachment is obsolete: true
Attachment #453588 -
Flags: review?(LpSolit)
Comment 9•15 years ago
Also fix the issue reed noticed.
Attachment #453588 -
Attachment is obsolete: true
Attachment #453590 -
Flags: review?(LpSolit)
Attachment #453588 -
Flags: review?(LpSolit)
Comment 10•15 years ago
Comment on attachment 453590 [details]
v4
r=LpSolit
Attachment #453590 -
Attachment is patch: false
Attachment #453590 -
Flags: review?(LpSolit) → review+
Updated•15 years ago
Attachment #453588 -
Attachment is patch: false
Comment 11•15 years ago
Security advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED