Closed Bug 567670 Opened 14 years ago Closed 14 years ago

Security Advisory for Bugzilla 3.7.1, 3.6.1, 3.4.7 and 3.2.7

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
blocker

Tracking

RESOLVED FIXED

People

(Reporter: LpSolit, Assigned: mkanat)

Attachments

(1 file, 3 obsolete files)

We need a sec adv for bug 309952 and bug 561797.
Attached file v1 (obsolete) —
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #452954 - Flags: review?(reed)
Comment on attachment 452954 [details]
v1

>Class:       Local Information Disclosure
>Versions:    3.5.1 to 3.6, 3.7

Missing "Fixed In".

>Description: <snip>

This sentence is way too long:
"If $use_suexec was set to "1" in the localconfig file, then the localconfig file's permissions were set as world-readable by checksetup.pl, allowing any user with local shell access to see the contents of the file, including the database password and the site_wide_secret variable used for CSRF protection."

Split it in half somehow?

>Full release downloads, patches to upgrade Bugzilla from previous
>versions, and CVS upgrade instructions are available at:

Since we're on bzr now, shouldn't this also include mention of bzr?
Attachment #452954 - Flags: review?(reed) → review-
Also, the summary mentions 3.7.1, but the secadv doesn't... Is 3.7.1 being released? If so, it needs to be included in the "Fixed In" and the list of versions at the bottom.
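As an added example, not part of this bug or of Bugzilla's own code: a POSIX shell audit for the condition the quoted advisory text describes, a localconfig left world-readable (here tied to `$use_suexec = 1`), so the database password and `site_wide_secret` would be readable by any local shell user. The file path is supplied by the caller; the `$use_suexec` line format matched is the plain `$use_suexec = 1;` form.

```shell
#!/bin/sh
# Added example (not from the advisory or Bugzilla): audit a Bugzilla
# 'localconfig' for the exposure described in the advisory.
# check_localconfig returns 0 when the file is not world-readable,
# 1 when it is exposed, 2 when the file cannot be inspected.

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# True when localconfig contains a line like:  $use_suexec = 1;
use_suexec_enabled() {
    grep -Eq '^[[:space:]]*\$use_suexec[[:space:]]*=[[:space:]]*1[[:space:]]*;' "$1"
}

# World-readable means the "other" read bit (octal 4 in the last digit) is set.
world_readable() {
    mode=$(file_mode "$1") || return 2
    other=$(( mode % 10 ))
    [ $(( other & 4 )) -ne 0 ]
}

check_localconfig() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "cannot inspect: $cfg" >&2; return 2; }
    if world_readable "$cfg"; then
        if use_suexec_enabled "$cfg"; then
            echo "EXPOSED: $cfg is world-readable and sets \$use_suexec = 1" \
                 "(DB password and site_wide_secret readable by any local user)"
        else
            echo "EXPOSED: $cfg is world-readable"
        fi
        return 1
    fi
    echo "OK: $cfg is not world-readable"
    return 0
}
```

Run it as `check_localconfig /path/to/bugzilla/localconfig`; an exit status of 1 means the file still has the permissions the advisory warns about.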
Attached file v2 (obsolete) —
All excellent points. :-)
Attachment #452954 - Attachment is obsolete: true
Attachment #452959 - Flags: review?(reed)
Attachment #452959 - Attachment is patch: false
Comment on attachment 452959 [details]
v2

>The fix for these issues are included in the 3.2.7, 3.4.7, and 3.6.1
>releases.

Missed this place for mentioning 3.7.1. Just fix it on check-in.

r=me with that.
Attachment #452959 - Flags: review?(reed) → review+
Comment on attachment 452959 [details]
v2

>The Bugzilla team wish to thank the following people/organizations for
>their assistance in locating, advising us of, and assisting us to fix
>this issue:

Shouldn't timello be listed too, as he reviewed one of the sec bugs?
Oh yes, he should be! The fact that he reviewed the bug was newer than this version of the advisory. :-) I'll add him.
Attached file v3 (obsolete) —
Here's a new version that mentions timello.
Attachment #452959 - Attachment is obsolete: true
Attachment #453588 - Flags: review?(LpSolit)
Attached file v4
Also fix the issue reed noticed.
Attachment #453588 - Attachment is obsolete: true
Attachment #453590 - Flags: review?(LpSolit)
Attachment #453588 - Flags: review?(LpSolit)
Comment on attachment 453590 [details]
v4

r=LpSolit
Attachment #453590 - Attachment is patch: false
Attachment #453590 - Flags: review?(LpSolit) → review+
Attachment #453588 - Attachment is patch: false
Security advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED