Closed Bug 606854 Opened 9 years ago Closed 9 years ago

Security advisory for Bugzilla 4.0rc1, 3.6.3, 3.4.9 and 3.2.9

Categories: Bugzilla :: Bugzilla-General, defect, blocker
Version: 3.7.3; Priority: Not set; Severity: blocker
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.2
People: Reporter: LpSolit, Assigned: mkanat
Attachments: 1 file, 1 obsolete file
  v2 (3.55 KB, text/plain), LpSolit: review+
Three security bugs will be ready for our next releases. Bug 419014 has pending reviews, but only for backports, so I should get reviews pretty quickly.
Bug 419014 just got r+ for all the backports, so all security bugs are ready for checkin.
Attached file Sec Adv, v1 (obsolete) —
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #487275 - Flags: review?(LpSolit)
Attachment #487275 - Attachment is patch: false
Comment on attachment 487275 [details]
Sec Adv, v1

>* It was possible to see graphs from Old Charts even if you did not
>  have access to a particular product, and you could browse a
>  a particular URL to see all product names.

"a" is duplicated (a a particular URL).


>Class:       HTTP Response Splitting
>Versions:    Every Version Before 3.2.9, 3.4.9, 3.6.3, 4.0rc1
>             (including unreleased 1.x versions of Bugzilla).

I agree that all versions of Bugzilla are affected, as it used the hardcoded string "ThisRandomString" in version 1.1 of buglist.cgi, but I don't remember us ever mentioning Bugzilla 1.x in any security advisory. IMO, it doesn't make sense to mention something which has never been released. I would drop the sentence in parentheses (it looks more like archaeological news than something useful).



>Description: The Old Charts system generated graphs with
>             predictable names into the "graphs/" directory,
>             which also could be browsed to see its contents.

So what? I think the bug summary was giving more details than this description here. You should mention that it could disclose product names.


>Description: YUI 2.8.1 was vulnerable to a Cross-Site Scripting
>             vulnerability in certain .swf files. The YUI shipped
>             with Bugzilla has been updated to 2.8.2.
>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=606618
>             http://secunia.com/advisories/41955

You should list the YUI Security Bulletin from Yahoo!, which is the original security advisory for this XSS vulnerability:

  http://yuilibrary.com/support/2.8.2/


Otherwise looks good.
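The following is an added illustration, not code from this bug or from Bugzilla, of why a hardcoded multipart boundary such as the "ThisRandomString" named in the review above is a response-splitting vector, and of what the fix looks like. It assumes (an assumption, not something the advisory states) that the string served as the part boundary of a multipart/x-mixed-replace response whose last part includes user-supplied text; the function names, the "please wait" markup and the attacker's bug summary are constructed for the demo. HTML escaping of the field is left out on purpose: it would not change the outcome, because escaping touches < > & " but not CR, LF or "-", and the injection happens at the MIME framing layer.

```python
import secrets

# Assumed hardcoded boundary, i.e. the string the review comment refers to.
FIXED_BOUNDARY = "ThisRandomString"

# Constructed attacker input: a bug summary that ends the current part and
# opens a new one with headers of the attacker's choosing.
ATTACKER_SUMMARY = (
    "harmless summary\r\n"
    f"--{FIXED_BOUNDARY}\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<script>alert(1)</script>"
)


def fresh_boundary():
    """The fix: a per-response boundary the attacker cannot know in advance."""
    return secrets.token_hex(16)


def build_buglist_response(summary, boundary):
    """Assemble a multipart/x-mixed-replace body (hypothetical server side):
    a 'please wait' part followed by the rendered list containing the summary."""
    parts = [
        ("text/html", "<p>Please wait...</p>"),
        ("text/html", f"<table><tr><td>{summary}</td></tr></table>"),
    ]
    body = []
    for ctype, content in parts:
        body.append(f"--{boundary}\r\nContent-Type: {ctype}\r\n\r\n{content}\r\n")
    body.append(f"--{boundary}--\r\n")
    return "".join(body)


def parse_parts(body, boundary):
    """Split the body the way a client does: every '--boundary' delimiter starts
    a new part. Returns a list of (headers, content) pairs. Simplified: a real
    parser also requires the delimiter to sit at the start of a line."""
    parts = []
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):  # closing delimiter '--boundary--'
            break
        headers, _, content = chunk.lstrip("\r\n").partition("\r\n\r\n")
        parts.append((headers, content.rstrip("\r\n")))
    return parts


def parts_seen_by_client(boundary):
    """Render the attacker's summary with the given boundary and parse it back."""
    return parse_parts(build_buglist_response(ATTACKER_SUMMARY, boundary), boundary)


if __name__ == "__main__":
    for name, b in (("hardcoded", FIXED_BOUNDARY), ("random", fresh_boundary())):
        seen = parts_seen_by_client(b)
        print(f"{name} boundary: client sees {len(seen)} part(s)")
        for headers, content in seen:
            print(f"  [{headers}] {content[:40]!r}")
```

With the hardcoded boundary the client sees three parts, the third carrying headers and content chosen entirely by the attacker and the legitimate list part truncated at the injection point. With a random per-response boundary the same input stays inert text inside the second part, because the attacker's delimiter line is not the delimiter the client is splitting on.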
Attached file v2
Okay, I fixed all your points.
Attachment #487275 - Attachment is obsolete: true
Attachment #487739 - Flags: review?(LpSolit)
Attachment #487275 - Flags: review?(LpSolit)
Comment on attachment 487739 [details]
v2

thanks! r=LpSolit
Attachment #487739 - Flags: review?(LpSolit) → review+
Advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED