Closed Bug 606854 Opened 14 years ago Closed 14 years ago

Security advisory for Bugzilla 4.0rc1, 3.6.3, 3.4.9 and 3.2.9

Categories

(Bugzilla :: Bugzilla-General, defect)

Product:
Bugzilla
Component:
Bugzilla-General
Version:
3.7.3
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 3.2

People

(Reporter: LpSolit, Assigned: mkanat)

References

Details

Attachments

(1 file, 1 obsolete file)

v2
3.55 KB, text/plain
LpSolit
: review+
Details 
Three security bugs will be ready for our next releases. Bug 419014 has pending reviews, but only for backports, so I should get reviews pretty quickly.
Bug 419014 just got r+ for all the backports, so all security bugs are ready for checkin.
Attached file Sec Adv, v1 (obsolete) — 
Assignee: general → mkanat
Status: NEW → ASSIGNED

        Attachment #487275 -
        Flags: review?(LpSolit)

    
  

        Attachment #487275 -
        Attachment is patch: false

    
    

    
  
Comment on attachment 487275 [details]
Sec Adv, v1

>* It was possible to see graphs from Old Charts even if you did not
>  have access to a particular product, and you could browse a
>  a particular URL to see all product names.

"a" is duplicated (a a particular URL).


>Class:       HTTP Response Splitting
>Versions:    Every Version Before 3.2.9, 3.4.9, 3.6.3, 4.0rc1
>             (including unreleased 1.x versions of Bugzilla).

I agree that all versions of Bugzilla are affected, as it used the hardcoded string "ThisRandomString" in version 1.1 of buglist.cgi, but I don't remember we ever mentioned Bugzilla 1.x in any security advisory. IMO, it doesn't make sense to mention something which has never been released. I would drop the sentence in parentheses (it looks more like an archaeological news than something useful).



>Description: The Old Charts system generated graphs with
>             predictable names into the "graphs/" directory,
>             which also could be browsed to see its contents.

So what? I think the bug summary was giving more details than this description here. You should mention that it could disclose product names.


>Description: YUI 2.8.1 was vulnerable to a Cross-Site Scripting
>             vulnerability in certain .swf files. The YUI shipped
>             with Bugzilla has been updated to 2.8.2.
>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=606618
>             http://secunia.com/advisories/41955

You should list the YUI Security Bulletin from Yahoo!, which is the original security advisory for this XSS vulnerability:

  http://yuilibrary.com/support/2.8.2/


Otherwise looks good.

    
    

    
  

      
      
      
      

        Attached file
          
        v2
      

    


  
Okay, I fixed all your points.

        Attachment #487275 -
        Attachment is obsolete: true

        Attachment #487739 -
        Flags: review?(LpSolit)

        Attachment #487275 -
        Flags: review?(LpSolit)

    
    

    
  
Comment on attachment 487739 [details]
v2

thanks! r=LpSolit

        Attachment #487739 -
        Flags: review?(LpSolit) → review+

    
    

    
  
Advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: