Closed Bug 611201 Opened 11 years ago Closed 11 years ago

Interim Security Advisory for CGI.pm issue

Categories: Bugzilla :: bugzilla.org, defect
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 620540
People: Reporter: mkanat, Assigned: mkanat
Attachments (1 file, 2 obsolete files): v3, 2.39 KB, text/plain; LpSolit: review+; reed: review-

Recently, the CGI.pm team did a release that fixes an important security issue in Bugzilla. The fix only requires installing a newer version of CGI.pm, so we're going to release a Security Advisory immediately, and then bump the CGI.pm requirements in the next releases of Bugzilla, later.
Attached file v1 (obsolete) —
Assignee: website → mkanat
Status: NEW → ASSIGNED
Attachment #489721 - Flags: review?(LpSolit)
I think you need to make it very clear that the bug is in CGI.pm, not Bugzilla. As it currently reads, it seems like this is just another Bugzilla vulnerability.
Attached file v2 (obsolete) —
Good point.
Attachment #489721 - Attachment is obsolete: true
Attachment #489737 - Flags: review?(reed)
Attachment #489721 - Flags: review?(LpSolit)
Comment on attachment 489737 [details]
v2

>Bugzilla is a Web-based bug-tracking system used by a large number of
>software projects. The following security issues have been discovered
>in Bugzilla:

This sentence should be singular. There is only one security issue in this advisory.


>* Due to a bug in the CGI.pm module

Nit: shouldn't we be clearer that this is not Bugzilla/CGI.pm, but the CGI module on CPAN? I know you clarify this later, so this is only a nit.


>However, Windows users who are using ActiveState Perl must instead do:
>
>  ppm upgrade

ActiveState Perl has provided a GUI for years. This is much easier to use than the CLI.


>(Different versions of ActiveState Perl may require different 
>commands--refer to ActiveState's documentation on how to upgrade a
>Perl module.)

That's exactly why you shouldn't use the CLI.
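The advisory under review tells administrators to upgrade CGI.pm and says future Bugzilla releases will warn when the installed module is too old. As an added example that is not part of this bug or of Bugzilla's own checksetup.pl, the POSIX shell script below does that check by hand: it reads `$CGI::VERSION` from the Perl that runs Bugzilla and compares it, the way Perl compares decimal version numbers, against a minimum you pass in. The minimum version is an assumption supplied by the caller, since the thread only says "a newer version" and the final advisory names the number; nothing here hard-codes one.

```shell
#!/bin/sh
# Added example: check the installed CGI.pm against a required minimum.
# Not part of Bugzilla; the required version is an assumption you supply.

# Compare two Perl-style decimal versions (3.49, 3.50, 4.08, 3.5) the way
# Perl's numeric comparison does: 3.5 == 3.50 > 3.49. Returns 0 when
# $1 >= $2, 1 otherwise.
version_ge() {
    a_int=${1%%.*}; a_frac=${1#*.}
    b_int=${2%%.*}; b_frac=${2#*.}
    # a version with no dot has an empty fractional part
    [ "$a_frac" = "$1" ] && a_frac=0
    [ "$b_frac" = "$2" ] && b_frac=0
    # right-pad the fractional parts to equal width so 3.5 reads as 3.50
    while [ ${#a_frac} -lt ${#b_frac} ]; do a_frac="${a_frac}0"; done
    while [ ${#b_frac} -lt ${#a_frac} ]; do b_frac="${b_frac}0"; done
    if [ "$a_int" -gt "$b_int" ]; then return 0; fi
    if [ "$a_int" -lt "$b_int" ]; then return 1; fi
    # prefix a 1 so leading zeros (as in 4.08) cannot change the ordering
    [ "1$a_frac" -ge "1$b_frac" ]
}

# Print the version of the CGI module seen by the perl on PATH (use the
# same perl that serves Bugzilla). Prints nothing if CGI is not installed.
installed_cgi_version() {
    perl -MCGI -e 'print $CGI::VERSION' 2>/dev/null
}

# Report whether the installed CGI.pm meets the minimum given as $1.
# Exit status: 0 up to date, 1 too old, 2 not installed.
check_cgi() {
    min=$1
    have=$(installed_cgi_version)
    if [ -z "$have" ]; then
        echo "CGI.pm is not installed for $(command -v perl)"
        return 2
    fi
    if version_ge "$have" "$min"; then
        echo "CGI.pm $have is installed (>= $min): OK"
        return 0
    fi
    echo "CGI.pm $have is older than $min: upgrade it (cpan CGI, or ppm on ActiveState Perl)"
    return 1
}

# Usage: sh check_cgi.sh <minimum CGI.pm version from the advisory>
if [ $# -gt 0 ]; then
    check_cgi "$1"
fi
```

Run it with the version named in the advisory as the only argument; run it as the user and with the PATH that Bugzilla's web server uses, otherwise you may be checking a different Perl installation than the one serving the site.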
Comment on attachment 489737 [details]
v2

All of LpSolit's comments should be addressed, plus a few things below:

>Fixed In:    Upcoming releases: 3.2.10, 3.4.10, 3.6.4, 4.0

I think this line is just going to confuse people into thinking they need to upgrade to a new Bugzilla version. Sadly, people have a habit of not reading the entire advisory and only looking at specific version information like this. I'm actually wondering if we shouldn't just remove this line completely. We could possibly add an ending line to the description saying "Upcoming releases of Bugzilla for the 3.6 and 4.0 branches will require this newer CGI.pm module be installed." or something. Thoughts?

>If you would like to immediately patch Bugzilla so that it will warn
>you,  there are patches available for this issue at the 
>bugzilla.mozilla.org "References" URL for the vulnerability.

Extra space between the comma and "there".
Attachment #489737 - Flags: review?(reed) → review-
(In reply to comment #5)
> I'm actually wondering if we shouldn't just remove this line completely. We
> could possibly add an ending line to the description saying "Upcoming releases
> of Bugzilla for the 3.6 and 4.0 branches will require this newer CGI.pm module
> be installed." or something. Thoughts?

I agree with reed that 3.2.10 and 3.4.10 won't fix anything; they will only suggest installing a newer CGI.pm.
Attached file v3
Good points, all of them! Here's an updated version that addresses them all.
Attachment #489737 - Attachment is obsolete: true
Attachment #489963 - Flags: review?(LpSolit)
Comment on attachment 489963 [details]
v3

>If you would like to immediately patch Bugzilla so that it will warn
>you, there are patches available for this issue at the 
>bugzilla.mozilla.org "References" URL for the vulnerability.

I wonder if this sentence makes sense at all. Someone reading this security advisory and wanting to fix the problem will upgrade CGI, rather than patch Bugzilla to let it warn him about something he already knows. I think we could (should?) simply remove this sentence.

Otherwise looks good. r=LpSolit
Attachment #489963 - Flags: review?(LpSolit) → review+
> * Due to a bug in Perl's CGI.pm module, there was a way to inject both
>   headers and content to users, causing a serious Cross-Site Scripting

s/to users/into consumers/

> All affected installations are encouraged to upgrade as soon as
> possible.

This is the heading, the part people actually read; you should say upgrade CGI.pm.

> The next versions of Bugzilla will also notify the user that they
> should update their CGI.pm to protect them from this security issue,
> but these releases are not out yet.

s/The next/Future/
s/the user/administrators/ ? -- note that 'user' here is probably not the same as 'user' at the top of this comment/advisory.

> If you would like to immediately patch Bugzilla so that it will warn
> you,

warn you about what?

s/you/you if your version of CGI.pm is vulnerable/ ?
Comment on attachment 489963 [details]
v3

If we decide to use this, need to update it to also list CVE-2010-4411.
Attachment #489963 - Flags: review-
We don't need this bug anymore. It will be included in the sec adv.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 620540
Security advisory sent. Removing the security flag.
Group: bugzilla-security