Closed Bug 713348 Opened 13 years ago Closed 13 years ago

Security advisory for Bugzilla 4.2rc1, 4.0.3, 3.6.7 and 3.4.13

Categories

(Bugzilla :: bugzilla.org, defect)

Product:
Bugzilla
Component:
bugzilla.org
Version:
4.1.3
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

Attachments

(1 file, 2 obsolete files)

sec adv, v1.2
4.13 KB, text/plain
LpSolit
: review+
Details 
Two security bugs will be patched in these releases, see the dependency list. Some security enhancements have also been made. They should also be mentioned, but no CVE number is needed for them as they are not considered as bugs.
Flags: blocking4.2+
Attached file sec adv, v1 (obsolete) — 

        Attachment #584476 -
        Flags: review?(mkanat)

    
  

        Attachment #584476 -
        Attachment is patch: false

    
    

    
  
Comment on attachment 584476 [details]
sec adv, v1

>Description: The User.offer_account_by_email WebService method ignores
>             the user_can_create_account setting of the authentication
>             method and generates an email with a token in it which the
>             user can use to create an account. Depending on the
>             authentication method being active, this could allow the
>             user to log in using this account.

  Does clearing createemailregexp still prevent users from creating accounts? This should be mentioned, if so.

>             in an HTML page and the user visits this page. This
>             behavior is intentional to let third-party applications

  This behavior was intentional (not is)

        Attachment #584476 -
        Flags: review?(mkanat) → review+

    
    

    
  

      
      
      
      

        Attached file
          
        sec adv, v1.1 (obsolete)
        — 
      

    


  
Fixed both comments. Carrying mkanat's r+ forward (per IRC discussion).

        Attachment #584476 -
        Attachment is obsolete: true

        Attachment #584480 -
        Flags: review+

    
    

    
  

      
      
      
      

        Attached file
          
        sec adv, v1.2
      

    


  
Adding dkl to the credits list as he reviewed backports for bug 711714 a few minutes ago.

        Attachment #584480 -
        Attachment is obsolete: true

        Attachment #584500 -
        Flags: review+

    
    

    
  
Any reason why bug 705474 wasn't mentioned?

    
    

    
  
(In reply to Reed Loden [:reed] (very busy) from comment #5)
> Any reason why bug 705474 wasn't mentioned?

It has no sec flag set, and so went out of my radar. Also, I don't think it worths being mentioned in the sec adv.

    
    

    
  
The sec adv is now live on the bugzilla.org website, and has been sent per email.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  
Added CVE numbers for bug 703975 and bug 703983.

Checking in src/security/3.4.12/index.html;
/www/bugzilla-org/src/security/3.4.12/index.html,v  <--  index.html
new revision: 1.3; previous revision: 1.2
done
Depends on: CVE-2011-3668, CVE-2011-3669

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: