Closed Bug 713348 Opened 10 years ago Closed 10 years ago
Security advisory for Bugzilla 4.2rc1, 4.0.3, 3.6.7 and 3.4.13
Two security bugs will be patched in these releases, see the dependency list. Some security enhancements have also been made. They should also be mentioned, but no CVE number is needed for them as they are not considered bugs.
Comment on attachment 584476 [details]
sec adv, v1

> Description: The User.offer_account_by_email WebService method ignores
> the user_can_create_account setting of the authentication
> method and generates an email with a token in it which the
> user can use to create an account. Depending on the
> authentication method being active, this could allow the
> user to log in using this account.

Does clearing createemailregexp still prevent users from creating accounts? This should be mentioned, if so.

> in an HTML page and the user visits this page. This
> behavior is intentional to let third-party applications

This behavior was intentional (not is)
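The flaw quoted above is a missing authorization check: a method that hands out an account-creation token without consulting the authentication method's user_can_create_account setting. The following is an added illustration, not Bugzilla's own (Perl) code. It models the two checks as a schematic Python service: the "vulnerable" variant honours only the createemailregexp allow-list (an assumption; whether the original did so is exactly the reviewer's open question), the "fixed" variant refuses before issuing a token when the active authentication method forbids account creation. Class names, the HMAC token format and the sample values are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthMethod:
    """Schematic stand-in for an authentication backend (constructed)."""
    name: str
    user_can_create_account: bool


@dataclass(frozen=True)
class SiteConfig:
    """createemailregexp: pattern an address must fully match; an empty
    pattern is treated here as 'account creation disabled' (assumption)."""
    createemailregexp: str
    secret_key: bytes


class AccountCreationForbidden(Exception):
    pass


def _email_allowed(email: str, cfg: SiteConfig) -> bool:
    if not cfg.createemailregexp:
        return False
    return re.fullmatch(cfg.createemailregexp, email) is not None


def _make_token(email: str, cfg: SiteConfig) -> str:
    # Token = random nonce + HMAC over (nonce, email), so a token issued for
    # one address cannot be replayed to create an account for another.
    nonce = secrets.token_hex(8)
    mac = hmac.new(cfg.secret_key, f"{nonce}:{email}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(token: str, email: str, cfg: SiteConfig) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(cfg.secret_key, f"{nonce}:{email}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def offer_account_vulnerable(email: str, auth: AuthMethod, cfg: SiteConfig) -> str:
    """Mirrors the advisory's flaw: the auth method's flag is never consulted."""
    if not _email_allowed(email, cfg):
        raise AccountCreationForbidden("address not permitted by createemailregexp")
    return _make_token(email, cfg)


def offer_account_fixed(email: str, auth: AuthMethod, cfg: SiteConfig) -> str:
    """Both gates must pass before any token is generated or mailed."""
    if not auth.user_can_create_account:
        raise AccountCreationForbidden(f"auth method {auth.name!r} forbids account creation")
    if not _email_allowed(email, cfg):
        raise AccountCreationForbidden("address not permitted by createemailregexp")
    return _make_token(email, cfg)


def token_issued(offer, email: str, auth: AuthMethod, cfg: SiteConfig) -> bool:
    """True if the given offer function would issue a token for this request."""
    try:
        offer(email, auth, cfg)
        return True
    except AccountCreationForbidden:
        return False


if __name__ == "__main__":
    cfg = SiteConfig(r"[^@]+@example\.com", b"constructed-demo-key")
    external = AuthMethod("external-sso", user_can_create_account=False)
    for name, fn in (("vulnerable", offer_account_vulnerable), ("fixed", offer_account_fixed)):
        print(name, "issues token under external auth:", token_issued(fn, "bob@example.com", external, cfg))
```

The regression to check for in a deployment is the first line printed: a backend that forbids self-registration must never see a token issued, regardless of how permissive createemailregexp is.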
Attachment #584476 - Flags: review?(mkanat) → review+
Fixed both comments. Carrying mkanat's r+ forward (per IRC discussion).
Adding dkl to the credits list as he reviewed backports for bug 711714 a few minutes ago.
Any reason why bug 705474 wasn't mentioned?
(In reply to Reed Loden [:reed] (very busy) from comment #5)
> Any reason why bug 705474 wasn't mentioned?

It has no sec flag set, and so went out of my radar. Also, I don't think it is worth being mentioned in the sec adv.
The sec adv is now live on the bugzilla.org website, and has been sent per email.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Added CVE numbers for bug 703975 and bug 703983.

Checking in src/security/3.4.12/index.html;
/www/bugzilla-org/src/security/3.4.12/index.html,v <-- index.html
new revision: 1.3; previous revision: 1.2
done