Closed Bug 713348 Opened 10 years ago Closed 10 years ago

Security advisory for Bugzilla 4.2rc1, 4.0.3, 3.6.7 and 3.4.13

Product/Component: Bugzilla :: bugzilla.org
Type: defect
Version: 4.1.3
Priority: Not set
Severity: blocker
Status: RESOLVED FIXED

People

(Reporter: LpSolit, Assigned: LpSolit)

Attachments

(1 file, 2 obsolete files)

Two security bugs will be patched in these releases, see the dependency list. Some security enhancements have also been made. They should also be mentioned, but no CVE number is needed for them as they are not considered bugs.
Flags: blocking4.2+
Attached file sec adv, v1 (obsolete)
Attachment #584476 - Flags: review?(mkanat)
Attachment #584476 - Attachment is patch: false
Comment on attachment 584476
sec adv, v1

>Description: The User.offer_account_by_email WebService method ignores
>             the user_can_create_account setting of the authentication
>             method and generates an email with a token in it which the
>             user can use to create an account. Depending on the
>             authentication method being active, this could allow the
>             user to log in using this account.

  Does clearing createemailregexp still prevent users from creating accounts? This should be mentioned, if so.

>             in an HTML page and the user visits this page. This
>             behavior is intentional to let third-party applications

  This behavior was intentional (not is)
Attachment #584476 - Flags: review?(mkanat) → review+
Attached file sec adv, v1.1 (obsolete)
Fixed both comments. Carrying mkanat's r+ forward (per IRC discussion).
Attachment #584476 - Attachment is obsolete: true
Attachment #584480 - Flags: review+
Attached file sec adv, v1.2
Adding dkl to the credits list as he reviewed backports for bug 711714 a few minutes ago.
Attachment #584480 - Attachment is obsolete: true
Attachment #584500 - Flags: review+
Any reason why bug 705474 wasn't mentioned?
(In reply to Reed Loden [:reed] (very busy) from comment #5)
> Any reason why bug 705474 wasn't mentioned?

It has no sec flag set, and so it went off my radar. Also, I don't think it's worth being mentioned in the sec adv.
The sec adv is now live on the bugzilla.org website, and has been sent by email.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Added CVE numbers for bug 703975 and bug 703983.

Checking in src/security/3.4.12/index.html;
/www/bugzilla-org/src/security/3.4.12/index.html,v  <--  index.html
new revision: 1.3; previous revision: 1.2
done