Bug 741079 - Security advisory for Bugzilla 4.2.1, 4.0.6 and 3.6.9
Status: RESOLVED FIXED (opened 12 years ago, closed 12 years ago)
Product/Component: Bugzilla :: bugzilla.org, defect
Reporter: LpSolit, Assigned: dkl
Attachments: 1 file, 3 obsolete files
We have one security bug ready for checkin: bug 728639, affecting all active branches.
Flags: blocking4.2.1+
Comment 1 • 12 years ago • Assignee
Comment 2 • 12 years ago • Reporter
Comment on attachment 614481 [details]
3.6.8 sec adv (v1)

>* When abusing X-FORWARDED-FOR header, an attacker could bypass
> lockout policy allowing a possible brute-force discovery of a
> valid user password.

Maybe it's just me, but shouldn't you add "the" before "X-FORWARDED-FOR header" and "lockout policy"?

>Versions: 3.6.8, 4.0.5, 4.2

All versions since 3.5.3 are vulnerable, so it must be: 3.5.3 to 3.6.8, 3.7.1 to 4.0.5, 4.1.1 to 4.2.

>Description: Due to a lack of proper validation of the X-FORWARDED-FOR
> header of an authentication request, an attacker could bypass
> the current lockout policy used for protection against and
> brute-force password discovery or possible denial of service
> attack.

I don't understand "against" in this sentence. Also, don't mention DoS as it's not true. Also, mention that this vulnerability can only be exploited if the 'inbound_proxies' parameter is set.

>David Lawrence
>Byron Jones
>Frédéric Buclin

The credits list contains the following people, in this order: assignee, reviewer, reporter. So we have:

Frédéric Buclin
Byron Jones
Soroush Dalili
Attachment #614481 - Flags: review?(LpSolit) → review-
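To make the lockout bypass and the inbound_proxies caveat from the review above concrete, the following is an added example. It is not Bugzilla's code and not the fix from the advisory: the function names, the lockout threshold of 5, the (login, IP) lockout key and the sample addresses are all assumptions constructed for the illustration. It runs the same list of wrong-password attempts through a lockout keyed on a naively parsed X-Forwarded-For value and through one that only trusts the hop a configured proxy actually observed; the hardened resolver goes slightly beyond the single-proxy case in the text by walking a chain of several trusted proxies.

```python
from collections import defaultdict

# Assumed lockout threshold for this illustration; the real threshold is not
# stated on this page.
MAX_FAILURES = 5


def remote_ip_naive(remote_addr, x_forwarded_for, inbound_proxies):
    """Vulnerable pattern (assumed, not Bugzilla's code): once REMOTE_ADDR is a
    trusted inbound proxy, take the leftmost X-Forwarded-For entry as the
    client address. Proxies append to that header rather than replace it, so
    the leftmost entry is whatever the client chose to send."""
    if remote_addr in inbound_proxies and x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def remote_ip_hardened(remote_addr, x_forwarded_for, inbound_proxies):
    """Hardened pattern: walk X-Forwarded-For from the right (the hop closest
    to us) and stop at the first address that is not one of our proxies. That
    entry was written by a proxy we trust; everything left of it was asserted
    by the client and is ignored."""
    if remote_addr not in inbound_proxies or not x_forwarded_for:
        return remote_addr            # header is untrusted: ignore it entirely
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in inbound_proxies:
            return hop
    return remote_addr                # chain contains only our own proxies


class LoginLockout:
    """Counts failed logins per (login, client IP) and refuses further
    attempts once max_failures is reached. Keying on the client IP is what
    makes the IP resolver security-relevant."""

    def __init__(self, resolver, inbound_proxies, max_failures=MAX_FAILURES):
        self.resolver = resolver
        self.inbound_proxies = set(inbound_proxies)
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def attempt(self, login, remote_addr, x_forwarded_for, password_ok):
        ip = self.resolver(remote_addr, x_forwarded_for, self.inbound_proxies)
        key = (login, ip)
        if self.failures[key] >= self.max_failures:
            return "locked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "failed"


def guesses_checked(resolver, inbound_proxies, attempts):
    """Feed (login, remote_addr, x_forwarded_for, password_ok) attempts through
    the lockout and return how many reached the password check, i.e. were not
    rejected as 'locked'."""
    lock = LoginLockout(resolver, inbound_proxies)
    outcomes = [lock.attempt(*a) for a in attempts]
    return sum(1 for o in outcomes if o != "locked")


# Constructed scenario: the application sits behind a reverse proxy at
# 10.0.0.2 that is listed in inbound_proxies. The attacker at 203.0.113.7
# sends 20 wrong passwords and forges a different X-Forwarded-For value on
# every request; the proxy appends the address it actually saw.
PROXY = "10.0.0.2"
ATTACKER = "203.0.113.7"
VIA_PROXY = [
    ("victim@example.com", PROXY, f"192.0.2.{i}, {ATTACKER}", False)
    for i in range(20)
]
# The same attacker connecting directly and forging the header, no proxy.
DIRECT = [
    ("victim@example.com", ATTACKER, f"192.0.2.{i}", False)
    for i in range(20)
]


def demo():
    return {
        # lockout keyed on the forged value: every guess gets through
        "naive, inbound_proxies set": guesses_checked(remote_ip_naive, {PROXY}, VIA_PROXY),
        # hardened resolver keys on the proxy-observed hop: locked after 5
        "hardened, inbound_proxies set": guesses_checked(remote_ip_hardened, {PROXY}, VIA_PROXY),
        # with inbound_proxies unset the header is ignored even by the naive code
        "naive, inbound_proxies empty": guesses_checked(remote_ip_naive, set(), DIRECT),
    }


if __name__ == "__main__":
    for label, n in demo().items():
        print(f"{label}: {n} of 20 guesses reached the password check")
```

The third case is the caveat the review asks the advisory to state: when no inbound proxy is configured, REMOTE_ADDR is the socket peer and the forged header is never consulted, so the naive resolver is only exploitable once inbound_proxies is set. Note that even the hardened resolver can only be as trustworthy as the proxies listed; a proxy that does not append the peer address, or an attacker who can reach the application directly while spoofing REMOTE_ADDR, is outside what the header walk can fix.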
Comment 3 • 12 years ago • Assignee
Thanks for the review. Grammar errors fixed as well as other changes. dkl
Attachment #614481 - Attachment is obsolete: true
Attachment #614673 - Flags: review?(LpSolit)
Comment 4 • 12 years ago • Reporter
Comment on attachment 614673 [details]
3.6.8 sec adv (v2)

> header of an authentication request, an attacker could bypass
> the current lockout policy used for protection against brute-
>The fix for this issue is included in the 3.6.9, 4.0.6 and 4.2.1 releases.

This is fine, but these 3 lines are longer than 72 characters. This can be fixed when sending the sec adv by email.

r=LpSolit
Attachment #614673 - Attachment is patch: false
Attachment #614673 - Flags: review?(LpSolit) → review+
Updated • 12 years ago • Reporter
Depends on: CVE-2012-0466
Comment 5 • 12 years ago • Assignee
Added additional security issue fixed.
Attachment #614673 - Attachment is obsolete: true
Attachment #615979 - Flags: review?(LpSolit)
Comment 6 • 12 years ago • Reporter
Comment on attachment 615979 [details]
3.6.8 sec adv (v3)

>* It is possible, using cross-site scripting, for an attacker using
> JavaScript in buglist.cgi to gain access to bug information
> using a victim's account.

This sounds like the attacker could inject JavaScript in buglist.cgi, which is not true. I would rather say something like:

* An attacker can get access to some bug information using the victim's credentials using a specially crafted HTML page.

>Class: Cross Site Scripting
>Versions: 3.5.3 to 3.6.8, 3.7.1 to 4.0.5, 4.1.1 to 4.2

2.17.4 and above are affected. So it must start with "2.17.4 to 3.6.8, ...".

>Description: A JavaScript template used by buglist.cgi could be used
> by a malicious script accessing a Bugzilla instance
> and gaining access to bug information using a victim's
> account. This is a problem if the target Bugzilla instance
> always requires a valid login when accessing any page.

s/and gaining/to gain/ maybe? Also, the last sentence is confusing. It sounds like this is only a problem when requirelogin is turned on, which is not quite true. Even without requiring the user to log in, this could be used by the attacker to gain access to bugs he is not allowed to see (such as security bugs). Maybe the whole paragraph could be reworded to:

"A JavaScript template used by buglist.cgi could be used by a malicious script to permit an attacker to gain access to some information about bugs he would not normally be allowed to see, using the victim's credentials. To be exploitable, the victim must be logged in when visiting the attacker's malicious page."

>The fix for this issue is included in the 3.6.9, 4.0.6 and 4.2.1 releases.
>Upgrading to a release with the relevant fix will protect your
>installation from possible exploits of this issue.

fix and issue must be plural.

>If you are unable to upgrade but would like to patch just the
>individual security vulnerability, there is a patch available for
>the issue at the "References" URL for the vulnerability.

vulnerability and patch must be plural. Also, s/the issue/each issue/ s/the vulnerability/each vulnerability/
Attachment #615979 - Flags: review?(LpSolit) → review-
Updated • 12 years ago • Reporter
Attachment #615979 - Attachment is patch: false
Comment 7 • 12 years ago • Assignee
Attachment #615979 - Attachment is obsolete: true
Attachment #616180 - Flags: review?(LpSolit)
Comment 8 • 12 years ago • Reporter
Comment on attachment 616180 [details]
3.6.8 sec advisory (v4)

>releases. Upgrading to a release with the relevant fixes will protect your
>installation from possible exploits of this issue.

s/this issue/these issues/. This can be fixed before sending the sec adv by email.

r=LpSolit
Attachment #616180 - Flags: review?(LpSolit) → review+
Comment 9 • 12 years ago • Reporter
Security Advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED