7004664 2001-08-29 18:55 -0400  /95 rader/ David Miller <justdave@syndicomm.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-08-30  01:55  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18996>
Ärende: Security Advisory for Bugzilla v2.13 and older
------------------------------------------------------------
From: David Miller <justdave@syndicomm.com>
To: bugtraq@securityfocus.com
Message-ID: <p05101008b7b322d72906@[10.0.1.201]>

All users of Bugzilla, the bug-tracking system from mozilla.org, are
strongly recommended to update to version 2.14.

Bugzilla 2.14 is a general security update, but not all of the
security issues are serious.

Serious issues include:

    * Multiple instances where data on "confidential" bugs could be
      obtained by valid users of the system who are not authorized to.
    * Multiple instances of security holes where parameters were not being
      checked/escaped properly.

There are many patches that need to be applied to properly close
these holes, so they are not included here.  If you will not be
upgrading your system to 2.14 and instead wish to apply these patches
to your existing system, please consult the bug reports on
bugzilla.mozilla.org for the bug numbers listed below, where you can
obtain the patches attached to those bugs.

Complete bug reports for all bugs can be obtained by visiting the
following URL:  http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX
where you replace the XXXXX at the end of the URL with a bug number
as listed below.  You may also enter the bug numbers in the "enter a
bug#" box on the main page at http://bugzilla.mozilla.org/ or in the
footer of any other page on bugzilla.mozilla.org.

*** SECURITY ISSUES RESOLVED ***

- Multiple instances of unauthorized access to confidential
  bugs has been fixed.
  (bug 39524, 39526, 39527, 39531, 39533, 70189, 82781)
- Multiple instances of untrusted parameters not being
  checked/escaped was fixed.  These included definite security
  holes.
  (bug 38854, 38855, 38859, 39536, 87701, 95235)
- After logging in passwords no longer appear in the URL.
  (bug 15980)
- Procedures to prevent unauthorized access to confidential
  files are now simpler.  In particular the shadow directory
  no longer exists and the data/comments file no longer needs
  to be directly accessible, so the entire data directory can
  be blocked.  However, no changes are required here if you
  have a properly secured 2.12 installation as no new files
  must be protected.
  (bug 71552, 73191)
- If they do not already exist, checksetup.pl will attempt to
  write Apache .htaccess files by default, to prevent
  unauthoried access to confidential files.  You can turn this
  off in the localconfig file.
  (bug 76154)
- Sanity check can now only be run by people in the 'editbugs'
  group.  Although it would be better to have a separate
  group, this is not possible until the limitation on the
  number of groups allowed has been removed.
  (bug 54556)
- The password is no longer stored in plaintext form.  It will
  be eradicated next time you run checksetup.pl.  A user must
  now change their password via a password change request that
  gets validated at their e-mail account, rather than have it
  mailed to them.
  (bug 74032)
- When you using product groups and you move a bug between
  products (single or mass change), the bug will no longer be
  restricted to the old product's group (if it was) and will
  be restricted to the new product's group.
  (bug 66235)
- There are now options on a bug to choose whether the
  reporter, assignee, QA and CCs can access a bug even if
  they aren't in groups the bug it is restricted to.
  (bug 39816)
- You can no longer mark a bug as a duplicate of a bug you
  can't see, and if you mark a bug a duplicate of a bug
  the reporter cannot see you will be given options as to
  what to do regarding adding the reporter of the resolved
  bug to the CC of the open bug.
  (bug 96085)

General information about the Bugzilla bug-tracking system can be
found at http://www.mozilla.org/projects/bugzilla/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list (see http://www.mozilla.org/community.html for
directions how to access these forums).
-- 
Dave Miller    justdave@syndicomm.com + justdave@justdave.net
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/            http://www.justdave.net/
(7004664) /David Miller <justdave@syndicomm.com>/(Ombruten)