[Secure-testing-team] Re: [mkanat@bugzilla.org: Security Advisory for Bugzilla 2.18.3, 2.20rc2, and 2.21]
Martin Schulze
joey at infodrom.org
Thu Oct 6 07:04:36 UTC 2005
Martin Schulze wrote:
> Not sure if you saw this already. Could you check whether our versions
> in woody, sarge and/or sid are vulnerable and prepare updates?
The following CVE names have been assigned; please mention them in the
changelog in sid when you alter the package.
> ----- Forwarded message from mkanat at bugzilla.org -----
>
> Date: 1 Oct 2005 01:18:45 -0000
> From: mkanat at bugzilla.org
> To: bugtraq at securityfocus.com
> Subject: Security Advisory for Bugzilla 2.18.3, 2.20rc2, and 2.21
> X-Folder: bugtraq at lists.infodrom.org
>
> Summary
> =======
>
> Bugzilla is a Web-based bug-tracking system, used by a large number of
> software projects.
>
> This advisory covers two security bugs that have recently been
> discovered and fixed in the Bugzilla code:
>
> + config.cgi exposes information to users who aren't logged in, even
> when "requirelogin" is turned on in Bugzilla.
This is CAN-2005-3138.
> + It is possible to bypass the "user visibility groups" restrictions
> if user-matching is turned on in "substring" mode.
This is CAN-2005-3139.
URL: http://marc.theaimsgroup.com/?l=bugtraq&m=112818466125484&w=2
Alex said:
> Sarge has 2.16.7, so it's not vulnerable.
> Etch and sid have 2.18.3 and are therefore vulnerable.
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
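The second advisory item (CAN-2005-3139) is a bypass of "user visibility groups" when user-matching runs in substring mode. The following Python model is an added illustration of that class of bug and is not code from Bugzilla, the advisory, or Debian: it assumes a user table, a visibility policy, and a matcher that applies the visibility filter in exact mode but skips it in substring mode. All logins, groups, and the policy are constructed sample data, and the mechanism shown is an assumption about the bug class, not a description of Bugzilla's actual code.

```python
"""Illustrative model (not Bugzilla's code) of a "user visibility groups"
bypass via substring user-matching, beside a hardened matcher that applies
the visibility filter before any matching is done."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set

@dataclass(frozen=True)
class User:
    login: str
    groups: FrozenSet[str]

# Constructed sample data: two internal staff, two partner-company users.
USERS: List[User] = [
    User("alice@example.org", frozenset({"staff"})),
    User("bob@example.org", frozenset({"staff"})),
    User("carol@partner.example", frozenset({"partner"})),
    User("dave@partner.example", frozenset({"partner"})),
]

# Constructed visibility policy: a requester in group G may see members of
# the groups listed under G. Partners may only see other partners.
VISIBILITY = {
    "staff": {"staff", "partner"},
    "partner": {"partner"},
}

def get_user(login: str) -> User:
    """Look up a sample user by login (raises KeyError if absent)."""
    for u in USERS:
        if u.login == login:
            return u
    raise KeyError(login)

def visible_groups(requester: User) -> Set[str]:
    """Union of all groups the requester is allowed to see."""
    allowed: Set[str] = set()
    for g in requester.groups:
        allowed |= VISIBILITY.get(g, set())
    return allowed

def can_see(requester: User, target: User) -> bool:
    """True if the target is in at least one group visible to the requester."""
    return bool(target.groups & visible_groups(requester))

def match_users_vulnerable(query: str, requester: User, mode: str) -> List[str]:
    """Bug-class model: exact mode checks visibility, substring mode does not.

    The substring branch searches the whole user table, so a restricted
    requester can enumerate logins outside its visibility groups.
    """
    if mode == "exact":
        return [u.login for u in USERS
                if u.login == query and can_see(requester, u)]
    if mode == "substring":
        return [u.login for u in USERS if query in u.login]  # no visibility check
    raise ValueError("mode must be 'exact' or 'substring'")

def match_users_fixed(query: str, requester: User, mode: str) -> List[str]:
    """Hardened form: narrow the candidate set by visibility first, then
    apply whichever matching mode is configured, so no mode can widen it."""
    candidates = [u for u in USERS if can_see(requester, u)]
    if mode == "exact":
        return [u.login for u in candidates if u.login == query]
    if mode == "substring":
        return [u.login for u in candidates if query in u.login]
    raise ValueError("mode must be 'exact' or 'substring'")

if __name__ == "__main__":
    carol = get_user("carol@partner.example")
    # A partner user probing for staff addresses with a substring query.
    print("vulnerable:", match_users_vulnerable("example.org", carol, "substring"))
    print("fixed:     ", match_users_fixed("example.org", carol, "substring"))
```

The point of the hardened version is ordering: the authorization filter is applied to the candidate set before the matching mode is consulted, so adding or switching a matching mode later cannot reopen the hole. Run the script directly to see the partner user enumerate staff logins through the vulnerable matcher and get nothing back from the fixed one.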