Security vulnerabilities in Bugzilla
This is the latest Bugzilla Security Advisory:
All Bugzilla installations are advised to upgrade to the latest versions of Bugzilla released today, 2.14.2 and 2.16rc2.
Security issues of varying importance have been fixed in Bugzilla 2.14.2. Most of these were already fixed in 2.16rc1; a few were not.
Hence, if you are running 2.14.1 or earlier, it is advised you upgrade to 2.14.2. If you are running 2.15 or 2.16rc1, it is advised you upgrade to 2.16rc2.
There are many patches that need to be applied to properly close these holes, so they are not included here. If you will not be upgrading your system and instead wish to apply these patches to your existing system, a single patch which can be applied to a Bugzilla 2.14.1 installation is available at
(HNS Note: the patches below were linked incorrectly in the original advisory, so we fixed the URLs)
and a patch which can be applied to a Bugzilla 2.14 installation is at
Full downloads (rather than patches) are available at http://www.bugzilla.org/download.html
Complete bug reports for all bugs can be obtained by visiting the following URL: http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX where you replace the XXXXX at the end of the URL with a bug number as listed below. You may also enter the bug numbers in the "enter a bug#" box on the main page at http://bugzilla.mozilla.org/ or in the footer of any other page on bugzilla.mozilla.org.
A complete list of issues solved in 2.14.2 follows:
- queryhelp.cgi no longer shows confidential products to people it shouldn't. (bug 126801)
- It was possible for a user to bypass the IP check by setting up a fake reverse DNS, if the Bugzilla web server was configured to do reverse DNS lookups. Apache is not configured as such by default. This is not a complete exploit, as the user's login cookie would also need to be divulged for this to be a problem. (bug 129466)
- In some situations the data directory became world-writable. (bug 134575)
- Any user with access to editusers.cgi could delete a user regardless of whether 'allowuserdeletion' is on. (bug 141557)
- Real names were not HTML filtered, causing possible cross-site scripting attacks. (bug 146447, 147486)
- Mass change would set the groupset of every bug to be the groupset of the first bug. (bug 107718)
- Some browsers (e.g. NetPositive) interacted with Bugzilla badly and could have various form problems, including removing group restrictions on bugs. (bug 148674)
- It was possible for random confidential information to be divulged, if the shadow database was in use and became corrupted. (bug 92263)
- The bug list sort order is now stricter about the SQL it will accept, ensuring you use correct column name syntax. Before this, there were some syntax checks, so it is not known whether this problem was exploitable.
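
The stricter sort-order check in the last item can be pictured as allowlist validation of an ORDER BY fragment. The sketch below is an added example, not Bugzilla's code or its actual fix; the function names, the column allowlist and the sample inputs are assumptions made for illustration.

```python
import re

# Hypothetical allowlist of sortable columns (names are assumptions for this
# example, not taken from the advisory).
SORTABLE_COLUMNS = {
    "bugs.bug_id", "bugs.priority", "bugs.bug_severity",
    "bugs.bug_status", "bugs.delta_ts",
}

# One sort term: [table.]column with an optional ASC or DESC, nothing else.
TERM_RE = re.compile(
    r"([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?)(?:\s+(ASC|DESC))?",
    re.IGNORECASE,
)

# Constructed sample inputs, as a sort parameter might arrive in a request.
SAMPLES = ["bugs.priority desc, bugs.bug_id", "bugs.bug_id; DELETE FROM bugs"]


def safe_order_by(user_order, default="bugs.bug_id ASC"):
    """Return an ORDER BY fragment rebuilt from validated terms.

    Raises ValueError when a term is not plain column-name syntax or names a
    column outside the allowlist. The result is reassembled from the parsed
    pieces, so no user-typed text reaches the SQL verbatim.
    """
    if not user_order or not user_order.strip():
        return default
    terms = []
    for raw in user_order.split(","):
        term = raw.strip()
        match = TERM_RE.fullmatch(term)
        if match is None:
            raise ValueError(f"invalid sort term: {term!r}")
        column = match.group(1).lower()
        direction = (match.group(2) or "ASC").upper()
        if column not in SORTABLE_COLUMNS:
            raise ValueError(f"column not sortable: {column!r}")
        terms.append(f"{column} {direction}")
    return ", ".join(terms)


def is_rejected(user_order):
    """True when safe_order_by refuses the input."""
    try:
        safe_order_by(user_order)
    except ValueError:
        return True
    return False
```

Syntax checking alone would still let a caller sort on any column that exists, which is why the sketch pairs the pattern with an allowlist.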
General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/
Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list (see http://www.mozilla.org/community.html for directions on how to access these forums).