Browse archive

Latest news

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Is accessing work apps on the move destructive?

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

New regulation for ENISA, the EU cybersecurity agency

F-Secure advances fight against exploits

Free anti-spam software for the Mac

Information security executives need to be strategic thinkers

U.S. tech companies sharing bug info with U.S. govt before releasing fixes

Account takeover attempts have nearly doubled

It takes 10 hours to identify a security breach

Guccifer hacks U.S. nuclear security agency chief

British GCHQ spied on G20 delegates to gain advantage in talks

Hacking charge stations for electric cars

Risks

Vulnerabilities

Security Advisory for Bugzilla v2.15 and older

07 January 2002

All users of Bugzilla, the bug-tracking system from mozilla.org, who are using a version of Bugzilla installed from a downloaded tarball or package file are strongly recommended to update to version 2.14.1.

All users of Bugzilla who are currently using version 2.15 checked out of cvs prior to 15 December 2001 are strongly recommended to use 'cvs update' to obtain the current cvs code.

Bugzilla 2.14.1 is a security update; patches from a number of security-related bugs which have already been applied to the working source version 2.15 in cvs, have been applied to Bugzilla 2.14 to create the new stable release 2.14.1, which fixes several security issues discovered since version 2.14 was released, which we believe are too serious to wait for our upcoming 2.16 release.

There are many patches that need to be applied to properly close these holes, so they are not included here. If you will not be upgrading your system and instead wish to apply these patches to your existing system, a single patch which can be applied to a Bugzilla 2.14 installation is available at http://www.bugzilla.org/bugzilla2.14to2.14.1.patch

Complete bug reports for all bugs can be obtained by visiting the following URL: http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX where you replace the XXXXX at the end of the URL with a bug number as listed below. You may also enter the bug numbers in the "enter a bug#" box on the main page at http://bugzilla.mozilla.org/ or in the footer of any other page on bugzilla.mozilla.org.

*** SECURITY ISSUES RESOLVED ***

- Multiple instances of user-account hijacking capability were fixed (Bugs 54901, 108385, 185516)

- Two occurrences of allowing data protected by Bugzilla's groupset restrictions to be visible to users outside of those groups were fixes (Bugs 102141, 108821)

- One instance of an untrusted variable being echoed back to a user via HTML was fixed (Bug 98146)

- Multiple instances of untrusted variables being passed to SQL queries were fixed (Bugs 108812, 108822, 109679, 109690)

More detailed summaries of the specific exploits are available in the release notes, which are available on the project web site.

General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list (see http://www.mozilla.org/community.html for directions how to access these forums).

--
Dave Miller
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/ bugdude1@syndicomm.com