LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

bugzilla: SQL injection

Package(s):bugzilla CVE #(s):CVE-2009-3125 CVE-2009-3165 CVE-2009-3166
Created:September 21, 2009 Updated:June 4, 2010
Description: From the Bugzilla advisory:

* Two SQL injection attacks have been discovered in Bugzilla. One only affects the 3.4 series, while the other affects the 3.0, 3.2, and 3.4 series. These are extremely serious vulnerabilities that must be patched immediately.

* When a user would change his password, his new password would be exposed in the URL field of the browser if he logged in right after changing his password.

Alerts:
Gentoo 201006-19:02 2010-06-04
Fedora FEDORA-2009-9550 2009-09-15
Fedora FEDORA-2009-9554 2009-09-15
Debian DSA-1913-1 2009-10-17
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds