
Fedora alert FEDORA-2010-17280 (bugzilla)

From:  updates@fedoraproject.org
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 13 Update: bugzilla-3.4.9-1.fc13
Date:  Sun, 14 Nov 2010 21:28:33 +0000
Message-ID:  <20101114212833.11E8C110625@bastion02.phx2.fedoraproject.org>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-17280
2010-11-04 22:23:01
--------------------------------------------------------------------------------

Name        : bugzilla
Product     : Fedora 13
Version     : 3.4.9
Release     : 1.fc13
URL         : http://www.bugzilla.org/
Summary     : Bug tracking system
Description :
Bugzilla is a popular bug tracking system used by multiple open source projects
It requires a database engine installed - either MySQL, PostgreSQL or Oracle.
Without one of these database engines (local or remote), Bugzilla will not work
- see the Release Notes for details.

--------------------------------------------------------------------------------
Update Information:

The following security issues have been discovered in Bugzilla:

  * There is a way to inject both headers and content to users, causing a
    serious Cross-Site Scripting vulnerability.
  * It was possible to see graphs from Old Charts even if you did not have
    access to a particular product, and you could browse a particular URL to
    see all product names.
  * YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a
    security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1
    and above has been updated to 2.8.2.

These are tracked by CVE-2010-3764.

--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov  3 2010 Emmanuel Seyman <emmanuel.seyman@club-internet.fr> - 3.4.9-1
- Update to 3.4.9
* Thu Aug 19 2010 Emmanuel Seyman <emmanuel.seyman@club-internet.fr> - 3.4.8-2
- Bump to correct changelog version
* Wed Aug 18 2010 Emmanuel Seyman <emmanuel.seyman@club-internet.fr> - 3.4.8-1
- Update to 3.4.8 (#623426, #615331)
- Only run checksetup if /etc/bugzilla/localconfig does not exist (#610210)
- Add bugzilla-contrib to Requires (#610198)
* Wed Jun 30 2010 Emmanuel Seyman <emmanuel.seyman@club-internet.fr> - 3.4.7-2
- Remove mod_perl from the requirements (#600924)
* Fri Jun 25 2010 Emmanuel Seyman <emmanuel.seyman@club-internet.fr> - 3.4.7-1
- Update to 3.4.7 (CVE-2010-1204)

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #649398 - CVE-2010-3172 bugzilla: header and content injection vulnerability via Server Push
        https://bugzilla.redhat.com/show_bug.cgi?id=649398
  [ 2 ] Bug #649404 - CVE-2010-3764 bugzilla: information leak via Old Charts system
        https://bugzilla.redhat.com/show_bug.cgi?id=649404

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update bugzilla' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys

--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...




Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds