Mageia alert MGASA-2014-0412 (bugzilla)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2014-0412: Updated bugzilla packages fix security vulnerabilities 
Date:
    	     
 
Thu, 9 Oct 2014 16:39:50 +0200
Message-ID:
    	     
 
<20141009143950.90C695CB53@valstar.mageia.org>
MGASA-2014-0412 - Updated bugzilla packages fix security vulnerabilities

Publication date: 09 Oct 2014
URL: http://advisories.mageia.org/MGASA-2014-0412.html

Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-1571,
     CVE-2014-1572,
     CVE-2014-1573

Description:
Updated bugzilla packages fix security vulnerabilities:

If a new comment was marked private to the insider group, and a flag was set
in the same transaction, the comment would be visible to flag recipients
even if they were not in the insider group (CVE-2014-1571).

An attacker creating a new Bugzilla account can override certain parameters
when finalizing the account creation that can lead to the user being created
with a different email address than originally requested. The overridden
login name could be automatically added to groups based on the group's
regular expression setting (CVE-2014-1572).

During an audit of the Bugzilla code base, several places were found where
cross-site scripting exploits could occur which could allow an attacker to
access sensitive information (CVE-2014-1573).

References:
- https://bugs.mageia.org/show_bug.cgi?id=14241

- http://www.bugzilla.org/security/4.0.14/

- http://www.bugzilla.org/releases/4.4.6/release-notes.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1571

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1572

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1573


SRPMS:
- 4/core/bugzilla-4.4.6-1.mga4
- 3/core/bugzilla-4.4.6-1.mga3