Martin Schulze
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [mkanat@bugzilla.org: Security Advisory for Bugzilla 2.18.3, 2.20rc2, and 2.21]
Martin Schulze wrote:
> Not sure if you saw this already. Could you check whether our versions
> in woody, sarge and/or sid are vulnerable and prepare updates?

The following CVE names have been assigned, please mention them in the changelog in sid when you alter the package.

> ----- Forwarded message from mkanat@bugzilla.org -----
>
> Date: 1 Oct 2005 01:18:45 -0000
> From: mkanat@bugzilla.org
> To: bugtraq@securityfocus.com
> Subject: Security Advisory for Bugzilla 2.18.3, 2.20rc2, and 2.21
> X-Folder: bugtraq@lists.infodrom.org
>
> Summary
> =======
>
> Bugzilla is a Web-based bug-tracking system, used by a large number of
> software projects.
>
> This advisory covers two security bugs that have recently been
> discovered and fixed in the Bugzilla code:
>
> + config.cgi exposes information to users who aren't logged in, even
> when "requirelogin" is turned on in Bugzilla.

This is CAN-2005-3138.

> + It is possible to bypass the "user visibility groups" restrictions
> if user-matching is turned on in "substring" mode.

This is CAN-2005-3139.

URL: http://marc.theaimsgroup.com/?l=bugtraq&m=112818466125484&w=2

Alex said:
> Sarge has 2.16.7, so it's not vulnerable.
> Etch and Sid have 2.18.3 and then, are vulnerable.

Regards,

Joey

-- 
Ten years and still binary compatible. -- XFree86