[BUGZILLA] Security Advisory - information leak
Bugzilla Security Advisory
November 9, 2003
Summary
=======
Bugzilla is a Web-based bug-tracking system, currently used by a large
number of software projects.
This advisory covers a security bug which was accidently introduced in
development version 2.17.5 and subsequently fixed in the Bugzilla code
involving unprivileged access to restricted data.
All Bugzilla installations who have upgraded to the 2.17.5 development
snapshot are encouraged to obtain version 2.17.6 or apply the relevant
patch.
The current stable version of Bugzilla is 2.16.4, and is not affected
by this advisory.
Vulnerability Details
=====================
Class: Information leak
Versions: 2.17.5 is the only version affected.
Description: A new feature was introduced in version 2.17.5 which allows
remote websites to build tooltips and other dynamically
generated data using current bug information retrieved from
Bugzilla. A security lapse in the initial implementation
of this feature allows the remote site to obtain that
information from Bugzilla using the privileges of the
client user.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=195530
Vulnerability Solutions
=======================
The fix for the security bug mentioned in this advisory is included in
the 2.17.6 release. Upgrading to this release will protect
installations from this issue. As stated above, this only affects
Bugzilla 2.17.5, and does not affect the stable version 2.16.4.
Full release downloads of Bugzilla 2.17.6 and CVS upgrade instructions
can be found at:
http://www.bugzilla.org/download.html
A specific patch for this issue can be found on the corresponding bug
report, at the URL given in the reference for the issue in the
Vulnerability Details section above.
Credits
=======
The Bugzilla team wish to thank Gervase Markham for discovering and
fixing this promptly after he introduced it.
General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/
Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.
-30-
--
Dave Miller Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/