From:	 David Miller <justdave@syndicomm.com>
To:	 bugtraq@securityfocus.com
Subject: Security Advisory for Bugzilla v2.13 and older
Date:	 Wed, 29 Aug 2001 18:55:42 -0400

All users of Bugzilla, the bug-tracking system from mozilla.org, are
strongly recommended to update to version 2.14.

Bugzilla 2.14 is a general security update, but not all of the security
issues are serious.

Serious issues include:

    * Multiple instances where data on "confidential" bugs could be
      obtained by valid users of the system who are not authorized to
      see it.
    * Multiple instances of security holes where parameters were not being
      checked/escaped properly.

There are many patches that need to be applied to properly close these
holes, so they are not included here.  If you will not be upgrading your
system to 2.14 and instead wish to apply these patches to your existing
system, please consult the bug reports on bugzilla.mozilla.org for the bug
numbers listed below, where you can obtain the patches attached to those
bugs.

Complete bug reports for all bugs can be obtained by visiting the
following URL:  http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX
where you replace the XXXXX at the end of the URL with a bug number as
listed below.  You may also enter the bug numbers in the "enter a bug#" box
on the main page at http://bugzilla.mozilla.org/ or in the footer of any
other page on bugzilla.mozilla.org.

*** SECURITY ISSUES RESOLVED ***

- Multiple instances of unauthorized access to confidential
  bugs have been fixed.
  (bug 39524, 39526, 39527, 39531, 39533, 70189, 82781)
- Multiple instances of untrusted parameters not being
  checked/escaped were fixed.  These included definite security
  holes.
  (bug 38854, 38855, 38859, 39536, 87701, 95235)
- After logging in, passwords no longer appear in the URL.
  (bug 15980)
- Procedures to prevent unauthorized access to confidential
  files are now simpler.  In particular the shadow directory
  no longer exists and the data/comments file no longer needs
  to be directly accessible, so the entire data directory can
  be blocked.  However, no changes are required here if you
  have a properly secured 2.12 installation as no new files
  must be protected.
  (bug 71552, 73191)
- If they do not already exist, checksetup.pl will attempt to
  write Apache .htaccess files by default, to prevent
  unauthorized access to confidential files.  You can turn this
  off in the localconfig file.
  (bug 76154)
- Sanity check can now only be run by people in the 'editbugs'
  group.  Although it would be better to have a separate
  group, this is not possible until the limitation on the
  number of groups allowed has been removed.
  (bug 54556)
- The password is no longer stored in plaintext form.  It will
  be eradicated next time you run checksetup.pl.  A user must
  now change their password via a password change request that
  gets validated at their e-mail account, rather than have it
  mailed to them.
  (bug 74032)
- When you are using product groups and you move a bug between
  products (single or mass change), the bug will no longer be
  restricted to the old product's group (if it was) and will
  be restricted to the new product's group.
  (bug 66235)
- There are now options on a bug to choose whether the
  reporter, assignee, QA and CCs can access a bug even if
  they aren't in the groups the bug is restricted to.
  (bug 39816)
- You can no longer mark a bug as a duplicate of a bug you
  can't see, and if you mark a bug as a duplicate of a bug
  the reporter cannot see, you will be given options as to
  what to do about adding the reporter of the resolved
  bug to the CC list of the open bug.
  (bug 96085)
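As an added example (not part of this advisory and not checksetup.pl's own code), the following POSIX shell audit goes with the items above about blocking the data directory and the .htaccess files checksetup.pl writes: it checks whether a directory carries a deny-all Apache .htaccess and reports on the directories the advisory says can be blocked outright in 2.14. The directory names checked and the sample layout it builds are assumptions made for the example.

```shell
#!/bin/sh
# Added audit helper: does "$1/.htaccess" deny all web access?
# Accepts the Apache 1.3/2.2 "deny from all" form and the 2.4
# "Require all denied" form. Returns 0 if blocked, 1 otherwise.
htaccess_blocks_all() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    # drop comments, lowercase, squeeze blanks, then match a deny-all line
    if sed 's/#.*//' "$f" | tr 'A-Z' 'a-z' | tr -s ' \t' ' ' \
        | grep -qE '^ *(deny from all|require all denied) *$'; then
        return 0
    fi
    return 1
}

# Walk the directories the advisory says can be blocked entirely:
# data/ (always) and the obsolete shadow/ directory if an older
# install left it behind. Prints one line per directory and returns
# the number of directories found without a deny-all .htaccess.
audit_bugzilla_root() {
    root="$1"
    bad=0
    for d in data shadow; do
        [ -d "$root/$d" ] || continue
        if htaccess_blocks_all "$root/$d"; then
            echo "OK       $root/$d is denied by .htaccess"
        else
            echo "EXPOSED  $root/$d has no deny-all .htaccess"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample layout (not a real install): data/ is protected,
# a leftover shadow/ directory is not. Prints the temp root path.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/data" "$r/shadow"
    printf '# deny-all stanza\ndeny from all\n' > "$r/data/.htaccess"
    echo "$r"
}

# Stand-alone run: audit the constructed layout, then clean up.
root=$(make_sample_root)
audit_bugzilla_root "$root"
rm -rf "$root"
```

A deny-all .htaccess only takes effect when the server's AllowOverride setting lets it be honored, so a request for a file under data/ against the live server is the real confirmation.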

General information about the Bugzilla bug-tracking system can be found at
http://www.mozilla.org/projects/bugzilla/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list (see http://www.mozilla.org/community.html for directions on how to
access these forums).
-- 
Dave Miller    justdave@syndicomm.com + justdave@justdave.net
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/            http://www.justdave.net/