U programskom paketu Bugzilla otkriveno je nekoliko sigurnosnih propusta koje udaljeni napadač može iskoristiti za umetanje HTML i skriptnog koda, te neovlašteni pristup sustavu.
Paket:
bugzilla 3.x, bugzilla 4.x
Operacijski sustavi:
Fedora 15, Fedora 16
Kritičnost:
6.1
Problem:
CSRF, neodgovarajuća provjera ulaznih podataka, pogreška u programskoj komponenti, XSS
Iskorištavanje:
udaljeno
Posljedica:
neovlašteni pristup sustavu, umetanje HTML i skriptnog koda
Jedan od nedostataka otkriven je u komponenti "User.offer_account_by_email" koja nepravilno rukuje postavkom "user_can_create_account". Ostali propusti su CSRF (eng. cross-site request forgery) tipa,a otkriveni u datotekama "post_bug.cgi" i "attachment.cgi". Također, dolazi i do XSS ranjivosti kada se koristi debug način rada.
Posljedica:
Prvi propust omogućuje udaljenom korisniku neovlašteno stvaranje novog korisničkog računa. Ostali propusti mogu se iskoristiti za umetanje HTML i skriptnog koda te presretanje autentikacije korisnika.
Rješenje:
Preporuča se korištenje službenih programskih zakrpi koje otklanjaju opisane propuste.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-0301
2012-01-11 05:14:42
--------------------------------------------------------------------------------
Name : bugzilla
Product : Fedora 16
Version : 4.0.3
Release : 1.fc16
URL : http://www.bugzilla.org/
Summary : Bug tracking system
Description :
Bugzilla is a popular bug tracking system used by multiple open source projects
It requires a database engine installed - either MySQL, PostgreSQL or Oracle.
Without one of these database engines (local or remote), Bugzilla will not work
- see the Release Notes for details.
--------------------------------------------------------------------------------
Update Information:
These new versions fix the following securtiy flaws:
CVE-2011-3657
CVE-2011-3667
CVE-2011-3668
CVE-2011-3669
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jan 8 2012 Emmanuel Seyman <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 4.0.3-1
- Update to 4.0.3
- Add perl(Locale::Language) to the Requires
- Add index.html to the DirectoryIndex
- Fix typo in README.fedora.bugzilla
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #744841 - Locale::Language is missing from the perl core package
https://bugzilla.redhat.com/show_bug.cgi?id=744841
[ 2 ] Bug #771402 - CVE-2011-3657 CVE-2011-3667 CVE-2011-3668 CVE-2011-3669
bugzilla: multiple security flaws fixed in 4.1.3, 4.0.2, 3.6.6, and 3.4.12
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=771402
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update bugzilla' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-0328
2012-01-11 05:19:02
--------------------------------------------------------------------------------
Name : bugzilla
Product : Fedora 15
Version : 3.6.7
Release : 1.fc15
URL : http://www.bugzilla.org/
Summary : Bug tracking system
Description :
Bugzilla is a popular bug tracking system used by multiple open source projects
It requires a database engine installed - either MySQL, PostgreSQL or Oracle.
Without one of these database engines (local or remote), Bugzilla will not work
- see the Release Notes for details.
--------------------------------------------------------------------------------
Update Information:
These new versions fix the following securtiy flaws:
CVE-2011-3657
CVE-2011-3667
CVE-2011-3668
CVE-2011-3669
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jan 8 2012 Emmanuel Seyman <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 3.6.7-1
- Update to 3.6.7
- Add perl(Locale::Language) to the Requires
- Add index.html to the DirectoryIndex
- Fix typo in README.fedora.bugzilla
* Fri Aug 5 2011 Emmanuel Seyman <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 3.6.6-1
- Update to 3.6.6
- Move graphs to /var/lib/bugzilla/graphs.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #744841 - Locale::Language is missing from the perl core package
https://bugzilla.redhat.com/show_bug.cgi?id=744841
[ 2 ] Bug #771402 - CVE-2011-3657 CVE-2011-3667 CVE-2011-3668 CVE-2011-3669
bugzilla: multiple security flaws fixed in 4.1.3, 4.0.2, 3.6.6, and 3.4.12
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=771402
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update bugzilla' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke