Home page logo

bugtraq logo Bugtraq mailing list archives

[BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 Prior To 2.14.2, 2.16 Prior To 2.16rc2
From: David Miller <justdave () syndicomm com>
Date: Sat, 8 Jun 2002 02:50:12 -0400

Bugzilla Security Advisory

Jun 8th, 2002

All Bugzilla installations are advised to upgrade to the latest versions
of Bugzilla released today, 2.14.2 and 2.16rc2.

Various security issues of varying importance have been fixed in
Bugzilla 2.14.2.  Most of these were fixed already in 2.16rc1, a few
were not.

Hence, if you are running 2.14.1 or earlier, it is advised you upgrade
to 2.14.2.  Whereas if you were running 2.15 or 2.16rc1, it is advised
you upgrade to 2.16rc2.

There are many patches that need to be applied to properly close these
holes, so they are not included here.  If you will not be upgrading your
system and instead wish to apply these patches to your existing system, a
single patch which can be applied to a Bugzilla 2.14.1 installation is
available at
and a patch which can be applied to a Bugzilla 2.14 installation is at

Full downloads (rather than patches) are available at

Complete bug reports for all bugs can be obtained by visiting the
following URL:  http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX
where you replace the XXXXX at the end of the URL with a bug number as
listed below.  You may also enter the bug numbers in the "enter a bug#" box
on the main page at http://bugzilla.mozilla.org/ or in the footer of any
other page on bugzilla.mozilla.org.

A complete list of issues solved in 2.14.2 follows:

- queryhelp.cgi no longer shows confidential products to
  people it shouldn't.
  (bug 126801)

- It was possible for a user to bypass the IP check by
  setting up a fake reverse DNS, if the Bugzilla web server
  was configured to do reverse DNS lookups.  Apache is not
  configured as such by default.  This is not a complete
  exploit, as the user's login cookie would also need to
  be divulged for this to be a problem.
  (bug 129466)

- In some situations the data directory became world writeable.
  (bug 134575)

- Any user with access to editusers.cgi could delete a user
  regardless of whether 'allowuserdeletion' is on.
  (bug 141557)

- Real names were not HTML filtered, causing possible cross
  site scripting attacks.
  (bug 146447, 147486)

- Mass change would set the groupset of every bug to be the
  groupset of the first bug.
  (bug 107718)

- Some browsers (eg NetPositive) interacted with Bugzilla
  badly and could have various form problems, including
  removing group restrictions on bugs.
  (bug 148674)

- It was possible for random confidential information to be
  divulged, if the shadow database was in use and became
  (bug 92263)

- The bug list sort order is now stricter about the SQL it will accept,
  ensuring you use correct column name syntax.  Before this, there were
  some syntax checks, so it is not known whether this problem was
  (bug 130821)

General information about the Bugzilla bug-tracking system can be found at

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list (see http://www.mozilla.org/community.html for directions how to
access these forums).

Dave Miller      Project Leader, Bugzilla Bug Tracking System
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/            http://www.bugzilla.org/

  By Date           By Thread  

Current thread:
  • [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 Prior To 2.14.2, 2.16 Prior To 2.16rc2 David Miller (Jun 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]