Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0239 Bugzilla 4.4rc1, 4.2.4, 4.0.9, and 3.6.12 Security Advisory 21 February 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Bugzilla Publisher: Bugzilla Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-0786 CVE-2013-0785 Original Bulletin: http://www.bugzilla.org/security/3.6.12/ - --------------------------BEGIN INCLUDED TEXT-------------------- 4.4rc1, 4.2.4, 4.0.9, and 3.6.12 Security Advisory Tuesday Feb 19th, 2013 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * When viewing a bug report, a bug ID containing random code is not correctly sanitized in the HTML page if the specified page format is invalid. This can lead to XSS. * When running a query in debug mode, it is possible to determine if a given confidential field value (such as a product name) exists. Bugzilla 4.1 and newer are not affected by this issue. All affected installations are encouraged to upgrade as soon as possible. Vulnerability Details ===================== Class: Cross-Site Scripting Versions: 2.0 to 3.6.12, 3.7.1 to 4.0.9, 4.1.1 to 4.2.4, 4.3.1 to 4.4rc1 Fixed In: 3.6.13, 4.0.10, 4.2.5, 4.4rc2 Description: When viewing a single bug report, which is the default, the bug ID is validated and rejected if it is invalid. But when viewing several bug reports at once, which is specified by the format=multiple parameter, invalid bug IDs can go through and are sanitized in the HTML page itself. But when an invalid page format is passed to the CGI script, the wrong HTML page is called and data are not correctly sanitized, which can lead to XSS. References: https://bugzilla.mozilla.org/show_bug.cgi?id=842038 CVE Number: CVE-2013-0785 Class: Information Leak Versions: 2.17.1 to 3.6.12, 3.7.1 to 4.0.9 Fixed In: 3.6.13, 4.0.10 Description: When running a query in debug mode, the generated SQL query used to collect the data is displayed. The way this SQL query is built permits the user to determine if some confidential field value (such as a product name) exists. This problem only affects Bugzilla 4.0.9 and older. Newer releases are not affected by this issue. References: https://bugzilla.mozilla.org/show_bug.cgi?id=824399 CVE Number: CVE-2013-0786 Vulnerability Solutions ======================= The fixes for these issues are included in the 3.6.13, 4.0.10, 4.2.5 and 4.4rc2 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues. If you are unable to upgrade but would like to patch just the individual security vulnerabilities, there are patches available for each issue at the "References" URL for each vulnerability. Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS/bzr upgrade instructions are available at: http://www.bugzilla.org/download/ Credits ======= The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix this issue: Frédéric Buclin Simon Green Byron Jones SimranJeet Singh General information about the Bugzilla bug-tracking system can be found at: http://www.bugzilla.org/ Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUSXJQe4yVqjM2NGpAQL/EhAAspRGS8LnNfeyLnJr0Kaw6hJxT2Vu63qe UlppllaixwygtB9HNF7Toy9yzAnTE+foBOPzG/VDMvWSvFAdfLFgCfpN3SFqOzFZ ZeFdOsEBQe824nmY6qBD1/YGJn40OPFwBoMPzNfRSJEVfETtihtS6uCKDVmTHiFi LHJk6V4NqTalxYW5MbYfLcDM0rknpx7Tzj8Wmc1RJAWdRk1mCyMJqJggCLsf6U2I EdREODXtsaXZhIMQsD8+rjrxv7Z/nycvLe3K/7nID3D3BTLvGWT9kUOzKCnUa3iR AN5RdmJ42Me+r9W2zmdOP1IFS/3BncOEO/nFrOywFdqAG8dqgfbvvrQxq36C5drB oWmNguXhoGTSBw3Nw+nYWzRK8eE4il+7u5fgtjjhU9rQyt/mhzAouNLcc0lPjdf9 MjTXHhAKRxi9XZ4VvrXp0W5sat7B4wCrZABqBqbmndAN9DCxhEzSktGKnOugHF0h K/ipOF7DBrhs/5R0NSoh1CYPFcY+oDHtZ5uvOfpUkGyAukjH0T4y0PYqTS5X80Sg oNU2r6Krax0sZ7rObBoKzLORp9+ab5W30tSyxOkGNJ8+Gzz0SBqdlw5qjMJjgYeP 7wdl2evR2VepalLJwCoLSJSkvKjPTcwLGl0xldFO0gC6JP0O1DE7PO+k43xSOPZy xHDz1UnP1Rc= =LSd/ -----END PGP SIGNATURE-----