Date: Mon, 3 Sep 2007 20:44:16 GMT From: Nick Barkas <snb@threerings.net> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/116060: [patch] security/vuxml update for vulnerabilities in devel/bugzilla and other bugzilla ports Message-ID: <200709032044.l83KiGpv091541@www.freebsd.org> Resent-Message-ID: <200709032050.l83Ko2OK017275@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 116060 >Category: ports >Synopsis: [patch] security/vuxml update for vulnerabilities in devel/bugzilla and other bugzilla ports >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Mon Sep 03 20:50:01 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Nick Barkas >Release: 7.0-CURRENT >Organization: Three Rings Design >Environment: FreeBSD freebsd-current.localdomain 7.0-CURRENT-200706 FreeBSD 7.0-CURRENT-200706 #0: Sun Jun 3 18:41:02 UTC 2007 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: http://www.bugzilla.org/security/2.20.4/ lists a number of vulnerabilities in Bugzilla. This is an update to the VuXML document to notify users of Bugzilla ports about these. >How-To-Repeat: >Fix: Patch attached with submission follows: diff -urN vuxml.orig/vuln.xml vuxml/vuln.xml --- vuxml.orig/vuln.xml Mon Sep 3 21:58:32 2007 +++ vuxml/vuln.xml Mon Sep 3 22:38:29 2007 @@ -34,6 +34,53 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="75231c63-f6a2-499d-8e27-787773bda284"> + <topic>bugzilla -- multiple vulnerabilities</topic> + <affects> + <package> + <name>bugzilla</name> + <name>ja-bugzilla</name> + <range><lt>3.0.1</lt></range> + </package> + <package> + <name>bugzilla2</name> + <range><lt>2.22.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>A Bugzilla Security Advisory reports:</p> + <blockquote cite="http://www.bugzilla.org/security/2.20.4/">; + <p>This advisory covers three security issues that have recently been + fixed in the Bugzilla code:</p> + <ul> + <li>A possible cross-site scripting (XSS) vulnerability when filing + bugs using the guided form.</li> + <li>When using email_in.pl, insufficiently escaped data may be + passed to sendmail.</li> + <li>Users using the WebService interface may access Bugzilla's + time-tracking fields even if they normally cannot see them.</li> + </ul> + <p>We strongly advise that 2.20.x and 2.22.x users should upgrade to + 2.20.5 and 2.22.3 respectively. 3.0 users, and users of 2.18.x or + below, should upgrade to 3.0.1.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.bugzilla.org/security/2.20.4/</url>; + <cvename>CVE-2007-4538</cvename> + <cvename>CVE-2007-4539</cvename> + <cvename>CVE-2007-4543</cvename> + <bid>25425</bid> + <url>http://secunia.com/advisories/26584</url>; + </references> + <dates> + <discovery>2007-8-23</discovery> + <entry>2007-9-3</entry> + </dates> + </vuln> + <vuln vid="45500f74-5947-11dc-87c1-000e2e5785ad"> <topic>fetchmail -- denial of service on reject of local warning message</topic> >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200709032044.l83KiGpv091541>