[Bug 1185483] New: CVE-2014-8630 Bugzilla: Command Injection into product names and other attributes
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185483
Bug ID: 1185483
Summary: CVE-2014-8630 Bugzilla: Command Injection into product names and other attributes
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: bazanluis20(a)gmail.com, emmanuel(a)seyman.fr, itamar(a)ispbrasil.com.br, perl-devel(a)lists.fedoraproject.org, xavier(a)bachelot.org
The Bugzilla project reports:
Class: Command Injection
Versions: All versions before 4.0.16, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6
Fixed In: 4.0.16, 4.2.12, 4.4.7, 5.0rc1
Description: Some code in Bugzilla does not properly use the 3-argument form of open(), and it is possible for an account with editcomponents permissions to inject commands into product names and other attributes.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
CVE Number: CVE-2014-8630
External references:
http://www.bugzilla.org/security/4.0.15/
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=wv1CAf1O1K&a=cc_unsubscribe
6 years
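The advisory above turns on a Perl detail: the two-argument open() inspects the string it is given for mode characters and pipes, so a product name that reaches such a call is interpreted rather than treated as a filename, while the three-argument form fixes the mode and takes the path literally. The script below is an added example, not Bugzilla code or the upstream fix; the product names, the temporary directory and the helper names looks_like_magic_open_name and read_product_file are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla code): why two-argument open() is unsafe with
# user-controlled strings, and the three-argument form the fix relies on.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

my $dir = tempdir(CLEANUP => 1);   # scratch directory, removed on exit

# Constructed product names. The last three carry meaning for a 2-arg open():
# perlfunc documents a trailing '|' as "read from this command", a leading '|'
# as "write to this command" and a leading '>' as "truncate and write".
my @product_names = (
    'Firefox',
    'Core Graphics',
    'nothing|',
    '|nothing',
    '>overwrite.me',
);

# Defence-in-depth input check for names that will end up in file paths:
# flag anything a 2-arg open() would not treat as a plain filename.
sub looks_like_magic_open_name {
    my ($name) = @_;
    return 1 if $name =~ /^\s*[<>+|-]/;   # leading mode characters, or '-' (STDIN/STDOUT)
    return 1 if $name =~ /\|\s*$/;        # trailing pipe
    return 1 if $name =~ /\x00/;          # embedded NUL truncates the path at the C level
    return 0;
}

# Safe reader: with an explicit '<' mode, $path is always a literal filename,
# whatever characters it contains. This is the 3-argument form.
sub read_product_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

for my $name (@product_names) {
    my $path = File::Spec->catfile($dir, $name);
    my $verdict = looks_like_magic_open_name($name) ? 'REJECT' : 'ok';

    # Create a file literally named $name (3-arg form again), then read it back
    # to show that the odd characters are never interpreted.
    open(my $out, '>', $path) or die "cannot create $path: $!";
    print $out "data for $name\n";
    close $out;

    my $back = read_product_file($path) // '(open failed)';
    chomp $back;
    printf "%-7s %-15s -> %s\n", $verdict, $name, $back;
}
```

Run it as plain `perl` on a Unix system; every name, including the three flagged ones, is created and read back verbatim because both open() calls fix the mode explicitly. The input check is a second layer for values that get stored and reused across many code paths; it does not replace auditing every open() for the two-argument form.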
[Bug 1150091] New: CVE-2014-1571 CVE-2014-1572 CVE-2014-1573 bugzilla: security fixes release
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1150091
Bug ID: 1150091
Summary: CVE-2014-1571 CVE-2014-1572 CVE-2014-1573 bugzilla: security fixes release
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: bazanluis20(a)gmail.com, emmanuel(a)seyman.fr, itamar(a)ispbrasil.com.br, mcepl(a)redhat.com, perl-devel(a)lists.fedoraproject.org
Upstream has issued an advisory today (October 6):
http://www.bugzilla.org/security/4.0.14/
Class: Unauthorized Account Creation
Versions: 2.23.3 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Fixed In: 4.0.15, 4.2.11, 4.4.6, 4.5.6
Description: An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name could be automatically added to groups based on the group's regular expression setting.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1074812
CVE Number: CVE-2014-1572
Class: Cross-Site Scripting
Versions: 2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Fixed In: 4.0.15, 4.2.11, 4.4.6, 4.5.6
Description: During an audit of the Bugzilla code base, several places
were found where cross-site scripting exploits could occur which
could allow an attacker to access sensitive information.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1075578
CVE Number: CVE-2014-1573
Class: Information Leak
Versions: 2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Fixed In: 4.0.15, 4.2.11, 4.4.6, 4.5.6
Description: If a new comment was marked private to the insider group, and a flag was set in the same transaction, the comment would be visible to flag recipients even if they were not in the insider group.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1064140
CVE Number: CVE-2014-1571
Class: Social Engineering
Versions: 2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Fixed In: 4.0.15, 4.2.11, 4.4.6, 4.5.6
Description: Search results can be exported as a CSV file which can then be
imported into external spreadsheet programs. Specially formatted
field values can be interpreted as formulas which can be executed
and used to attack a user's computer.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1054702
6 years
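The "Social Engineering" entry above describes CSV formula injection: a field value beginning with a character such as `=` is evaluated by spreadsheet programs when the exported file is opened. The script below is an added example, not Bugzilla's own CSV export code; it shows one common mitigation, prefixing such cells with a single quote so they are read as text, alongside RFC 4180 quoting. The sample rows and the helper names csv_quote, neutralise_formula and csv_row are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla code): neutralising formula-like cells before
# writing search results out as CSV.
use strict;
use warnings;

# Quote one field per RFC 4180: double embedded quotes and wrap the field in
# quotes when it contains a quote, a comma or a line break.
sub csv_quote {
    my ($field) = @_;
    if ($field =~ /[",\r\n]/) {
        $field =~ s/"/""/g;
        return qq("$field");
    }
    return $field;
}

# A field beginning with '=', '+', '-' or '@' is treated as a formula by common
# spreadsheet programs. A leading single quote forces text interpretation.
# Tab and carriage return are included because some programs strip leading
# whitespace before looking for the formula character.
sub neutralise_formula {
    my ($field) = @_;
    return "'$field" if $field =~ /^[=+\-@\t\r]/;
    return $field;
}

# Neutralise first, then quote, so the added apostrophe is inside the quotes.
sub csv_row {
    my @cells = @_;
    return join(',', map { csv_quote(neutralise_formula($_)) } @cells) . "\r\n";
}

# Constructed sample: three bug summaries as they might appear in search results.
my @rows = (
    [ 1234, 'Crash on startup',                  'NEW'      ],
    [ 1235, '=1+1',                              'ASSIGNED' ],
    [ 1236, '+1 for this feature, "please"',     'NEW'      ],
    [ 1237, '-x is interpreted as a formula too', 'NEW'      ],
);

print csv_row('id', 'summary', 'status');
print csv_row(@$_) for @rows;
```

The trade-off of the apostrophe approach is that some spreadsheet programs display the added quote as part of the cell text, so legitimate values such as a summary starting with "+1" look slightly altered; the alternative of rejecting such values on input is usually worse for a bug tracker, where the text is arbitrary user data.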
[Bug 1438957] New: icons are missing on bugzilla's front page
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1438957
Bug ID: 1438957
Summary: icons are missing on bugzilla's front page
Product: Fedora
Version: 25
Component: bugzilla
Assignee: itamar(a)ispbrasil.com.br
Reporter: emmanuel(a)seyman.fr
QA Contact: extras-qa(a)fedoraproject.org
CC: adrian(a)lisas.de, bazanluis20(a)gmail.com, dwt(a)poltec.com, emmanuel(a)seyman.fr, extras-qa(a)fedoraproject.org, hughbragg(a)tpg.com.au, itamar(a)ispbrasil.com.br, perl-devel(a)lists.fedoraproject.org
Depends On: 1403588
--- Additional comment from Dennis W. Tokarski on 2016-12-21 18:32:34 EST ---
And by the way, once you get the home page to render, the large
icons for bug/search/usr/docs are missing.
The client is trying to fetch e.g. /skins/standard/index/search.png and getting
a 404. It should be trying for /bugzilla/skins....
Temporary fix is to edit bugzilla.conf again and at the top add
Alias /skins /usr/share/bugzilla/skins
Looks like a bug in the cgi script for the home page.
Sorry for not filing this separately, emmanuel, but since you're on this
anyway...
Hope this helps.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1403588
[Bug 1403588] /usr/share/bugzilla/assets/.htaccess: Require not allowed here
6 years
[Bug 1347302] New: Please build perl-Crypt-SMIME for EPEL 7
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1347302
Bug ID: 1347302
Summary: Please build perl-Crypt-SMIME for EPEL 7
Product: Fedora EPEL
Version: epel7
Component: perl-Crypt-SMIME
Assignee: steve.traylen(a)cern.ch
Reporter: xavier(a)bachelot.org
QA Contact: extras-qa(a)fedoraproject.org
CC: perl-devel(a)lists.fedoraproject.org, steve.traylen(a)cern.ch
Hi,
I would need perl-Crypt-SMIME in EPEL 7 for another package.
Could you please branch and build?
I can (co-)maintain the branch if you wish.
Regards,
Xavier
6 years, 1 month
[Bug 1331520] New: Please update perl-Crypt-SMIME to at least 0.15 in EPEL 6
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1331520
Bug ID: 1331520
Summary: Please update perl-Crypt-SMIME to at least 0.15 in EPEL 6
Product: Fedora EPEL
Version: el6
Component: perl-Crypt-SMIME
Assignee: steve.traylen(a)cern.ch
Reporter: xavier(a)bachelot.org
QA Contact: extras-qa(a)fedoraproject.org
CC: perl-devel(a)lists.fedoraproject.org, steve.traylen(a)cern.ch
Hi,
I'd like perl-Crypt-SMIME to be updated to at least version 0.15 in EPEL 6 in
order to build another package.
Thanks and regards,
Xavier
6 years, 1 month
[Bug 1380983] New: Package metadata for perl-Gtk2-Unique lists the wrong URL.
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1380983
Bug ID: 1380983
Summary: Package metadata for perl-Gtk2-Unique lists the wrong URL.
Product: Fedora
Version: rawhide
Component: perl-Gtk2-Unique
Assignee: liangsuilong(a)gmail.com
Reporter: andrew(a)tosk.in
QA Contact: extras-qa(a)fedoraproject.org
CC: liangsuilong(a)gmail.com, perl-devel(a)lists.fedoraproject.org
Hello, liangsuilong,
This is a fairly minor problem, but the package metadata for perl-Gtk2-Unique
is out-of-date. It currently lists the project's URL as
https://live.gnome.org/LibUnique.
but GNOME no longer uses the "live" subdomain; requests now get redirected to
the wiki. The newer equivalent URL is
https://wiki.gnome.org/Attic/LibUnique
...but that page says libunique is deprecated and offers a link to the
GtkApplication porting guide.
(I'm filing this same bug report for multiple packages, so I apologize if you
see this issue twice.)
6 years, 1 month