https://bugzilla.redhat.com/show_bug.cgi?id=1262404
Bug ID: 1262404
Summary: CVE-2015-4499 bugzilla: Email address is not properly validated during registration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bazanluis20(a)gmail.com, emmanuel(a)seyman.fr,
itamar(a)ispbrasil.com.br,
perl-devel(a)lists.fedoraproject.org,
xavier(a)bachelot.org
As announced in
http://seclists.org/bugtraq/2015/Sep/48 :
Login names (usually an email address) longer than 127 characters are silently
truncated in MySQL, which could cause the domain name of the email address to be
corrupted. An attacker could use this vulnerability to create an account with
an email address different from the one originally requested. The login name
could then be automatically added to groups based on the group's regular
expression setting.
Upstream patches:
Fix for 4.2:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=10b1fef
Fix for 4.4:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=be1be8c
Fix for 5.0:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=69386c5
Fix on master branch:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=9d64d15
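
A length check of the kind the description above calls for, as an added example: this is not the upstream patch or Bugzilla code. The group name, the regular expression, the .example domains and all function names are constructed for illustration, and the 127 limit is assumed to count characters.

```python
import re

MAX_LOGIN_LEN = 127  # limit named in the advisory; assumed to count characters

class LoginTooLong(ValueError):
    """Raised instead of letting the database shorten the value."""

def validate_login(login, width=MAX_LOGIN_LEN):
    # Reject over-length input before it reaches the INSERT, so the stored
    # login is always exactly the one that was requested.
    if len(login) > width:
        raise LoginTooLong(f"login name is {len(login)} characters, limit is {width}")
    return login

def stored_form(login, width=MAX_LOGIN_LEN):
    # Models a column that silently keeps only the first `width` characters.
    return login[:width]

def groups_for(login, group_regexps):
    # Regex-based group membership, modelled on the group setting the advisory mentions.
    return sorted(g for g, rx in group_regexps.items() if re.search(rx, login, re.I))

def groups_gained_by_truncation(login, group_regexps, width=MAX_LOGIN_LEN):
    # Audit helper: groups the stored value matches that the requested one does not.
    requested = set(groups_for(login, group_regexps))
    stored = set(groups_for(stored_form(login, width), group_regexps))
    return sorted(stored - requested)

# Constructed sample data (reserved .example domains, hypothetical group name).
GROUPS = {"staff": r"@corp\.example$"}
SAMPLE = "a" * 114 + "@corp.example" + ".other.example"  # 141 characters

if __name__ == "__main__":
    print("requested groups:", groups_for(SAMPLE, GROUPS))
    print("groups after truncation:", groups_gained_by_truncation(SAMPLE, GROUPS))
    try:
        validate_login(SAMPLE)
    except LoginTooLong as err:
        print("rejected:", err)
```

Running groups_gained_by_truncation over existing login names with the site's real group expressions is a quick way to check whether any stored account sits exactly at the column limit and matches a group.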