https://bugzilla.redhat.com/show_bug.cgi?id=1262404
Bug ID: 1262404
Summary: CVE-2015-4499 bugzilla: Email address is not properly validated during registration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: bazanluis20@gmail.com, emmanuel@seyman.fr, itamar@ispbrasil.com.br, perl-devel@lists.fedoraproject.org, xavier@bachelot.org

As announced in http://seclists.org/bugtraq/2015/Sep/48:
Login names (usually an email address) longer than 127 characters are silently truncated in MySQL which could cause the domain name of the email address to be corrupted. An attacker could use this vulnerability to create an account with an email address different from the one originally requested. The login name could then be automatically added to groups based on the group's regular expression setting.
Upstream patches:
Fix for 4.2: https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=10b1fef
Fix for 4.4: https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=be1be8c
Fix for 5.0: https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=69386c5
Fix on master branch: https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=9d64d15
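The failure mode described above, as an added example that is not part of this bug report or of Bugzilla's own code: a model of MySQL's non-strict silent truncation shows how a login name longer than the 127-character column loses the tail of its domain, and a registration-time length check (the defensive pattern, written here as an assumption about the fix rather than a copy of the upstream patch) refuses any value the column cannot hold unchanged. The 127-character limit comes from the report; the sample login and the group regular expression are constructed.

```python
"""Added example, not Bugzilla's own code.

Shows why silent truncation of a login name corrupts the e-mail domain and
the length check that prevents it.  Assumptions: the login column holds at
most 127 characters (the limit named in the bug report) and MySQL in
non-strict mode stores longer values truncated without raising an error.
"""
import re

LOGIN_MAX_LEN = 127  # column width from the report

# Constructed sample: 118-character local part plus "@example.org" = 130 chars.
REQUESTED_LOGIN = "x" * 118 + "@example.org"


def mysql_truncate(value: str, width: int = LOGIN_MAX_LEN) -> str:
    """Model non-strict MySQL behaviour: only the first `width` chars are stored."""
    return value[:width]


def domain_of(login: str) -> str:
    """Return the part after the last '@', or '' if there is no '@'."""
    return login.rsplit("@", 1)[1] if "@" in login else ""


def stored_domain_matches(requested: str) -> bool:
    """True when the domain that ends up in the database equals the one requested."""
    return domain_of(mysql_truncate(requested)) == domain_of(requested)


def validate_login_name(login: str) -> str:
    """Registration check: reject a login the column cannot hold unchanged.

    Validating length before the INSERT guarantees that the stored value is
    the value the user asked for, so no later check (group regexps, mail
    delivery) operates on a different address.
    """
    if len(login) > LOGIN_MAX_LEN:
        raise ValueError(
            f"login name exceeds {LOGIN_MAX_LEN} characters; "
            "refusing to store a truncated value"
        )
    # Minimal shape check; a real validator would be stricter.
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", login):
        raise ValueError("login name is not a plausible e-mail address")
    return login


def group_regexp_matches(pattern: str, login: str) -> bool:
    """Automatic group membership: the login is tested against the group's regexp."""
    return re.search(pattern, login) is not None


def registration_report(login: str) -> dict:
    """Summarise what would happen without and with the length check."""
    stored = mysql_truncate(login)
    try:
        validate_login_name(login)
        accepted = True
    except ValueError:
        accepted = False
    return {
        "requested_domain": domain_of(login),
        "stored_domain_without_check": domain_of(stored),
        "domain_preserved": stored_domain_matches(login),
        "accepted_with_check": accepted,
    }


if __name__ == "__main__":
    for key, value in registration_report(REQUESTED_LOGIN).items():
        print(f"{key}: {value}")
```

Running the block prints that the requested domain is `example.org`, the domain actually stored without the check is `example.` (the column cut the value at 127 characters), and the length-checked registration rejects the login outright.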
Adam Mariš amaris@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1262405
Depends On |        |1262406
Depends On |        |1262407
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created bugzilla tracking bugs for this issue:
Affects: fedora-all [bug 1262405]
Affects: epel-5 [bug 1262406]
Affects: epel-6 [bug 1262407]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1262405
[Bug 1262405] CVE-2015-4499 bugzilla: Email address is not properly validated during registration [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1262406
[Bug 1262406] CVE-2015-4499 bugzilla: Email address is not properly validated during registration [epel-5]
https://bugzilla.redhat.com/show_bug.cgi?id=1262407
[Bug 1262407] CVE-2015-4499 bugzilla: Email address is not properly validated during registration [epel-6]
--- Comment #2 from Fedora Update System updates@fedoraproject.org ---
bugzilla-4.4.10-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Bug 1262404 depends on bug 1262405, which changed state.
Bug 1262405 Summary: CVE-2015-4499 bugzilla: Email address is not properly validated during registration [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1262405
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
--- Comment #3 from Fedora Update System updates@fedoraproject.org ---
bugzilla-4.4.10-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

--- Comment #4 from Fedora Update System updates@fedoraproject.org ---
bugzilla-4.4.10-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Bug 1262404 depends on bug 1262406, which changed state.
Bug 1262406 Summary: CVE-2015-4499 bugzilla: Email address is not properly validated during registration [epel-5] https://bugzilla.redhat.com/show_bug.cgi?id=1262406
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |EOL

Bug 1262404 depends on bug 1262407, which changed state.
Bug 1262407 Summary: CVE-2015-4499 bugzilla: Email address is not properly validated during registration [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1262407
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |WONTFIX