[Bug 1262404] New: CVE-2015-4499 bugzilla: Email address is not properly validated during registration
bugzilla at redhat.com
Fri Sep 11 14:41:08 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1262404
Bug ID: 1262404
Summary: CVE-2015-4499 bugzilla: Email address is not properly
validated during registration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team at redhat.com
Reporter: amaris at redhat.com
CC: bazanluis20 at gmail.com, emmanuel at seyman.fr,
itamar at ispbrasil.com.br,
perl-devel at lists.fedoraproject.org,
xavier at bachelot.org
As announced in http://seclists.org/bugtraq/2015/Sep/48 :
Login names (usually an email address) longer than 127 characters are silently
truncated in MySQL which could cause the domain name of the email address to be
corrupted. An attacker could use this vulnerability to create an account with
an email address different from the one originally requested. The login name
could then be automatically added to groups based on the group's regular
expression setting.
Upstream patches:
Fix for 4.2:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=10b1fef
Fix for 4.4:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=be1be8c
Fix for 5.0:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=69386c5
Fix on master branch:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=9d64d15
--
You are receiving this mail because:
You are on the CC list for the bug.
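Added example (not part of the original mail, and not Bugzilla's own code): a minimal Python model of the mismatch described in the report, where a login name is checked at full length but stored after a silent cut to 127 characters, next to a validator that rejects any value the column cannot hold unchanged. The group name, the regular expression, the example domains and all function names are assumptions made for illustration.

```python
import re

LOGIN_MAX = 127  # length limit stated in the advisory


def stored_login(login, width=LOGIN_MAX):
    """Model of the silent truncation: the value is cut, no error is raised."""
    return login[:width]


def validate_login(login, width=LOGIN_MAX):
    """Hardened check: refuse anything that would not be stored unchanged."""
    if len(login) > width:
        raise ValueError("login name exceeds %d characters" % width)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", login):
        raise ValueError("login name is not a plausible email address")
    return login


def auto_groups(login, group_regexes):
    """Names of the groups whose regular expression matches the login name."""
    return sorted(g for g, rx in group_regexes.items() if re.search(rx, login))


# Constructed sample data (hypothetical group and domains).
GROUP_REGEXES = {"staff": r"@corp\.example$"}
_SUFFIX = "@corp.example"
REQUESTED = "a" * (LOGIN_MAX - len(_SUFFIX)) + _SUFFIX + ".registrant.example"


def demo():
    """Return (stored value, groups before storage, groups after, rejected?)."""
    stored = stored_login(REQUESTED)
    before = auto_groups(REQUESTED, GROUP_REGEXES)   # value that was validated
    after = auto_groups(stored, GROUP_REGEXES)       # value that was persisted
    try:
        validate_login(REQUESTED)
        rejected = False
    except ValueError:
        rejected = True
    return stored, before, after, rejected


if __name__ == "__main__":
    stored, before, after, rejected = demo()
    print("requested length:", len(REQUESTED), "stored length:", len(stored))
    print("groups for requested value:", before)
    print("groups for stored value:", after)
    print("rejected by length check:", rejected)
```

The length check has to run on the exact string that will be written to the database, before any group regular expression is evaluated against it.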