Bug#: 220799
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Christian Hoffmann <hoffie@gentoo.org>

Description:   Opened: 2008-05-07 18:38 0000
See $URL
<3.1.4 (we do not seem to ship 3.1.x): Unauthorized Bug Change
<2.20.6, <2.22.4, <3.0.4, <3.1.4: XSS
<3.0.4, <3.1.4: Account Impersonation

Requesting CVEs.

------- Comment #1 From Christian Hoffmann 2008-05-07 20:14:12 0000 -------
Unauthorized Bug Change: CVE-2008-2104
XSS: CVE-2008-2103
Account Impersonation: CVE-2008-2105 (according to Steve's interpretation, only
2.23.x < 3.x is affected, so we do not even ship a version which is affected by
this).

------- Comment #2 From Gunnar Wrobel 2008-05-17 07:30:35 0000 -------
The new versions are in the tree.

Targets:

 - 2.20.6: alpha amd64 ia64 ppc ppc64 sparc x86
 - 2.22.4: ia64 ppc ppc64 sparc x86
 - 3.0.4:  alpha amd64 ia64 ppc ppc64 sparc x86

------- Comment #3 From Markus Rothe 2008-05-18 14:38:56 0000 -------
ppc64 stable

------- Comment #4 From Markus Meier 2008-05-18 16:25:27 0000 -------
amd64/x86 stable

------- Comment #5 From Raúl Porcel 2008-05-20 14:26:57 0000 -------
alpha/ia64/sparc stable

------- Comment #6 From Tobias Scherbaum 2008-05-20 16:37:36 0000 -------
ppc stable

------- Comment #7 From Peter Volkov 2008-05-21 09:45:27 0000 -------
Fixed in release snapshot.

------- Comment #8 From Gunnar Wrobel 2008-06-01 14:28:14 0000 -------
Removed vulnerable versions. webapps done.

------- Comment #9 From Pierre-Yves Rofes 2008-06-01 17:50:57 0000 -------
Time for glsa vote here.
I vote NO.

------- Comment #10 From Tobias Heinlein 2008-06-01 20:56:13 0000 -------
NO, too, and closing.
