Bug 284824 (CVE-2009-3125) - <www-apps/bugzilla-{3.0.9, 3.4.2} Multiple vulnerabilities (CVE-2009-{3125,3165,3166})
Status: RESOLVED FIXED
Alias: CVE-2009-3125
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/3.0.8/
Whiteboard: B3 [glsa]
Depends on: 283947 284059 284064 284166
Reported: 2009-09-13 21:33 UTC by Christian Ruppert (idl0r)
Modified: 2010-06-04 05:17 UTC

Description Christian Ruppert (idl0r) gentoo-dev 2009-09-13 21:33:57 UTC
Please bump bugzilla to 3.4.2 and 3.0.9.
Reasons are CVE-2009-3125, CVE-2009-3165 and CVE-2009-3166.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-24 15:17:55 UTC
CVE-2009-3125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3125):
  SQL injection vulnerability in the Bug.search WebService function in
  Bugzilla 3.3.2 through 3.4.1, and 3.5, allows remote attackers to
  execute arbitrary SQL commands via unspecified parameters.

CVE-2009-3165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3165):
  SQL injection vulnerability in the Bug.create WebService function in
  Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through
  3.4.1 allows remote attackers to execute arbitrary SQL commands via
  unspecified parameters.

CVE-2009-3166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3166):
  token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL
  at the beginning of a login session that occurs immediately after a
  password reset, which allows context-dependent attackers to discover
  passwords by reading (1) web-server access logs, (2) web-server
  Referer logs, or (3) the browser history.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 15:13:18 UTC
*ping*
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-11-06 16:11:10 UTC
Bumped now since webapps hasn't.

You didn't ask for 3.2.5, but 3.2.4 was vulnerable as well, so I bumped that too.

Minimal keywording targets:
3.0.x: 3.0.10: alpha amd64 ia64 ppc ppc64 sparc x86
3.2.x: 3.2.5: alpha amd64 ia64 ppc sparc x86
3.4.x: 3.4.3: (none previously stable)

Should be good to ask for 3.4.x to be stabilized anyway; it's had ~60 days in testing for all arches except ppc64 (bug 284166).
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-12-11 13:30:14 UTC
Arches, please test and mark stable:
=www-apps/bugzilla-3.2.5
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-12-11 14:39:27 UTC
ppc64 done
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2009-12-13 15:45:52 UTC
Stable on alpha.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-14 08:21:50 UTC
x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-12-26 11:32:53 UTC
ia64/sparc stable
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2009-12-27 09:40:20 UTC
Marked ppc stable.
Comment 10 Markus Meier gentoo-dev 2009-12-31 18:14:20 UTC
amd64 stable, all arches done.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-31 07:35:00 UTC
GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:17:36 UTC
GLSA 201006-19