Bug 220799 - www-apps/bugzilla <2.20.6, 2.22.4, 3.0.4: multiple vulnerabilities (CVE-2008-{2103,2104,2105})
Bug#: 220799 (CVE-2008-2103)
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: hoffie@gentoo.org
Component: Vulnerabilities
URL: http://www.bugzilla.org/security/2.20.5/
Summary: www-apps/bugzilla <2.20.6, 2.22.4, 3.0.4: multiple vulnerabilities (CVE-2008-{2103,2104,2105})
Keywords:
Status Whiteboard: B4 [noglsa]
Opened: 2008-05-07 18:38 0000

See $URL
<3.1.4 (we do not seem to ship 3.1.x): Unauthorized Bug Change
<2.20.6, <2.22.4, <3.0.4, <3.1.4: XSS
<3.0.4, <3.1.4: Account Impersonation
Requesting CVEs.
Unauthorized Bug Change: CVE-2008-2104
XSS: CVE-2008-2103
Account Impersonation: CVE-2008-2105 (according to Steve's interpretation, only
2.23.x < 3.x is affected, so we do not even ship a version which is affected by
this).
The new versions are in the tree.
Targets:
- 2.20.6: alpha amd64 ia64 ppc ppc64 sparc x86
- 2.22.4: ia64 ppc ppc64 sparc x86
- 3.0.4: alpha amd64 ia64 ppc ppc64 sparc x86
Fixed in release snapshot.
Removed vulnerable versions. webapps done.
Time for glsa vote here.
I vote NO.