Bug 220799 (CVE-2008-2103) - www-apps/bugzilla <2.20.6, 2.22.4, 3.0.4: multiple vulnerabilities (CVE-2008-{2103,2104,2105})
Status: RESOLVED FIXED
Alias: CVE-2008-2103
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/2.20.5/
Whiteboard: B4 [noglsa]
Reported: 2008-05-07 18:38 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-06-01 20:56 UTC
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-05-07 18:38:19 UTC
See $URL
<3.1.4 (we do not seem to ship 3.1.x): Unauthorized Bug Change
<2.20.6, <2.22.4, <3.0.4, <3.1.4: XSS
<3.0.4, <3.1.4: Account Impersonation

Requesting CVEs.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-07 20:14:12 UTC
Unauthorized Bug Change: CVE-2008-2104
XSS: CVE-2008-2103
Account Impersonation: CVE-2008-2105 (according to Steve's interpretation, only 2.23.x < 3.x is affected, so we do not even ship a version which is affected by this).
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-05-17 07:30:35 UTC
The new versions are in the tree.

Targets:

 - 2.20.6: alpha amd64 ia64 ppc ppc64 sparc x86
 - 2.22.4: ia64 ppc ppc64 sparc x86
 - 3.0.4:  alpha amd64 ia64 ppc ppc64 sparc x86
Comment 3 Markus Rothe (RETIRED) gentoo-dev 2008-05-18 14:38:56 UTC
ppc64 stable
Comment 4 Markus Meier gentoo-dev 2008-05-18 16:25:27 UTC
amd64/x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2008-05-20 14:26:57 UTC
alpha/ia64/sparc stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-20 16:37:36 UTC
ppc stable
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-05-21 09:45:27 UTC
Fixed in release snapshot.
Comment 8 Gunnar Wrobel (RETIRED) gentoo-dev 2008-06-01 14:28:14 UTC
Removed vulnerable versions. webapps done.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-01 17:50:57 UTC
Time for glsa vote here.
I vote NO.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-06-01 20:56:13 UTC
NO, too, and closing.