CVE-2008-6098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6098): Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve."
CVE-2009-0481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0481): Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers.
CVE-2009-0482 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0482): Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi.
CVE-2009-0483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0483): Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi.
CVE-2009-0484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0484): Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete shared or saved searches via a link or IMG tag to buglist.cgi.
CVE-2009-0485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0485): Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi.
CVE-2009-0486 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0486): Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.
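The CSRF entries above (CVE-2009-0482 through CVE-2009-0485) describe state-changing CGIs reachable from a plain link or IMG tag, i.e. with no request token at all, and CVE-2009-0486 describes the opposite failure: a token exists but is drawn from a PRNG seeded once in the parent before Apache forks its children, so every child produces the same sequence. The following Python is an added illustration and not Bugzilla code: the first part models the pre-fork seeding problem (a `fork()` copies the whole address space, including PRNG state, which is modelled here with `copy.deepcopy`) next to the fix of drawing tokens from the OS CSPRNG per request; the second part shows a session-bound token issued and checked on a mock `process_bug`-style handler. `SERVER_SECRET`, the session ids and the handler are constructed for the example.

```python
import copy
import hashlib
import hmac
import random
import secrets

# --- Part 1: a PRNG seeded once before fork() gives every child the same tokens ---

def seeded_parent_prng(seed: int = 1234) -> random.Random:
    """Model of a server that calls srand()/seed() once at startup, before forking."""
    rng = random.Random()
    rng.seed(seed)
    return rng

def fork_children(parent_rng: random.Random, n: int) -> list:
    """fork() duplicates process memory, so each child inherits the parent's PRNG
    state verbatim; deepcopy stands in for that memory copy here."""
    return [copy.deepcopy(parent_rng) for _ in range(n)]

def weak_token(rng: random.Random) -> str:
    """64-bit token taken from a deterministic PRNG (the vulnerable pattern)."""
    return "%016x" % rng.getrandbits(64)

def tokens_from_shared_seed(seed: int = 1234, n: int = 4) -> list:
    """First token each of n children would hand out: all identical."""
    return [weak_token(child) for child in fork_children(seeded_parent_prng(seed), n)]

def tokens_from_os_csprng(n: int = 4) -> list:
    """Fix: draw from the kernel CSPRNG at use time; inherited state is irrelevant."""
    return [secrets.token_hex(8) for _ in range(n)]

# --- Part 2: bind a CSRF token to the session and require it on state changes ---

SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real deployment keeps a persistent per-installation secret

def issue_csrf_token(session_id: str, nonce: bytes = None) -> str:
    """Token = random nonce || HMAC(secret, nonce || session_id), hex encoded."""
    nonce = nonce or secrets.token_bytes(16)
    mac = hmac.new(SERVER_SECRET, nonce + session_id.encode(), hashlib.sha256).digest()
    return nonce.hex() + ":" + mac.hex()

def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or ":" not in token:
        return False
    nonce_hex, mac_hex = token.split(":", 1)
    try:
        nonce = bytes.fromhex(nonce_hex)
        mac = bytes.fromhex(mac_hex)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, nonce + session_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def handle_process_bug(session_id: str, form: dict) -> int:
    """Mock of a state-changing CGI: a request arriving via a bare link or IMG tag
    carries no token and is refused with 403; a valid token is required for 200."""
    if not verify_csrf_token(session_id, form.get("token")):
        return 403
    return 200

if __name__ == "__main__":
    print("shared-seed children:", tokens_from_shared_seed())
    print("CSPRNG per request:  ", tokens_from_os_csprng())
    tok = issue_csrf_token("sess-a")
    print("no token ->", handle_process_bug("sess-a", {}))
    print("valid token ->", handle_process_bug("sess-a", {"token": tok}))
    print("token from another session ->", handle_process_bug("sess-b", {"token": tok}))
```

The point of the two halves together: a CSRF defence needs both a check on every state-changing endpoint and a token an attacker cannot predict, and the token must also be tied to the victim's session so that one obtained under the attacker's own login does not pass for anyone else.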
uh, dup of #257923
*** Bug 234325 has been marked as a duplicate of this bug. ***
Definitely dupe. *** This bug has been marked as a duplicate of bug 257923 ***
Please add the CVE references to the title of the other bug when marking as a dupe.
Revisiting this bug, it is not a duplicate of bug 257923. Only CVE-2009-0486 is a duplicate of that bug, so we might as well mark that as a duplicate of this bug.
*** Bug 257923 has been marked as a duplicate of this bug. ***
Since all previous versions in the tree (2.20.6 up to 3.2) are vulnerable, can we stable 3.2.3?
OK guys, I just did this: +files/3.4/bugzilla.cron.daily, +bugzilla-2.22.7.ebuild, -bugzilla-3.2.ebuild, +files/3.4/bugzilla.cron.tab, +bugzilla-3.0.8.ebuild, -bugzilla-3.2.3.ebuild, +files/3.4/postinstall-en.txt, +bugzilla-3.2.4.ebuild, +files/3.4/reconfig, +bugzilla-3.4.1.ebuild. I would suggest to stable 3.0.8, 2.22.7 and 3.2.4. Kill all remains of 2.20. But I am not maintainer and I just synced the ebuilds to correspond a bit to what upstream has as deps on the website and so on. Anyway, apparently web-apps are busy, so you will have to decide yourself. Also it seems that upstream backports stuff to only the latest 2 series, so 3.2 and 3.4.
Arches, please test and mark stable: =www-apps/bugzilla-2.22.7 =www-apps/bugzilla-3.0.8 =www-apps/bugzilla-3.2.4 Target keywords: "alpha amd64 ia64 ppc ppc64 sparc x86"
Stable on alpha, took dev-perl/Email-MIME-Encodings-1.313 along for the ride.
x86 stable
Finally some action here :-) I suggest upgrading to at least 3.2.5, which fixes an SQL injection. Just tested this with bugzilla-3.2.4.ebuild, as the official release notes do not state any system requirement changes for it. So a trivial version number increase for all devs. Already rolled it out as production release for our company. In consequence somebody should change the summary and close bugs #258738, #264572, #239564 and probably #284824. The latter refers foremost to bugzilla-3.4.2 and 3.0.9 fixing two SQL injections. Dependencies have not changed either since bugzilla-3.4.1-r1. I have not tested this one, but if the current testing version within portage works, fixing the version number like for 3.2.4/5 in the ebuilds should do the trick as well. I would suggest getting rid of all insecure versions (<=3.0.8, <=3.2.4 and <=3.4.1-r1) as soon as possible and focusing on stabilizing 3.4 within the next one or two months.
amd64 stable
ia64/sparc stable
ppc stable
ppc64 done
We have an open Bugzilla GLSA draft, these issues could be added.
GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.
GLSA 201006-19