Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 303725 (CVE-2009-3387) - <www-apps/bugzilla-{3.0.11, 3.2.6, 3.4.5} Multiple vulnerabilites (CVE-2009-{3387,3989})
Summary: <www-apps/bugzilla-{3.0.11, 3.2.6, 3.4.5} Multiple vulnerabilites (CVE-2009-{...
Status: RESOLVED FIXED
Alias: CVE-2009-3387
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks: 303437
  Show dependency tree
 
Reported: 2010-02-06 14:43 UTC by Stefan Behte (RETIRED)
Modified: 2010-06-04 05:17 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 14:43:31 UTC 
CVE-2009-3387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3387):
  Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group
  restrictions to be preserved throughout the process of moving a bug
  to a different product category, which allows remote attackers to
  obtain sensitive information via a request for a bug in opportunistic
  circumstances.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:41:28 UTC 
CVE-2009-3989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3989):
  Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and
  3.5.x before 3.5.3 does not block access to files and directories
  that are used by custom installations, which allows remote attackers
  to obtain sensitive information via requests for (1) CVS/, (2)
  contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt.
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2010-02-18 08:08:30 UTC 
Bumped ebuilds are in the tree now.

Minimal keywording targets:
3.0.x: 3.0.11: alpha amd64 ia64 ppc ppc64 sparc x86
3.2.x: 3.2.6:  alpha amd64 ia64 ppc ppc64 sparc x86
3.4.x: 3.4.5: (none previously stable)
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-21 22:16:34 UTC 
x86 stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2010-02-23 15:41:33 UTC 
ppc64 done
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-02-25 19:56:51 UTC 
alpha/ia64/sparc stable
Comment 6 Markus Meier gentoo-dev 2010-03-08 19:48:05 UTC 
amd64 stable
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 22:03:53 UTC 
Marked ppc stable.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-31 07:35:08 UTC 
GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:17:41 UTC 
GLSA 201006-19