Bug 344081 (CVE-2010-3172) - <www-apps/bugzilla-3.2.9: Multiple Vulnerabilities (CVE-2010-{3172,3764})
Summary: <www-apps/bugzilla-3.2.9: Multiple Vulnerabilities (CVE-2010-{3172,3764})
Status: RESOLVED FIXED
Alias: CVE-2010-3172
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/3.2.8/
Whiteboard: B4 [noglsa]
Reported: 2010-11-04 09:54 UTC by Tim Sammut (RETIRED)
Modified: 2010-11-26 01:22 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-04 09:54:45 UTC
From $URL:

Vulnerability Details
=====================

Class:       HTTP Response Splitting
Versions:    Every Version Before 3.2.9, 3.4.9, 3.6.3, 4.0rc1
Fixed In:    3.2.9, 3.4.9, 3.6.3, 4.0rc1
Description: By inserting a certain string into a URL, it was possible
             to inject both headers and content to any browser that
             supported "Server Push" (mostly only Gecko-based browsers
             like Firefox). This could lead to Cross-Site Scripting
             vulnerabilities, and possibly other more dangerous
             security issues as well.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=600464
             http://cwe.mitre.org/data/definitions/113.html
CVE Number:  CVE-2010-3172

Class:       Information Leak
Versions:    2.12 to 3.2.8, 3.4.8, 3.6.2, 3.7.3, 4.1
Fixed In:    3.2.9, 3.4.9, 3.6.3, 4.0rc1
Description: The Old Charts system generated graphs with
             predictable names into the "graphs/" directory,
             which also could be browsed to see its contents.
             This allowed unauthorized users to see product names
             and charted information about those products over time.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=419014
CVE Number:  CVE-2010-3764

Class:       Cross-Site Scripting
Versions:    3.7.1 to 3.7.3, 4.1
Fixed In:    4.0rc1
Description: YUI 2.8.1 was vulnerable to a Cross-Site Scripting
             vulnerability in certain .swf files. The YUI shipped
             with Bugzilla has been updated to 2.8.2.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=606618
             http://secunia.com/advisories/41955
             http://yuilibrary.com/support/2.8.2/
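The response-splitting entry above is the pattern catalogued as CWE-113: a request-derived value reaches a response header without CR/LF being rejected. As an added, defender-side illustration (not Bugzilla's own code), the Python below shows the check that must guard such a value and applies it to a few constructed request-log lines to flag attempts; the script names and parameter names in the samples are assumed, not taken from this bug.

```python
"""CWE-113 (HTTP response splitting) checks.

Added example, not Bugzilla code.
  * header_value_is_safe(): the check an application must apply before
    echoing any request-derived value into a response header.
  * find_crlf_in_requests(): scans request lines for query parameters
    that decode to a CR or LF, the tell-tale of a splitting attempt.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# A CR or LF inside a header value terminates the header it sits in and
# lets whatever follows be read as further headers or as the body.
_CRLF = re.compile(r"[\r\n]")


def header_value_is_safe(value: str) -> bool:
    """True if value holds no CR/LF, before or after one round of %-decoding.

    The second check catches values that were percent-encoded twice and
    would only turn into CR/LF once the application decodes them again.
    """
    return not (_CRLF.search(value) or _CRLF.search(unquote(value)))


def find_crlf_in_requests(request_lines):
    """Return (line_no, param_name) pairs whose query value decodes to CR/LF.

    request_lines: iterable of 'METHOD /path?query HTTP/1.x' strings.
    parse_qsl() already applies one round of %-decoding, so the regex in
    header_value_is_safe() sees the raw control characters.
    """
    hits = []
    for n, line in enumerate(request_lines, 1):
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        query = urlsplit(parts[1]).query
        for key, val in parse_qsl(query, keep_blank_values=True):
            if not header_value_is_safe(val):
                hits.append((n, key))
    return hits


# Constructed sample request lines (assumed script and parameter names;
# not taken from any real log). Only line 2 carries an encoded CR/LF.
SAMPLE_REQUESTS = [
    "GET /buglist.cgi?bug_id=123&ctype=csv HTTP/1.1",
    "GET /show_bug.cgi?id=456&format=%0d%0aX-Injected:%201 HTTP/1.1",
    "GET /index.cgi?lang=en HTTP/1.1",
]
```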
Comment 1 Alex Brandt (RETIRED) gentoo-dev 2010-11-09 15:44:19 UTC
Does this vulnerability require a new ebuild for 3.2.9?  Is there a bug for a new ebuild for this version of bugzilla already?
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2010-11-15 18:49:00 UTC
ebuilds are in the tree.

3.2.9 should be stabilized.
3.2.9: alpha amd64 ia64 ppc ppc64 sparc x86
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-11-15 18:56:33 UTC
(In reply to comment #2)
> ebuilds are in the tree.
> 
> 3.2.9 should be stabilized.
> 3.2.9: alpha amd64 ia64 ppc ppc64 sparc x86
> 

Thank you.

Arches, please test and mark stable:
=www-apps/bugzilla-3.2.9
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"


Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-16 13:10:49 UTC
x86 stable
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-11-17 21:46:14 UTC
amd64 done
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-11-20 12:15:22 UTC
alpha/ia64/sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-11-24 20:29:23 UTC
ppc done
Comment 8 Brent Baude (RETIRED) gentoo-dev 2010-11-25 01:01:34 UTC
ppc64 done
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2010-11-25 01:04:29 UTC
GLSA Vote: no.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-26 01:22:00 UTC
No, too. Closing noglsa.