Bug 92376 - www-apps/bugzilla Information disclosure
Summary: www-apps/bugzilla Information disclosure
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/2.16.8/
Whiteboard: B4 [noglsa] vorlon
Keywords:
Depends on:
Blocks:
Reported: 2005-05-12 07:19 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2009-07-13 22:36 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-12 07:19:12 UTC
This advisory covers two security bugs that have recently been
discovered and fixed in the Bugzilla code:

+ In all versions of Bugzilla since at least 2.16, it is possible
  to guess the name of a hidden product and have Bugzilla confirm that
  you were correct.
+ In Bugzilla 2.18 and above, a user's username and password are
  sometimes exposed in the URL after generating a Report.

All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.18.1.
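For the second issue above (credentials ending up in a Report URL), the practical defender question is whether such URLs have already landed in web server logs. The following is an added example, not code from the bug report or from Bugzilla; it scans constructed combined-format access log lines for Bugzilla's login form fields (`Bugzilla_login` / `Bugzilla_password`, assumed here as the parameter names since the advisory does not list them) in GET query strings and redacts them before the lines are forwarded anywhere.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query-string parameter names that carry Bugzilla login credentials.
# These are Bugzilla's own login form fields (assumption: the advisory
# above does not name the leaked parameters).
CREDENTIAL_PARAMS = {"bugzilla_login", "bugzilla_password"}

# Request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credential_leaks(log_lines):
    """Return (line_no, path, leaked_param_names) for every request whose
    query string carries a credential parameter."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = parse_qsl(parts.query, keep_blank_values=True)
        leaked = sorted({k for k, _ in params if k.lower() in CREDENTIAL_PARAMS})
        if leaked:
            hits.append((n, parts.path, leaked))
    return hits


def redact_query(target):
    """Rewrite a request target so credential values are masked, so the
    log line can be forwarded to a SIEM or pasted into a ticket safely."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v) for k, v in params]
    query = urlencode(kept)
    return parts.path + ("?" + query if query else "")


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2005:07:19:12 +0000] "GET /report.cgi?x_axis_field=product&format=table HTTP/1.1" 200 4120',
    '10.0.0.7 - - [12/May/2005:07:20:01 +0000] "GET /report.cgi?x_axis_field=product&Bugzilla_login=alice%40example.org&Bugzilla_password=hunter2 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [12/May/2005:07:21:44 +0000] "GET /show_bug.cgi?id=92376 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for n, path, leaked in find_credential_leaks(SAMPLE_LOG):
        print(f"line {n}: {path} leaks {', '.join(leaked)}")
```

Any hit means the affected account's password should be treated as exposed to whoever can read the logs (including proxies and browser history), independent of the upgrade.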
Comment 1 Jeffrey Forman (RETIRED) gentoo-dev 2005-05-12 11:51:23 UTC
I am in the process of getting a new bugzilla installation upgrade done. It just takes some time with our hacked up templates.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2005-05-12 12:47:17 UTC
web-apps, pls provide an ebuild for 2.18.1
Comment 3 Aaron Walker (RETIRED) gentoo-dev 2005-05-12 18:47:09 UTC
2.18.1 in CVS. ppc please stable.
Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-13 04:53:41 UTC
Stable on ppc.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-05-13 06:52:17 UTC
Ready for GLSA vote
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-13 09:05:56 UTC
I tend to vote NO. Though not sure about the pw disclosure.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-05-13 10:25:00 UTC
I vote NO. It leaks pw information, but in unpredictable ways. And hidden products names are not really useful.
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2005-05-13 11:59:56 UTC
agreed

closing without GLSA