This advisory covers two security bugs that have recently been discovered and fixed in the Bugzilla code:

+ In all versions of Bugzilla since at least 2.16, it is possible to guess the name of a hidden product and have Bugzilla confirm that you were correct.
+ In Bugzilla 2.18 and above, a user's username and password are sometimes exposed in the URL after generating a Report.

All Bugzilla installations are advised to upgrade to the latest stable version of Bugzilla, 2.18.1.
I am in the process of getting a new Bugzilla installation upgrade done. It just takes some time with our hacked-up templates.
web-apps, pls provide an ebuild for 2.18.1
2.18.1 in CVS. ppc please stable.
Stable on ppc.
Ready for GLSA vote
I tend to vote NO. Though not sure about the pw disclosure.
I vote NO. It leaks pw information, but in unpredictable ways. And hidden product names are not really useful.
Agreed, closing without GLSA.