| Summary: | Gentoo Bugzilla 2.18.3 requires security issue update to 2.18.4 | ||
|---|---|---|---|
| Product: | Gentoo Infrastructure | Reporter: | Gary Kwong [:gkw] [:nth10sd] <nth10sd> |
| Component: | Bugzilla | Assignee: | Jeffrey Forman (RETIRED) <jforman> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | critical | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.bugzilla.org/releases/2.18.4/ | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Note: This is for the 2.18.3 Bugzilla version Gentoo is currently using. It has already been noted for the metabug regarding 2.20 (#99714). Security issue fixed in 2.18.4: Vulnerability Details ===================== Issue 1 ------- Class: Information Leak Versions: 2.18rc1 - 2.18.3, 2.19 - 2.20rc2, 2.21 Description: config.cgi gives JavaScript and RDF information about Bugzilla to third-party clients, including a list of products in the Bugzilla installation. The "requirelogin" parameter requires that all people be logged into Bugzilla before seeing any data, as a security measure. In affected versions, config.cgi is always accessible, and always contains information to non-logged-in users, even when "requirelogin" is turned on, possibly exposing product names that administrators expected to be confidential. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=308256