| Summary: | <www-apps/bugzilla-3.4.4 Alias Field Information Leak (CVE-2009-3386) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | robbat2, web-apps |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.bugzilla.org/security/3.4.3/ | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Please bump our unstable to 3.4.4. CVE-2009-3386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3386): Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allows remote attackers to discover the alias of a private bug by reading the (1) Depends On or (2) Blocks field of a related bug. 3.4.5 is in the tree (#303725) ~arch issue only. Closing noglsa. |
* Aliases of hidden bugs would show up in the "Depends On" and "Blocks" list of other bugs, even if you didn't have permission to see the hidden bugs. All affected installations are encouraged to upgrade as soon as possible. Vulnerability Details ===================== Class: Information Leak Versions: 3.3.2 to 3.4.3, 3.5 to 3.5.1 Fixed In: 3.4.4, 3.5.2 Description: When a bug is in a group, none of its information (other than its status and resolution) should be visible to users outside that group. It was discovered that as of 3.3.2, Bugzilla was showing the alias of the bug (a very short string used as a shortcut for looking up the bug) to users outside of the group, if the protected bug ended up in the "Depends On" or "Blocks" list of any other bug. References: https://bugzilla.mozilla.org/show_bug.cgi?id=529416 CVE Number: CVE-2009-3386