
Bug 303725 (CVE-2009-3387)

Summary: <www-apps/bugzilla-{3.0.11, 3.2.6, 3.4.5} Multiple vulnerabilities (CVE-2009-{3387,3989})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=532493
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 303437

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 14:43:31 UTC
CVE-2009-3387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3387):
  Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group
  restrictions to be preserved throughout the process of moving a bug
  to a different product category, which allows remote attackers to
  obtain sensitive information via a request for a bug in opportunistic
  circumstances.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:41:28 UTC
CVE-2009-3989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3989):
  Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and
  3.5.x before 3.5.3 does not block access to files and directories
  that are used by custom installations, which allows remote attackers
  to obtain sensitive information via requests for (1) CVS/, (2)
  contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt.

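The fix for CVE-2009-3989 is the version bump below; for an instance that cannot be updated right away, the web server can deny the five paths named in the NVD text as a defence-in-depth measure. The following Apache 2.4 fragment is an added example, not part of this bug or of Bugzilla's own .htaccess rules; the install root /var/www/bugzilla is a placeholder and must be replaced with the real DocumentRoot.

```apache
# Added example (not from the Gentoo bug or the Bugzilla project).
# Assumes Apache 2.4 ("Require" syntax) and a Bugzilla checkout at the
# placeholder path /var/www/bugzilla.

# Deny the four directories listed in the CVE-2009-3989 description.
# The pattern is anchored to the install root so an unrelated directory
# called "t" or "contrib" elsewhere on the host is left alone, and the
# trailing (/|$) keeps it from also matching e.g. "template/".
<DirectoryMatch "^/var/www/bugzilla/(CVS|contrib|docs/en/xml|t)(/|$)">
    Require all denied
</DirectoryMatch>

# Deny the single file listed in the description, anywhere under the
# install root.
<Directory "/var/www/bugzilla">
    <Files "old-params.txt">
        Require all denied
    </Files>
</Directory>
```

After a configuration reload, a request for /CVS/ or /old-params.txt against your own instance should return 403 rather than a listing or file contents; that check confirms the rules took effect in the virtual host that actually serves Bugzilla. On Apache 2.2 the equivalent inside each block is `Order deny,allow` followed by `Deny from all`.
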
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2010-02-18 08:08:30 UTC
Bumped ebuilds are in the tree now.

Minimal keywording targets:
3.0.x: 3.0.11: alpha amd64 ia64 ppc ppc64 sparc x86
3.2.x: 3.2.6:  alpha amd64 ia64 ppc ppc64 sparc x86
3.4.x: 3.4.5: (none previously stable)
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-21 22:16:34 UTC
x86 stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2010-02-23 15:41:33 UTC
ppc64 done
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-02-25 19:56:51 UTC
alpha/ia64/sparc stable
Comment 6 Markus Meier gentoo-dev 2010-03-08 19:48:05 UTC
amd64 stable
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 22:03:53 UTC
Marked ppc stable.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-31 07:35:08 UTC
GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:17:41 UTC
GLSA 201006-19