| Summary: | <www-apps/bugzilla-{3.2.7,3.4.7}: Multiple Vulnerabilities (CVE-2010-{0180,1204,2470}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | tove, web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.mozilla.org/show_bug.cgi?id=561797 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | Runtime testing required: | --- | |

Description
Stefan Behte (RETIRED)
2010-07-26 15:05:28 UTC
| 30 Jun 2010; Torsten Veller <tove@gentoo.org> +bugzilla-3.2.7.ebuild,
| +bugzilla-3.4.7.ebuild, +bugzilla-3.6.1.ebuild:
| Version bump. Fixes CVE-2010-1204 (3.2, 3.4, 3.6) and CVE-2010-0180 (3.6
| only) No stable version affected.

CVE-2010-2470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2470): Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7 through 3.7.1, when use_suexec is enabled, uses world-readable permissions within (1) .bzr/ and (2) data/webdot/, which allows local users to obtain potentially sensitive data by reading files in these directories, a different vulnerability than CVE-2010-0180.

*** Bug 326301 has been marked as a duplicate of this bug. ***

Please stabilize:
=www-apps/bugzilla-3.2.7 : alpha amd64 ia64 ppc ppc64 sparc x86
=www-apps/bugzilla-3.4.7 : alpha amd64 ia64 ppc sparc x86

Correction: 3.4 isn't stable on any arch, so please stabilize 3.2.7 only:
=www-apps/bugzilla-3.2.7 : alpha amd64 ia64 ppc ppc64 sparc x86

x86 stable

amd64 done

alpha/ia64/sparc stable

CVE-2010-1204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1204): Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 through 3.6, and 3.7 allows remote attackers to obtain potentially sensitive time-tracking information via a crafted search URL, related to a "boolean chart search."

ppc64 done

Marked ppc stable.

Impact: Information disclosure. Vote: NO.

NO, too. Closing noglsa.
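
A permission audit for the two directories named in the CVE-2010-2470 description above, as an added example that is not part of this bug report or of Bugzilla's own code. The function name and the install-root argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check an installed Bugzilla tree for the condition described
# in CVE-2010-2470 (world-readable entries under .bzr/ and data/webdot/).
# Assumption: the caller passes the Bugzilla install root as the first argument,
# e.g.  audit_bugzilla_perms /path/to/bugzilla

# Prints every file or directory under the two CVE-named directories that has
# the "other read" permission bit set. Returns 1 if any were found, 0 if none.
audit_bugzilla_perms() {
    root=$1
    status=0
    for sub in .bzr data/webdot; do
        dir="$root/$sub"
        # A tarball install has no .bzr/, and webdot data may never have been
        # generated; a missing directory is not a finding.
        [ -d "$dir" ] || continue
        # -perm -004 matches entries whose mode includes read for "other".
        # Symlinks are skipped because their own mode bits are not meaningful.
        hits=$(find "$dir" ! -type l -perm -004 -print)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            status=1
        fi
    done
    return "$status"
}
```

A non-empty result on a host where `use_suexec` is enabled means local users can read those paths.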