Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 344081 (CVE-2010-3172)

Summary: <www-apps/bugzilla-3.2.9: Multiple Vulnerabilities (CVE-2010-{3172,3764})
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: alunduil, tove, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.bugzilla.org/security/3.2.8/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-04 09:54:45 UTC 
From $URL:

Vulnerability Details
=====================

Class:       HTTP Response Splitting
Versions:    Every Version Before 3.2.9, 3.4.9, 3.6.3, 4.0rc1
Fixed In:    3.2.9, 3.4.9, 3.6.3, 4.0rc1
Description: By inserting a certain string into a URL, it was possible
             to inject both headers and content to any browser that
             supported "Server Push" (mostly only Gecko-based browsers
             like Firefox). This could lead to Cross-Site Scripting
             vulnerabilities, and possibly other more dangerous
             security issues as well.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=600464
             http://cwe.mitre.org/data/definitions/113.html
CVE Number:  CVE-2010-3172

Class:       Information Leak
Versions:    2.12 to 3.2.8, 3.4.8, 3.6.2, 3.7.3, 4.1
Fixed In:    3.2.9, 3.4.9, 3.6.3, 4.0rc1
Description: The Old Charts system generated graphs with
             predictable names into the "graphs/" directory,
             which also could be browsed to see its contents.
             This allowed unauthorized users to see product names
             and charted information about those products over time.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=419014
CVE Number:  CVE-2010-3764

Class:       Cross-Site Scripting
Versions:    3.7.1 to 3.7.3, 4.1
Fixed In:    4.0rc1
Description: YUI 2.8.1 was vulnerable to a Cross-Site Scripting
             vulnerability in certain .swf files. The YUI shipped
             with Bugzilla has been updated to 2.8.2.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=606618
             http://secunia.com/advisories/41955
             http://yuilibrary.com/support/2.8.2/
Comment 1 Alex Brandt (RETIRED) gentoo-dev 2010-11-09 15:44:19 UTC 
Does this vulnerability require a new ebuild for 3.2.9?  Is there a bug for a new ebuild for this version of bugzilla already?
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2010-11-15 18:49:00 UTC 
ebuilds are in the tree.

3.2.9 should be stabilized.
3.2.9: alpha amd64 ia64 ppc ppc64 sparc x86
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-11-15 18:56:33 UTC 
(In reply to comment #2)
> ebuilds are in the tree.
> 
> 3.2.9 should be stabilized.
> 3.2.9: alpha amd64 ia64 ppc ppc64 sparc x86
> 

Thank you.

Arches, please test and mark stable:
=www-apps/bugzilla-3.2.9
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-16 13:10:49 UTC 
x86 stable
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-11-17 21:46:14 UTC 
amd64 done
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-11-20 12:15:22 UTC 
alpha/ia64/sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-11-24 20:29:23 UTC 
ppc done
Comment 8 Brent Baude (RETIRED) gentoo-dev 2010-11-25 01:01:34 UTC 
ppc64 done
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2010-11-25 01:04:29 UTC 
GLSA Vote: no.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-26 01:22:00 UTC 
No, too. Closing noglsa.