| Summary: | <www-apps/bugzilla-{3.6.12,4.0.9,4.2.4}: multiple security flaws (CVE-2012-{4189,4197,4198,4199,5883}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | dastergon, idl0r, jaak, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=876701 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 458562 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2012-11-14 21:39:52 UTC
CVE-2012-5883 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5883): Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209.

CVE-2012-4199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4199): template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls containing private product names or private component names in certain circumstances involving custom-field visibility control, which allows remote attackers to obtain sensitive information by reading HTML source code.

CVE-2012-4198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4198): The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups request depending on whether a group exists, which allows remote authenticated users to discover private group names by observing whether a call throws an error.

CVE-2012-4197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4197): Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers to read attachment descriptions from private bugs via an obsolete=1 insert action.

CVE-2012-4189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4189): Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the Version field.

CVE-2012-5475 was rejected in favor of CVE-2012-5883 and other CVE identifiers that detail vulnerabilities in parts of YUI not shipped with Bugzilla.

*** Bug 448600 has been marked as a duplicate of this bug. ***

Let's not forget CVE-2012-1969 which was fixed by upstream in July (e.g. in 4.0.7). When can we expect new ebuilds in the tree?
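The CVE-2012-4198 entry above describes an existence oracle: a web-service method whose outcome (error or no error) differs for a group that does not exist versus a private group the caller may not see. The following is an added illustration of that pattern and of the usual fix, written here in Python; it is not Bugzilla's own Perl code from Bugzilla/WebService/User.pm, and the group names, the caller's visibility set and the error texts are constructed for the example.

```python
"""Existence-oracle pattern behind CVE-2012-4198, and a hardened variant.

Added example, not Bugzilla's code. Group names, caller visibility and
error messages are constructed; only the pattern is what matters.
"""


class ApiError(Exception):
    """Error surfaced to the WebService caller."""


# Constructed data: which groups exist, and which the caller may see.
ALL_GROUPS = {"editbugs", "canconfirm", "secret-partner-nda"}
VISIBLE_TO_CALLER = {"editbugs", "canconfirm"}  # caller is outside the private group


def user_get_groups_vulnerable(requested):
    """'Before' behaviour: a missing group raises, a private one is silently
    dropped. The caller observes error vs. no error and learns whether a
    name they guessed is a real (private) group."""
    result = []
    for name in requested:
        if name not in ALL_GROUPS:
            raise ApiError(f"Group '{name}' does not exist")
        if name not in VISIBLE_TO_CALLER:
            continue  # exists but is hidden: quietly omitted (the leak)
        result.append(name)
    return result


def user_get_groups_fixed(requested):
    """Hardened behaviour: the existence check is folded into the visibility
    check, so 'does not exist' and 'not visible to you' produce the same
    outcome and the same message template."""
    result = []
    for name in requested:
        if name not in VISIBLE_TO_CALLER:
            raise ApiError(f"Group '{name}' does not exist or is not accessible")
        result.append(name)
    return result


def observe(func, name):
    """What a caller can see for one requested group: whether the call
    raised, and the error text with the group name normalised out."""
    try:
        func([name])
        return ("ok", "")
    except ApiError as exc:
        return ("error", str(exc).replace(name, "<group>"))


def is_oracle(func):
    """True if the API lets a caller distinguish a nonexistent group from a
    private one, i.e. the outcomes differ for the two cases."""
    return observe(func, "no-such-group") != observe(func, "secret-partner-nda")


if __name__ == "__main__":
    print("vulnerable variant leaks existence:", is_oracle(user_get_groups_vulnerable))
    print("fixed variant leaks existence:     ", is_oracle(user_get_groups_fixed))
```

The check in `is_oracle` is the property a reviewer wants to hold for any lookup over privileged names: the observable outcome must be identical for a name that does not exist and a name the caller is not allowed to see, including the error message template, not just the error/no-error distinction.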