Summary: | <www-apps/bugzilla-{4.2.9,4.4.4}: Comments Control Characters Spoofing Vulnerability (CVE-2014-1517) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | minor | CC: | andrew, creffett, proxy-maint, web-apps | ||||
Priority: | Normal | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | https://secunia.com/advisories/58059/ | ||||||
Whiteboard: | B3 [noglsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Agostino Sarubbo
2014-04-18 10:01:03 UTC
I have tested revbumps for 4.2.9 and 4.4.4 and the appropriate ebuilds (4.2.7 and 4.4.1) work fine with a simple rename. For 4.0.13, there is a dependency change. I have attached an updated ebuild; alternatively, the change to be made is: - dev-perl/Math-Random-ISAAC + dev-perl/Math-Random-Secure creffett can you please commit the updated versions and then request stabilization for 4.2.9 and 4.4.4 (4.0.11 is not stabilized so 4.0.13 does not need to be stabilized). Created attachment 375518 [details]
bugzilla 4.0.13 ebuild
Arches, please test and stabilize: =www-apps/bugzilla-4.2.9 =www-apps/bugzilla-4.4.4 Target arches: amd64 x86. Thanks! amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. Cleanup done. GLSA vote: no. GLSA vote: no. Closing as [noglsa]. CVE-2014-1517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1517): The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue. |