Note: This is for the 2.18.3 Bugzilla version Gentoo is currently using. It has already been noted for the metabug regarding 2.20 (#99714).

Security issue fixed in 2.18.4:

Vulnerability Details
=====================

Issue 1
-------
Class: Information Leak
Versions: 2.18rc1 - 2.18.3, 2.19 - 2.20rc2, 2.21
Description: config.cgi gives JavaScript and RDF information about Bugzilla to third-party clients, including a list of products in the Bugzilla installation. The "requirelogin" parameter requires that all people be logged into Bugzilla before seeing any data, as a security measure. In affected versions, config.cgi is always accessible, and always contains information to non-logged-in users, even when "requirelogin" is turned on, possibly exposing product names that administrators expected to be confidential.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=308256

*** This bug has been marked as a duplicate of 99714 ***