Some vulnerabilities and a security issue have been reported in
Bugzilla, which can be exploited by malicious users to inject shell
commands, and by malicious people to conduct cross-site scripting
attacks and to disclose potentially sensitive information.
1) Input passed to the "buildid" parameter when filing bugs using the
guided form is not properly sanitised before being returned to a user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
The vulnerability is reported in version 2.17.1 and later.
2) The "Email::Send::Sendmail()" function does not properly sanitise
Bugzilla's "from" email information which is later passed to the "-f"
parameter of sendmail. This can be exploited to inject shell commands
via a specially crafted "from" setting.
The vulnerability is reported in version 2.23.4 and later.
3) The XML-RPC interface of Bugzilla allows certain time-tracking
information to be disclosed without proper access to the time-tracking
The security issue is reported in version 2.23.3 and above.
Update to a fixed version.
Bugzilla 2.20.x users:
Update to version 2.20.5.
Bugzilla 2.22.x users:
Update to version 2.22.3.
Bugzilla 3.0 users:
Update to version 3.0.1.
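For issue 2, the defensive pattern is to never let the "from" setting reach a shell at all: validate it against a strict allow-list and hand it to sendmail as a separate argv element. The following is an added Python example, not Bugzilla's or Email::Send's own code; the allow-list pattern and the sendmail path are assumptions.

```python
import re
import subprocess
from typing import List

# Hypothetical allow-list for an envelope-sender address (this example's
# policy, not Bugzilla's or Email::Send's check): only characters that are
# safe in a mailbox address, so shell metacharacters (; | ` $ space ...)
# and quotes can never be part of the value handed to sendmail.
_FROM_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_envelope_from(addr: str) -> str:
    """Return addr unchanged if it is a plain mailbox address, else raise.

    The leading "-" check stops a value from being parsed by sendmail as
    another command-line option instead of the -f argument.
    """
    if not _FROM_RE.match(addr) or addr.startswith("-"):
        raise ValueError("refusing unsafe envelope-from value: %r" % addr)
    return addr


def build_sendmail_argv(from_addr: str, recipient: str) -> List[str]:
    """Build the sendmail command line as an argv list.

    Passing a list (no shell string, no shell=True) means the value is a
    single argument to sendmail regardless of its content; the allow-list
    additionally keeps it from being anything other than an address.
    """
    safe_from = validate_envelope_from(from_addr)
    safe_rcpt = validate_envelope_from(recipient)
    # Assumed sendmail location; "-oi" keeps a lone "." from ending input.
    return ["/usr/sbin/sendmail", "-oi", "-f", safe_from, safe_rcpt]


def send_message(from_addr: str, recipient: str, body: str) -> None:
    """Deliver body via the local sendmail binary without invoking a shell."""
    argv = build_sendmail_argv(from_addr, recipient)
    subprocess.run(argv, input=body.encode("utf-8"), check=True)
```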
Setting whiteboard status.
Infra has already verified that our installation of Bugzilla is unaffected by any of the exploits listed.
*** Bug 190267 has been marked as a duplicate of this bug. ***
2.20.5, 2.22.3 and 3.0.1 have been added to the tree.
2.20.5 should be stabilized on
alpha amd64 ia64 ppc ppc64 sparc x86
(alternatively the arches can also stabilize the higher 2.22.3)
2.22.3 should be stabilized on
ia64 ppc64 sparc x86
Is there a specific reason to keep 2.18.6 in the tree? There is no update available for this branch and I guess users of this branch should then upgrade to 2.20.5.
(In reply to comment #4)
> 2.20.5, 2.22.3 and 3.0.1 have been added to the tree.
> 2.20.5 should be stabilized on
> alpha amd64 ia64 ppc ppc64 sparc x86
> (alternatively the arches can also stabilize the higher 2.22.3)
> 2.22.3 should be stabilized on
> ia64 ppc64 sparc x86
> Is there a specific reason to keep 2.18.6 in the tree? There is no update
> available for this branch and I guess users of this branch should then upgrade
> to 2.20.5.
Thanks Gunnar. cc'ing arches for stabilization.
quick update, quick test, quick stabilization: ppc64 stable
Sparc stable (2.20.5 and 2.23)
Removed insecure versions. webapps done here.
unsubbing our bugzilla alias, since bugs.g.o is not affected.