Some vulnerabilities and a security issue have been reported in Bugzilla, which can be exploited by malicious users to inject shell commands, and by malicious people to conduct cross-site scripting attacks and to disclose potentially sensitive information.

1) Input passed to the "buildid" parameter when filing bugs using the guided form is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in version 2.17.1 and later.

2) The "Email::Send::Sendmail()" function does not properly sanitise Bugzilla's "from" email information which is later passed to the "-f" parameter of sendmail. This can be exploited to inject shell commands via a specially crafted "from" setting. The vulnerability is reported in version 2.23.4 and later.

3) The XML-RPC interface of Bugzilla allows certain time-tracking information to be disclosed without proper access to the time-tracking fields. The security issue is reported in version 2.23.3 and above.

SOLUTION: Update to a fixed version.
Bugzilla 2.20.x users: Update to version 2.20.5.
Bugzilla 2.22.x users: Update to version 2.22.3.
Bugzilla 3.0 users: Update to version 3.0.1.
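Defensive illustration of issue 2, added here and not Bugzilla's own code: a mail-sending wrapper that keeps a configured "from" value from ever being parsed by a shell, by allow-listing the address and handing it to sendmail as a separate argv element. The function names, the allow-list pattern and the sendmail path are assumptions made for this example.

```python
import re
import subprocess
from typing import List

# Conservative allow-list for an envelope sender (constructed for this example,
# deliberately tighter than RFC 5321): a bare mailbox, no display name, no
# whitespace, no shell metacharacters, and a local part that cannot start
# with "-" so it can never be mistaken for a sendmail option.
_MAILBOX_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"
)


def is_plain_mailbox(addr: str) -> bool:
    """True only if addr is a bare user@host.tld mailbox per the allow-list."""
    return _MAILBOX_RE.fullmatch(addr) is not None


def validate_envelope_from(addr: str) -> str:
    """Return addr unchanged if it is a plain mailbox, otherwise refuse it."""
    if not is_plain_mailbox(addr):
        raise ValueError(f"refusing unsafe envelope sender: {addr!r}")
    return addr


def sendmail_argv(
    from_addr: str, recipients: List[str], sendmail: str = "/usr/sbin/sendmail"
) -> List[str]:
    """Build the argv list for sendmail.

    Passing a list rather than a single command string means no shell is
    involved: the -f value reaches sendmail as exactly one argument, so
    characters such as ";" or "`" in a crafted setting are inert text.
    """
    sender = validate_envelope_from(from_addr)
    rcpts = [validate_envelope_from(r) for r in recipients]
    return [sendmail, "-i", "-f", sender, *rcpts]


def send_message(from_addr: str, recipients: List[str], message: bytes) -> int:
    """Deliver message via local sendmail; returns the process exit status."""
    argv = sendmail_argv(from_addr, recipients)
    proc = subprocess.run(argv, input=message, check=False)
    return proc.returncode
```

A display-name form such as `Bugs Admin <bugs@example.com>` is rejected rather than shell-quoted, which is the safer default for a value that comes from configuration.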
Setting whiteboard status.
infra has already verified our installation of bugzilla is unaffected by any of the exploits listed.
*** Bug 190267 has been marked as a duplicate of this bug. ***
2.20.5, 2.22.3 and 3.0.1 have been added to the tree.

2.20.5 should be stabilized on
alpha amd64 ia64 ppc ppc64 sparc x86
(alternatively the arches can also stabilize the higher 2.22.3)

2.22.3 should be stabilized on
ia64 ppc64 sparc x86

Is there a specific reason to keep 2.18.6 in the tree? There is no update available for this branch and I guess users of this branch should then upgrade to 2.20.5.
(In reply to comment #4)
> 2.20.5, 2.22.3 and 3.0.1 have been added to the tree.
>
> 2.20.5 should be stabilized on
> alpha amd64 ia64 ppc ppc64 sparc x86
> (alternatively the arches can also stabilize the higher 2.22.3)
>
> 2.22.3 should be stabilized on
> ia64 ppc64 sparc x86
>
> Is there a specific reason to keep 2.18.6 in the tree? There is no update
> available for this branch and I guess users of this branch should then upgrade
> to 2.20.5.

Thanks Gunnar. cc'ing arches for stabilization.
quick update, quick test, quick stabilization: ppc64 stable
ppc stable
x86 stable
Sparc stable (2.20.5 and 2.23)
alpha/ia64 stable
amd64 stable
Removed insecure versions. webapps done here.
unsubbing our bugzilla alias, since bugs.g.o is not affected.
GLSA 200709-18