Bug 386203 - www-apps/bugzilla: multiple vulnerabilities (CVE-2010-{3172,3764,4569,4570},CVE-2011-{2379,2380,2381,2976,2979})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 386205
Depends on:
Blocks:
Reported: 2011-10-08 00:28 UTC by GLSAMaker/CVETool Bot
Modified: 2011-10-10 19:57 UTC
See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 00:28:25 UTC
CVE-2011-2979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2979):
  Bugzilla 4.1.x before 4.1.3 generates different responses for certain
  assignee queries depending on whether the group name is valid, which allows
  remote attackers to determine the existence of private group names via a
  custom search.  NOTE: this vulnerability exists because of a CVE-2010-2756
  regression.

CVE-2011-2976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2976):
  Cross-site scripting (XSS) vulnerability in Bugzilla 2.16rc1 through 2.22.7,
  3.0.x through 3.3.x, and 3.4.x before 3.4.12 allows remote attackers to
  inject arbitrary web script or HTML via vectors involving a BUGLIST cookie.

CVE-2011-2381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2381):
  CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x
  through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x
  before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject
  arbitrary e-mail headers via an attachment description in a flagmail
  notification.

CVE-2011-2380 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2380):
  Bugzilla 2.23.3 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12,
  3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3
  allows remote attackers to determine the existence of private group names
  via a crafted parameter during (1) bug creation or (2) bug editing.

CVE-2011-2379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2379):
  Cross-site scripting (XSS) vulnerability in Bugzilla 2.4 through 2.22.7,
  3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x,
  4.0.x before 4.0.2, and 4.1.x before 4.1.3, when Internet Explorer before 9
  or Safari before 5.0.6 is used for Raw Unified mode, allows remote attackers
  to inject arbitrary web script or HTML via a crafted patch, related to
  content sniffing.

CVE-2010-4570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4570):
  Cross-site scripting (XSS) vulnerability in the duplicate-detection
  functionality in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote
  attackers to inject arbitrary web script or HTML via the summary field,
  related to the DataTable widget in YUI.

CVE-2010-4569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4569):
  Cross-site scripting (XSS) vulnerability in Bugzilla 3.7.1, 3.7.2, 3.7.3,
  and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML
  via the real name field of a user account, related to the AutoComplete
  widget in YUI.

CVE-2010-3764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3764):
  The Old Charts implementation in Bugzilla 2.12 through 3.2.8, 3.4.8, 3.6.2,
  3.7.3, and 4.1 creates graph files with predictable names in graphs/, which
  allows remote attackers to obtain sensitive information via a modified URL.

CVE-2010-3172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3172):
  CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3.4.9,
  3.6.x before 3.6.3, and 4.0.x before 4.0rc1, when Server Push is enabled in
  a web browser, allows remote attackers to inject arbitrary HTTP headers and
  content, and conduct HTTP response splitting attacks, via a crafted URL.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 00:30:05 UTC
*** Bug 386205 has been marked as a duplicate of this bug. ***
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-09 14:38:26 UTC
3.6.6 is the latest stable and fixes all of these. Nothing to do for you. Added to GLSA request.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 19:57:47 UTC
This issue was resolved and addressed in GLSA 201110-03 at http://security.gentoo.org/glsa/glsa-201110-03.xml by GLSA coordinator Stefan Behte (craig).