CVE-2010-0180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0180): Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field.
30 Jun 2010; Torsten Veller <tove@gentoo.org> +bugzilla-3.2.7.ebuild,
+bugzilla-3.4.7.ebuild, +bugzilla-3.6.1.ebuild:
Version bump. Fixes CVE-2010-1204 (3.2, 3.4, 3.6) and CVE-2010-0180 (3.6
only). No stable version affected.
CVE-2010-2470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2470): Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7 through 3.7.1, when use_suexec is enabled, uses world-readable permissions within (1) .bzr/ and (2) data/webdot/, which allows local users to obtain potentially sensitive data by reading files in these directories, a different vulnerability than CVE-2010-0180.
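Added example, not code from this bug thread or from the Bugzilla project: a small POSIX shell audit for the three locations the two CVEs above name (localconfig, .bzr/, data/webdot/), listing anything under them that still carries the "other read" bit, plus the remediation of stripping all "other" bits. The install layout and the sample tree it builds under mktemp are assumptions for the demo, not taken from the advisories.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Bugzilla): audit a Bugzilla
# install directory for the world-readable paths named in CVE-2010-0180
# (localconfig) and CVE-2010-2470 (.bzr/, data/webdot/). The directory layout
# is assumed; the sample tree built by make_sample_install is constructed.

# Print every path under the CVE-listed locations whose "other read" bit
# (octal 004) is set, one per line. Prints nothing when the tree is clean.
list_world_readable() {
    root=${1:-.}
    for rel in localconfig .bzr data/webdot; do
        p="$root/$rel"
        [ -e "$p" ] || continue
        # -perm -004 matches when at least o+r is set; the octal form is
        # understood by both GNU and BSD find.
        find "$p" -perm -004 2>/dev/null
    done
}

# Remediation: strip all "other" bits from those paths. Under suexec the CGIs
# run as the file owner, so the web server's own uid needs no access here.
harden_bugzilla_perms() {
    root=${1:-.}
    for rel in localconfig .bzr data/webdot; do
        p="$root/$rel"
        if [ -e "$p" ]; then
            chmod -R o-rwx "$p"
        fi
    done
    return 0
}

# Constructed sample install with exactly three offenders: localconfig 0644,
# a 0644 file inside an otherwise private 0700 .bzr/, and a 0755 data/webdot/.
# index.cgi is out of scope for both CVEs and is left 0755 on purpose.
# Prints the temp dir path; the caller removes it.
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/.bzr" "$d/data/webdot"
    printf '$db_pass = "secret";\n' > "$d/localconfig"   # assumed content
    : > "$d/.bzr/README"
    : > "$d/index.cgi"
    chmod 0644 "$d/localconfig"
    chmod 0700 "$d/.bzr"
    chmod 0644 "$d/.bzr/README"
    chmod 0755 "$d/data/webdot" "$d/index.cgi"
    echo "$d"
}

# Usage: sh audit_bz_perms.sh /path/to/bugzilla
# Lists offenders and exits 1 if any are found; only audits, never chmods.
if [ "$#" -gt 0 ]; then
    offenders=$(list_world_readable "$1")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/world-readable: /'
        exit 1
    fi
    echo "no world-readable paths under $1"
fi
```

Run it against a real checkout before and after applying harden_bugzilla_perms to confirm the second pass prints nothing; on a non-suexec install the web server uid must still be able to read these files through group or owner permissions, so check that the chmod does not lock Apache out before relying on it.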
*** Bug 326301 has been marked as a duplicate of this bug. ***
Please stabilize:
=www-apps/bugzilla-3.2.7 : alpha amd64 ia64 ppc ppc64 sparc x86
=www-apps/bugzilla-3.4.7 : alpha amd64 ia64 ppc sparc x86
Correction: 3.4 isn't stable on any arch, so please stabilize 3.2.7 only:
=www-apps/bugzilla-3.2.7 : alpha amd64 ia64 ppc ppc64 sparc x86
x86 stable
amd64 done
alpha/ia64/sparc stable
CVE-2010-1204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1204): Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 through 3.6, and 3.7 allows remote attackers to obtain potentially sensitive time-tracking information via a crafted search URL, related to a "boolean chart search."
ppc64 done
Marked ppc stable.
Impact: Information disclosure. Vote: NO.
NO, too. Closing noglsa.