Fixed In: 3.2.8, 3.4.8, 3.6.2 Please stabilize =www-apps/bugzilla-3.2.8
amd64 done
Marked ppc/ppc64 stable.
Forgot to remove our CC's, sorry!
x86 stable
lpha/ia64/sparc stable
Impact: Information disclosure and partial DoS. Vote: NO.
CVE-2010-2756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2756): Search.pm in Bugzilla 2.19.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 allows remote attackers to determine the group memberships of arbitrary users via vectors involving the Search interface, boolean charts, and group-based pronouns. CVE-2010-2757 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2757): The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 does not properly send impersonation notifications, which makes it easier for remote authenticated users to impersonate other users without discovery. CVE-2010-2758 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2758): Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 generates different error messages depending on whether a product exists, which makes it easier for remote attackers to guess product names via unspecified use of the (1) Reports or (2) Duplicates page. CVE-2010-2759 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2759): Bugzilla 2.23.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2, when PostgreSQL is used, does not properly handle large integers in (1) bug and (2) attachment phrases, which allows remote authenticated users to cause a denial of service (bug invisibility) via a crafted comment.
NO, too. Closing noglsa.