Bug 332193 (CVE-2010-2756) - <www-apps/bugzilla-{3.2.8,3.4.8,3.6.2}: Multiple Vulnerabilities (CVE-2010-{2756,2757,2758,2759})
Status: RESOLVED FIXED
Alias: CVE-2010-2756
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/3.2.7/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2010-08-11 07:50 UTC by Torsten Veller (RETIRED)
Modified: 2010-09-29 21:18 UTC
See Also:
Package list:
Runtime testing required: ---
Description Torsten Veller (RETIRED) gentoo-dev 2010-08-11 07:50:25 UTC
Fixed In: 3.2.8, 3.4.8, 3.6.2

Please stabilize
=www-apps/bugzilla-3.2.8
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2010-08-11 10:14:31 UTC
amd64 done
Comment 2 Joe Jezak (RETIRED) gentoo-dev 2010-08-11 22:20:17 UTC
Marked ppc/ppc64 stable.
Comment 3 Joe Jezak (RETIRED) gentoo-dev 2010-08-11 22:20:51 UTC
Forgot to remove our CC's, sorry!
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-12 02:16:58 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-08-14 14:24:13 UTC
alpha/ia64/sparc stable
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-17 19:36:29 UTC
Impact: Information disclosure and partial DoS.
Vote: NO.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 21:47:29 UTC
CVE-2010-2756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2756):
  Search.pm in Bugzilla 2.19.1 through 3.2.7, 3.3.1 through 3.4.7,
  3.5.1 through 3.6.1, and 3.7 through 3.7.2 allows remote attackers to
  determine the group memberships of arbitrary users via vectors
  involving the Search interface, boolean charts, and group-based
  pronouns.

CVE-2010-2757 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2757):
  The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through
  3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 does not properly
  send impersonation notifications, which makes it easier for remote
  authenticated users to impersonate other users without discovery.

CVE-2010-2758 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2758):
  Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through
  3.6.1, and 3.7 through 3.7.2 generates different error messages
  depending on whether a product exists, which makes it easier for
  remote attackers to guess product names via unspecified use of the
  (1) Reports or (2) Duplicates page.

CVE-2010-2759 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2759):
  Bugzilla 2.23.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through
  3.6.1, and 3.7 through 3.7.2, when PostgreSQL is used, does not
  properly handle large integers in (1) bug and (2) attachment phrases,
  which allows remote authenticated users to cause a denial of service
  (bug invisibility) via a crafted comment.

Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-29 21:18:27 UTC
NO, too. Closing noglsa.