>Class: Cross-Site Request Forgery
>Versions: Bugzilla 2.16rc1 to 4.4.12, 4.5.1 to 5.0.3
>Fixed In: 4.4.13, 5.0.4
>Description: Via the image generation in report.cgi, a malicious site
> using the presence of certain images, could extract
> potentially confidential information if the victim was
> logged in and could access the bug.
>References: https://bugzilla.mozilla.org/show_bug.cgi?id=1433400
>CVE Number: CVE-2018-5123
Note that bugs.g.o is fine: https://gitweb.gentoo.org/fork/bugzilla.git/commit/?id=7b7a210cd57140e85c36c9c5bfed35389f7952d5
@maintainer(s): ping
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2fa70ce5190a8073fd697326a8495f2626326f2

commit f2fa70ce5190a8073fd697326a8495f2626326f2
Author: David Denoncin <ddenoncin@gmail.com>
AuthorDate: 2020-07-18 15:58:44 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-08-01 20:27:37 +0000

www-apps/bugzilla: vbump 5.0.6

This new ebuild leaves dealing with mod_perl to experienced users.
This change enables bumping the ebuild to EAPI 7.
It also loses using use flags for optional runtime dependencies.

Bug: https://bugs.gentoo.org/712706
Closes: https://bugs.gentoo.org/332251
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: David Denoncin <ddenoncin@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/16125
Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/bugzilla/Manifest                        |   1 +
 www-apps/bugzilla/bugzilla-5.0.6.ebuild           | 118 +++++++++++++++++++++
 .../bugzilla/files/bugzilla-5.0.6-leftbrace.patch |  17 +++
 www-apps/bugzilla/files/bugzilla-5.0.6-perl.patch |  17 +++
 .../bugzilla/files/bugzilla-5.0.6-template.patch  |  17 +++
 www-apps/bugzilla/files/postinstall-5.0.6-en.txt  |  30 ++++++
 www-apps/bugzilla/files/postinstall-en.txt        |   1 +
 www-apps/bugzilla/files/postupgrade-5.0.6-en.txt  |  10 ++
 8 files changed, 211 insertions(+)
Giving it a few days.
amd64 done
x86 done

all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7e5ee5f8f488c35a163dda0075df0ceb0e02a7b

commit e7e5ee5f8f488c35a163dda0075df0ceb0e02a7b
Author: David Denoncin <ddenoncin@gmail.com>
AuthorDate: 2020-08-10 21:15:42 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-08-15 05:59:09 +0000

www-apps/bugzilla: drop vulnerable old

Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: David Denoncin <ddenoncin@gmail.com>
Bug: https://bugs.gentoo.org/712706
Closes: https://github.com/gentoo/gentoo/pull/17073
Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/bugzilla/Manifest                        |   2 -
 www-apps/bugzilla/bugzilla-4.4.12-r2.ebuild       | 130 --------------------
 www-apps/bugzilla/bugzilla-5.0.3-r2.ebuild        | 134 ---------------------
 .../bugzilla/files/bugzilla-5.0.3-leftbrace.patch |  26 ----
 www-apps/bugzilla/files/bugzilla-queue.confd      |   4 -
 www-apps/bugzilla/files/bugzilla.cron.daily       |   5 -
 www-apps/bugzilla/files/bugzilla.cron.tab         |   1 -
 www-apps/bugzilla/files/postinstall-en.txt        |  14 ---
 www-apps/bugzilla/files/reconfig                  |  19 ---
 www-apps/bugzilla/metadata.xml                    |   4 -
 10 files changed, 339 deletions(-)
GLSA vote: no. Tree is clean. Closing.