Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2011.0809 Bugzilla 4.1.2, 4.0.1, 3.6.5, and 3.4.11 Security Advisory 8 August 2011 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Bugzilla 4.1.2 Bugzilla 4.0.1 Bugzilla 3.6.5 Bugzilla 3.4.11 Publisher: Bugzilla Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Existing Account Provide Misleading Information -- Existing Account Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2011-2979 CVE-2011-2978 CVE-2011-2977 CVE-2011-2976 CVE-2011-2381 CVE-2011-2380 CVE-2011-2379 Original Bulletin: http://www.bugzilla.org/security/3.4.11/ - --------------------------BEGIN INCLUDED TEXT-------------------- 4.1.2, 4.0.1, 3.6.5, and 3.4.11 Security Advisory Tuesday, August 4, 2011 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing when viewing a patch in "Raw Unified" mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment. * It is possible to determine whether or not certain group names exist while creating or updating bugs; and in Bugzilla 4.1.1 and 4.1.2, also by using custom searches. * Attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications sent to the requestee or the requester when editing an attachment flag. * If an attacker has access to a user's session, he can modify that user's email address without that user being notified of the change. * Temporary files for uploaded attachments are not deleted on Windows, which could let a user with local access to the server read them. * Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack. All affected installations are encouraged to upgrade as soon as possible. Vulnerability Details ===================== Class: Cross-Site Scripting Versions: 2.4 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3 Description: Bugzilla uses an alternate host for attachments when viewing them in raw format to prevent cross-site scripting attacks. This alternate host is now also used when viewing patches in "Raw Unified" mode because Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing, which could lead to the execution of malicious code. References: https://bugzilla.mozilla.org/show_bug.cgi?id=637981 CVE Number: CVE-2011-2379 Class: Information Leak Versions: 2.23.3 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3 Description: Normally, a group name is confidential and is only visible to members of the group, and to non-members if the group is used in bugs. By crafting the URL when creating or editing a bug, it was possible to guess if a group existed or not, even for groups which weren't used in bugs and so which were supposed to remain confidential. Moreover, in Bugzilla 4.1.1 and 4.1.2, custom searches also let you determine if a group exists or not, even for groups which should remain confidential. References: https://bugzilla.mozilla.org/show_bug.cgi?id=653477 https://bugzilla.mozilla.org/show_bug.cgi?id=674497 CVE Number: CVE-2011-2380, CVE-2011-2979 Class: Email Header Injection Versions: 2.17.1 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3 Description: Bugzilla mostly sends two types of email notifications: bugmails and flagmails. A bugmail is the standard email users get when a change is made to a bug. A flagmail is only sent to the requestee or requester of a flag. For flagmails only, attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications when an attachment flag is edited. Other users only receiving a bugmail are not affected. References: https://bugzilla.mozilla.org/show_bug.cgi?id=657158 CVE Number: CVE-2011-2381 Class: Unnotified Account Change Versions: 2.16rc1 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3 Description: When a user changes his email address, Bugzilla trusts a user-modifiable field for obtaining the current e-mail address to send a confirmation message to. If an attacker has access to the session of another user (for example, if that user left their browser window open in a public place), the attacker could alter this field to cause the email-change notification to go to their own address. This means that the user would not be notified that his account had its email address changed by the attacker. References: https://bugzilla.mozilla.org/show_bug.cgi?id=670868 CVE Number: CVE-2011-2978 Class: Local Information Disclosure Versions: 3.6 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2 Fixed In: 3.6.6, 4.0.2, 4.1.3 Description: Temporary files for uploaded attachments are not deleted on Windows. A user with local access to the server could read these attachments even if he wouldn't normally be allowed to view them from Bugzilla. References: https://bugzilla.mozilla.org/show_bug.cgi?id=660502 CVE Number: CVE-2011-2977 Class: Cross-Site Scripting Versions: 2.16rc1 to 3.4.11 Fixed In: 3.4.12 Description: If a BUGLIST cookie is compromised (which is not possible except via a vulnerability outside of Bugzilla), it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack. Bugzilla 3.5.1 and above are not affected by this issue. References: https://bugzilla.mozilla.org/show_bug.cgi?id=660053 CVE Number: CVE-2011-2976 Vulnerability Solutions ======================= The fixes for these issues are included in the 3.4.12, 3.6.6, 4.0.2, and 4.1.3 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues. If you are unable to upgrade but would like to patch just the individual security vulnerabilities, there are patches available for each issue at the "References" URL for each vulnerability. Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS/bzr upgrade instructions are available at: http://www.bugzilla.org/download/ Credits ======= The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix this issue: Frédéric Buclin Byron Jones Max Kanat-Alexander Reed Loden Neal Poole Neil Rashbrook David Lawrence General information about the Bugzilla bug-tracking system can be found at: http://www.bugzilla.org/ Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBTj9xou4yVqjM2NGpAQLAHg//ZEabfy3MrsDnL0PJ4dEyr6T2IbOikVjF GoBIIxJ2cO/tcHfC28Kwps7tG7XabLwOd0/SMP8gqf/VzpP3fzfbWPDzNBTjUTdw RRRPGltJO0PvrjDYbxcFAIEqQFAvAmwXpZJRgzZ2m9/2UsrCL1569J1pGE2NG3lu CQLAFvFuv1q4ZjnokXZWtTnMrv5ZNFVXPbe6KWRIjXq+BYA6jIPs4bP4NON+zNSH GMmNmVdKlig6PR49xslUHh1C8ditN4LZ4csFgCMs94cUPt2e1Xr4tAOI+LHHvz77 Avr0Bc5KAO2g5BdbfSvE3bZlBaXGiI1VcSNLeC71UumVtaeiTRFGL8prPn6gLnR9 pVfjujpM1WW011WjsuAQPBqVT6J8SLcLE8GqgOlVWcavclkAJJRbJvrZu27xqloF Txgh+8VAAWEJbEGjpy1RmGcMDHIVME8+gBdOVml2p58XWp5jbNPIkTC9oxCRvvLF 7tMAoPjKUQR5ioug0XTp5dwyaZUb0Qnfmt2hBpJjU5ZjK72GNCULc68y5Jox5oke 1hIvmidXdr3wEaxPJNkICA7wRdPFU9tYLfMZPVeBIBKlhp2d0LoSOE0zB9ieLtwL EjJjE8uZrmGQ1dsT+orMKrY0t2AF23ImUJDYa83oYIEYaO49R68U7YfoakBHqRc/ Ai/S7FYqyOg= =w1LC -----END PGP SIGNATURE-----