Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0809
Bugzilla 4.1.2, 4.0.1, 3.6.5, and 3.4.11 Security Advisory
8 August 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Bugzilla 4.1.2
Bugzilla 4.0.1
Bugzilla 3.6.5
Bugzilla 3.4.11
Publisher: Bugzilla
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Existing Account
Provide Misleading Information -- Existing Account
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2011-2979 CVE-2011-2978 CVE-2011-2977
CVE-2011-2976 CVE-2011-2381 CVE-2011-2380
CVE-2011-2379
Original Bulletin:
http://www.bugzilla.org/security/3.4.11/
- --------------------------BEGIN INCLUDED TEXT--------------------
4.1.2, 4.0.1, 3.6.5, and 3.4.11 Security Advisory
Tuesday, August 4, 2011
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* Internet Explorer 8 and older, and Safari before 5.0.6 do content
sniffing when viewing a patch in "Raw Unified" mode, which could
trigger a cross-site scripting attack due to the execution of
malicious code in the attachment.
* It is possible to determine whether or not certain group names exist
while creating or updating bugs; and in Bugzilla 4.1.1 and 4.1.2,
also by using custom searches.
* Attachment descriptions with a newline in them could lead to the
injection of crafted headers in email notifications sent to the
requestee or the requester when editing an attachment flag.
* If an attacker has access to a user's session, he can modify that
user's email address without that user being notified of the change.
* Temporary files for uploaded attachments are not deleted on Windows,
which could let a user with local access to the server read them.
* Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can
be used to inject HTML code when viewing a bug report, leading to
a cross-site scripting attack.
All affected installations are encouraged to upgrade as soon as
possible.
Vulnerability Details
=====================
Class: Cross-Site Scripting
Versions: 2.4 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1,
4.1.1 to 4.1.2
Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3
Description: Bugzilla uses an alternate host for attachments when
viewing them in raw format to prevent cross-site scripting
attacks. This alternate host is now also used when viewing
patches in "Raw Unified" mode because Internet Explorer 8
and older, and Safari before 5.0.6 do content sniffing,
which could lead to the execution of malicious code.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=637981
CVE Number: CVE-2011-2379
Class: Information Leak
Versions: 2.23.3 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1,
4.1.1 to 4.1.2
Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3
Description: Normally, a group name is confidential and is only visible
to members of the group, and to non-members if the group
is used in bugs. By crafting the URL when creating or
editing a bug, it was possible to guess if a group existed
or not, even for groups which weren't used in bugs and so
which were supposed to remain confidential.
Moreover, in Bugzilla 4.1.1 and 4.1.2, custom searches also
let you determine if a group exists or not, even for groups
which should remain confidential.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=653477
https://bugzilla.mozilla.org/show_bug.cgi?id=674497
CVE Number: CVE-2011-2380, CVE-2011-2979
Class: Email Header Injection
Versions: 2.17.1 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1,
4.1.1 to 4.1.2
Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3
Description: Bugzilla mostly sends two types of email notifications:
bugmails and flagmails. A bugmail is the standard email
users get when a change is made to a bug. A flagmail is
only sent to the requestee or requester of a flag. For
flagmails only, attachment descriptions with a newline
in them could lead to the injection of crafted headers in
email notifications when an attachment flag is edited.
Other users only receiving a bugmail are not affected.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=657158
CVE Number: CVE-2011-2381
Class: Unnotified Account Change
Versions: 2.16rc1 to 3.4.11, 3.5.1 to 3.6.5, 3.7.1 to 4.0.1,
4.1.1 to 4.1.2
Fixed In: 3.4.12, 3.6.6, 4.0.2, 4.1.3
Description: When a user changes his email address, Bugzilla trusts
a user-modifiable field for obtaining the current e-mail
address to send a confirmation message to. If an attacker
has access to the session of another user (for example,
if that user left their browser window open in a public
place), the attacker could alter this field to cause
the email-change notification to go to their own address.
This means that the user would not be notified that his
account had its email address changed by the attacker.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=670868
CVE Number: CVE-2011-2978
Class: Local Information Disclosure
Versions: 3.6 to 3.6.5, 3.7.1 to 4.0.1, 4.1.1 to 4.1.2
Fixed In: 3.6.6, 4.0.2, 4.1.3
Description: Temporary files for uploaded attachments are not deleted
on Windows. A user with local access to the server could
read these attachments even if he wouldn't normally be
allowed to view them from Bugzilla.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=660502
CVE Number: CVE-2011-2977
Class: Cross-Site Scripting
Versions: 2.16rc1 to 3.4.11
Fixed In: 3.4.12
Description: If a BUGLIST cookie is compromised (which is not possible
except via a vulnerability outside of Bugzilla), it can be
used to inject HTML code when viewing a bug report, leading
to a cross-site scripting attack.
Bugzilla 3.5.1 and above are not affected by this issue.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=660053
CVE Number: CVE-2011-2976
Vulnerability Solutions
=======================
The fixes for these issues are included in the 3.4.12, 3.6.6, 4.0.2,
and 4.1.3 releases. Upgrading to a release with the relevant fixes will
protect your installation from possible exploits of these issues.
If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.
Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:
http://www.bugzilla.org/download/
Credits
=======
The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:
Frédéric Buclin
Byron Jones
Max Kanat-Alexander
Reed Loden
Neal Poole
Neil Rashbrook
David Lawrence
General information about the Bugzilla bug-tracking system can be found
at:
http://www.bugzilla.org/
Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTj9xou4yVqjM2NGpAQLAHg//ZEabfy3MrsDnL0PJ4dEyr6T2IbOikVjF
GoBIIxJ2cO/tcHfC28Kwps7tG7XabLwOd0/SMP8gqf/VzpP3fzfbWPDzNBTjUTdw
RRRPGltJO0PvrjDYbxcFAIEqQFAvAmwXpZJRgzZ2m9/2UsrCL1569J1pGE2NG3lu
CQLAFvFuv1q4ZjnokXZWtTnMrv5ZNFVXPbe6KWRIjXq+BYA6jIPs4bP4NON+zNSH
GMmNmVdKlig6PR49xslUHh1C8ditN4LZ4csFgCMs94cUPt2e1Xr4tAOI+LHHvz77
Avr0Bc5KAO2g5BdbfSvE3bZlBaXGiI1VcSNLeC71UumVtaeiTRFGL8prPn6gLnR9
pVfjujpM1WW011WjsuAQPBqVT6J8SLcLE8GqgOlVWcavclkAJJRbJvrZu27xqloF
Txgh+8VAAWEJbEGjpy1RmGcMDHIVME8+gBdOVml2p58XWp5jbNPIkTC9oxCRvvLF
7tMAoPjKUQR5ioug0XTp5dwyaZUb0Qnfmt2hBpJjU5ZjK72GNCULc68y5Jox5oke
1hIvmidXdr3wEaxPJNkICA7wRdPFU9tYLfMZPVeBIBKlhp2d0LoSOE0zB9ieLtwL
EjJjE8uZrmGQ1dsT+orMKrY0t2AF23ImUJDYa83oYIEYaO49R68U7YfoakBHqRc/
Ai/S7FYqyOg=
=w1LC
-----END PGP SIGNATURE-----