===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0125
        Bugzilla 4.2rc1, 4.0.3, 3.6.7, and 3.4.13 Security Advisory
                              3 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bugzilla
Publisher:         Bugzilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Unauthorised Access        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0448 CVE-2012-0440

Original Bulletin:
   http://www.bugzilla.org/security/3.4.13/

--------------------------BEGIN INCLUDED TEXT--------------------

4.2rc1, 4.0.3, 3.6.7, and 3.4.13 Security Advisory
Tuesday, January 31st, 2012

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* When a user creates a new account, Bugzilla doesn't correctly reject
  email addresses containing non-ASCII characters, which could be used
  to impersonate another user account.

* A CSRF vulnerability in the implementation of the JSON-RPC API could
  be used to make changes to bugs or execute some admin tasks without
  the victim's knowledge.

All affected installations are encouraged to upgrade as soon as
possible.

Vulnerability Details
=====================

Class:       Account Impersonation
Versions:    2.0 to 3.4.13, 3.5.1 to 3.6.7, 3.7.1 to 4.0.3,
             4.1.1 to 4.2rc1
Fixed In:    3.4.14, 3.6.8, 4.0.4, 4.2rc2
Description: When a user creates a new account, Bugzilla doesn't
             correctly reject email addresses containing non-ASCII
             characters, which could be used to impersonate another
             user account.
             Such email addresses could look visually identical to
             other valid email addresses, and an attacker could try to
             confuse other users and be added to bugs he shouldn't have
             access to.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=714472
CVE Number:  CVE-2012-0448

Class:       Cross-Site Request Forgery
Versions:    3.5.1 to 3.6.7, 3.7.1 to 4.0.3, 4.1.1 to 4.2rc1
Fixed In:    3.6.8, 4.0.4, 4.2rc2
Description: Due to a lack of validation of the Content-Type header
             when making POST requests to jsonrpc.cgi, a possible CSRF
             vulnerability was discovered. If a user visits an HTML
             page with some malicious JS code in it, an attacker could
             make changes to a remote Bugzilla installation on behalf
             of the victim's account by using the JSON-RPC API. The
             user would have had to be already logged in to the target
             site for the vulnerability to work.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=718319
CVE Number:  CVE-2012-0440

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.4.14, 3.6.8, 4.0.4,
and 4.2rc2 releases. Upgrading to a release with the relevant fixes
will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wishes to thank the following people/organizations
for their assistance in locating, advising us of, and assisting us to
fix this issue:

  Frédéric Buclin
  Max Kanat-Alexander
  Byron Jones
  Mario Gomes
  James Kettle

General information about the Bugzilla bug-tracking system can be
found at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
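The two server-side checks the advisory describes, as an added illustration in Python rather than Bugzilla's own Perl code: the account-creation path rejects any non-ASCII address outright (and can additionally report which registered account a look-alike address collapses onto, which is useful when auditing accounts created before the upgrade), and the JSON-RPC handler refuses POST bodies whose Content-Type is not application/json. The function names, the EXISTING_ACCOUNTS sample and the header dict shape are assumptions made for this example, not Bugzilla's API.

```python
import re
import unicodedata

# Constructed sample of already-registered accounts (not real Bugzilla data).
EXISTING_ACCOUNTS = {"admin@example.com", "alice@example.com"}

# Conservative ASCII-only address shape; the point is the character set,
# not full RFC 5322 coverage.
ASCII_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def confusable_target(addr, existing=EXISTING_ACCOUNTS):
    """Return the registered account that `addr` becomes indistinguishable from
    after Unicode compatibility normalisation (e.g. fullwidth letters), or None.
    NFKC does not fold cross-script homoglyphs such as Cyrillic letters; a
    UTS #39 confusables table would be needed for those."""
    folded = unicodedata.normalize("NFKC", addr).casefold()
    for account in existing:
        if account != addr and unicodedata.normalize("NFKC", account).casefold() == folded:
            return account
    return None


def validate_new_account_email(addr, existing=EXISTING_ACCOUNTS):
    """Return (ok, reason) for a proposed new-account address.
    Non-ASCII input is refused before any other check, which is the fix the
    advisory describes; the remaining checks are ordinary hygiene."""
    if not addr.isascii():
        target = confusable_target(addr, existing)
        detail = f" (visually collapses onto {target})" if target else ""
        return False, "non-ASCII characters in email address" + detail
    if not ASCII_EMAIL_RE.match(addr):
        return False, "malformed email address"
    if addr.lower() in {e.lower() for e in existing}:
        return False, "email address already registered"
    return True, "ok"


def jsonrpc_post_allowed(headers):
    """Admit a POST to the JSON-RPC endpoint only when its media type is
    application/json. A cross-site HTML form can only submit the form
    media types (urlencoded, multipart, text/plain), so requiring JSON
    stops the forged request before any RPC method is dispatched."""
    lowered = {k.lower(): v for k, v in headers.items()}
    media_type = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    return media_type == "application/json"
```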
http://www.bugzilla.org/support/ has directions for accessing these
forums.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your
organisation's registration with AusCERT. The mailing list you are
subscribed to is maintained within your organisation, so if you do not
wish to continue receiving these bulletins you should contact your
local IT manager. If you do not know who that is, please send an email
to auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It
may not be updated when updates to the original are made. If
downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved
from:

  http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================