===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1089
             4.3.3, 4.2.3, 4.0.8, and 3.6.11 Security Advisory
                             15 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bugzilla
Publisher:         Bugzilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Existing Account            
                   Cross-site Scripting     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5475 CVE-2012-4199 CVE-2012-4198
                   CVE-2012-4197 CVE-2012-4189 

Original Bulletin: 
   http://www.bugzilla.org/security/3.6.11/

--------------------------BEGIN INCLUDED TEXT--------------------

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* Confidential product and component names can be disclosed to
  unauthorized users if they are used to control the visibility of
  a custom field.

* When calling the 'User.get' WebService method with a 'groups'
  argument, it is possible to check if the given group names exist
  or not.

* Due to incorrectly filtered field values in tabular reports, it is
  possible to inject code which can lead to XSS.

* When trying to mark an attachment in a bug you cannot see as
  obsolete, the description of the attachment is disclosed in the
  error message.

* A vulnerability in swfstore.swf from YUI2 can lead to XSS.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Information Leak
Versions:    3.3.4 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: If the visibility of a custom field is controlled by
             a product or a component of a product you cannot see,
             their names are disclosed in the JavaScript code
             generated for this custom field, even though they
             should remain confidential.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE Number:  CVE-2012-4199

Class:       Information Leak
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: Calling the User.get method with a 'groups' argument leaks
             whether the given groups exist, depending on whether an
             error is thrown or not. This method now also throws an
             error if the user calling this method does not belong to
             these groups (independently of whether the groups exist
             or not).
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE Number:  CVE-2012-4198

Class:       Cross-Site Scripting
Versions:    4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.2.4, 4.4rc1
Description: Due to incorrectly filtered field values in tabular
             reports, it is possible to inject code leading to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE Number:  CVE-2012-4189

Class:       Information Leak
Versions:    2.16 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: Trying to mark an attachment in a bug you cannot see as
             obsolete discloses its description in the error message.
             The description of the attachment is now removed from
             the error message.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE Number:  CVE-2012-4197
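
The two error-message leaks above (CVE-2012-4198 and CVE-2012-4197) share
a pattern: the caller learns something it is not entitled to from which
error comes back. The Python below is an added illustration, not Bugzilla's
own code, that models each pre-fix behaviour beside the behaviour the fix
describes; all users, groups, bugs and attachments in it are constructed
sample data.

```python
# Added illustration (not Bugzilla's code) of the two error-message oracles in
# this advisory, User.get's 'groups' argument and marking an attachment
# obsolete, each beside the behaviour the fix describes. Sample data is made up.

GROUPS = {"admin", "secteam"}                     # group names that exist
MEMBERSHIP = {"alice": {"admin"}, "bob": set()}   # user -> groups joined
BUG_VIEWERS = {101: {"alice"}, 102: {"alice", "bob"}}  # who can see a bug
ATTACHMENTS = {7: (101, "internal pentest report"), 8: (102, "screenshot")}

class WebServiceError(Exception):
    pass

def user_get_groups_vulnerable(caller, groups):
    # Pre-fix: existence is checked before membership, so a non-member can
    # tell from the error text whether a group name exists.
    for g in groups:
        if g not in GROUPS:
            raise WebServiceError("Group '%s' does not exist" % g)
    if not set(groups) <= MEMBERSHIP[caller]:
        raise WebServiceError("You are not a member of the requested groups")
    return sorted(u for u, gs in MEMBERSHIP.items() if set(groups) & gs)

def user_get_groups_fixed(caller, groups):
    # Fixed: non-members get one uniform error whether the groups exist or not.
    if not set(groups) <= MEMBERSHIP[caller]:
        raise WebServiceError("You are not a member of the requested groups")
    return sorted(u for u, gs in MEMBERSHIP.items() if set(groups) & gs)

def mark_obsolete_vulnerable(caller, att_id):
    # Pre-fix: the refusal quotes the attachment's description from a hidden bug.
    bug, desc = ATTACHMENTS[att_id]
    if caller not in BUG_VIEWERS[bug]:
        raise WebServiceError("You cannot edit attachment '%s'" % desc)
    return True

def mark_obsolete_fixed(caller, att_id):
    # Fixed: the refusal names the attachment only by its numeric id.
    bug, _desc = ATTACHMENTS[att_id]
    if caller not in BUG_VIEWERS[bug]:
        raise WebServiceError("You cannot edit attachment %d" % att_id)
    return True

def error_text(func, *args):
    # Return the error message a call produces, or None if it succeeds.
    try:
        func(*args)
    except WebServiceError as exc:
        return str(exc)
    return None
```

Comparing the error text for an existing group against a made-up one is the check a reviewer can apply to any similar API: if a non-member sees different messages, the method is an existence oracle.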

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: A vulnerability in swfstore.swf from YUI2 allows
             JavaScript injection exploits to be created against
             domains that host this affected YUI .swf file.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=808845
             http://yuilibrary.com/support/20121030-vulnerability/
CVE Number:  CVE-2012-5475

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.6.12, 4.0.9, 4.2.4
and 4.4rc1 releases. Upgrading to a release with the relevant fixes
will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
these issues:

Frédéric Buclin
David Lawrence
Gervase Markham
Mateusz Goik

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================