-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1089
            4.3.3, 4.2.3, 4.0.8, and 3.6.11 Security Advisory
                              15 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bugzilla
Publisher:         Bugzilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Existing Account
                   Cross-site Scripting     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5475 CVE-2012-4199 CVE-2012-4198
                   CVE-2012-4197 CVE-2012-4189

Original Bulletin:
   http://www.bugzilla.org/security/3.6.11/

- --------------------------BEGIN INCLUDED TEXT--------------------

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* Confidential product and component names can be disclosed to
  unauthorized users if they are used to control the visibility of a
  custom field.

* When calling the 'User.get' WebService method with a 'groups'
  argument, it is possible to check if the given group names exist or
  not.

* Due to incorrectly filtered field values in tabular reports, it is
  possible to inject code which can lead to XSS.

* When trying to mark an attachment in a bug you cannot see as
  obsolete, the description of the attachment is disclosed in the
  error message.

* A vulnerability in swfstore.swf from YUI2 can lead to XSS.

All affected installations are encouraged to upgrade as soon as
possible.
Vulnerability Details
=====================

Class:       Information Leak
Versions:    3.3.4 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: If the visibility of a custom field is controlled by a
             product or a component of a product you cannot see, their
             names are disclosed in the JavaScript code generated for
             this custom field even though they should remain
             confidential.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE Number:  CVE-2012-4199

Class:       Information Leak
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: Calling the User.get method with a 'groups' argument leaks
             the existence of the groups depending on whether an error
             is thrown or not. This method now also throws an error if
             the user calling this method does not belong to these
             groups (independently of whether the groups exist or not).
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE Number:  CVE-2012-4198

Class:       Cross-Site Scripting
Versions:    4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.2.4, 4.4rc1
Description: Due to incorrectly filtered field values in tabular reports,
             it is possible to inject code leading to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE Number:  CVE-2012-4189

Class:       Information Leak
Versions:    2.16 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: Trying to mark an attachment in a bug you cannot see as
             obsolete discloses its description in the error message.
             The description of the attachment is now removed from the
             error message.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE Number:  CVE-2012-4197

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: A vulnerability in swfstore.swf from YUI2 allows JavaScript
             injection exploits to be created against domains that host
             this affected YUI .swf file.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=808845
             http://yuilibrary.com/support/20121030-vulnerability/
CVE Number:  CVE-2012-5475

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.6.12, 4.0.9, 4.2.4
and 4.4rc1 releases. Upgrading to a release with the relevant fixes
will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:

  Frédéric Buclin
  David Lawrence
  Gervase Markham
  Mateusz Goik

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUKRTd+4yVqjM2NGpAQKg3Q//UPHUWPo4ykg+XIVvxACjObROZ2sZlURK
DBGMUtVgD0koI7B+CN4d2xZ+CBowf9qucnr00ItKzvpRjU+6cWrf2+5o4jGeeHva
ZdoYIUMD8gtMaHufU5g7oC5dGW6UuOOn/imIDktBZsjpDuWeTX5wcK5Ps2E2nvi2
aCG9szuniO7ZucFRl6zNWnR8Ly7NL4tPxmuutGlNVyIHIELJKfyMRRaBqZGF6nVK
Anmi6Tn8ghSx2FV9Zd3s01VWsokEuMBasCe8//4gCsw6y3+Vs1HWWdkP+lzmrPLX
KbDQW9vBAGkq+LMYwS0DdhF+XCVE+6LfyGBH5IeQLVOHsiXhRPQKsvp2AVijkR2F
jLrTCfJMhFRNfiHh2Iv98j1tGWrnsByGAWpAMJGY8S1TiXV8Zf5LgOm7BUuZzKXe
JuLWjd2+3TSr1w6SH57hJfNPnVWC1dUgpZAcalF99R14kEn4DNXxi9InhvZBneqt
d8NejACOq6WcUEZanKuCXURJp77qsatpDcJvED+QpGzLqYSknwMXUnwKydYkyrUi
pHNpcEZRYZVvcqJpVIx1Ng1/LS4zDoGmI9hr4KKDH6q9i7N68eQjEmHU4c6xorlK
OC4iEl7lxEnnkTnc8IqijJlMJTCAjYL1D3jmGvH4BKIoT3QSB/YwW5crown25Gwa
ZSq3tL42zC0=
=5LFt
-----END PGP SIGNATURE-----
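Two of the issues in the bulletin above are the same class of defect: an error path that tells the caller more than it should. CVE-2012-4198 leaks group existence because User.get throws different errors for "unknown group" and "group you are not in", and CVE-2012-4197 echoes an attachment description into an error shown to a user who cannot see the bug. The following Python model is an added example, not Bugzilla's code: the handler shapes, the error wording, the group and attachment sample data, and all function names are constructed for illustration. It shows the pre-fix behaviour next to the behaviour the advisory describes after the fix (one error regardless of existence; no description in the error), plus a small regression check a defender can keep in a test suite to catch the oracle coming back.

```python
# Added example (not Bugzilla's code): error-message leaks from this advisory
# modelled in plain Python. All names, messages and sample data are constructed.
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


class ApiError(Exception):
    """Error returned to the WebService caller; its text is the leak channel."""


# Constructed sample state: 'alice' belongs to 'editbugs' only, and
# 'secret-team' is a group whose existence she should not be able to learn.
GROUPS: Set[str] = {"editbugs", "secret-team"}
USER_MEMBERSHIPS = {"alice": {"editbugs"}}


def user_get_vulnerable(caller: str, groups: List[str]) -> None:
    """Pre-fix shape of the CVE-2012-4198 check (constructed): existence is
    tested before membership, so a nonexistent group and an existing group the
    caller is not in yield different errors, which is the existence oracle."""
    for g in groups:
        if g not in GROUPS:
            raise ApiError(f"group '{g}' does not exist")
        if g not in USER_MEMBERSHIPS.get(caller, set()):
            raise ApiError(f"you are not a member of group '{g}'")


def user_get_fixed(caller: str, groups: List[str]) -> None:
    """Post-fix shape: the same error is raised whenever the caller is not a
    member of a requested group, independently of whether it exists."""
    allowed = USER_MEMBERSHIPS.get(caller, set())
    for g in groups:
        if g not in allowed:
            raise ApiError("you are not allowed to query this group")
    # Only groups the caller belongs to get past this point; they all exist.


def error_message(fn: Callable[[str, List[str]], None],
                  caller: str, groups: List[str]) -> Optional[str]:
    """Run a handler and return the error text the caller would observe."""
    try:
        fn(caller, groups)
    except ApiError as e:
        return str(e)
    return None


def responses_differ(fn: Callable[[str, List[str]], None], caller: str,
                     hidden_existing: str, nonexistent: str) -> bool:
    """Regression check: True when an existing-but-hidden group and a
    nonexistent one produce distinguishable responses (the handler is an
    existence oracle); the fixed handler must return False here."""
    return (error_message(fn, caller, [hidden_existing])
            != error_message(fn, caller, [nonexistent]))


@dataclass
class Attachment:
    id: int
    bug_id: int
    description: str


def obsolete_error_vulnerable(att: Attachment, can_see_bug: bool) -> str:
    """Pre-fix shape of CVE-2012-4197 (constructed wording): the refusal to
    obsolete an attachment on a hidden bug still echoes its description."""
    if not can_see_bug:
        return (f"You are not authorized to edit attachment {att.id} "
                f"({att.description})")
    return ""


def obsolete_error_fixed(att: Attachment, can_see_bug: bool) -> str:
    """Post-fix shape: the error carries the attachment id only."""
    if not can_see_bug:
        return f"You are not authorized to edit attachment {att.id}"
    return ""


if __name__ == "__main__":
    print("pre-fix oracle:", responses_differ(user_get_vulnerable, "alice",
                                              "secret-team", "no-such-group"))
    print("post-fix oracle:", responses_differ(user_get_fixed, "alice",
                                               "secret-team", "no-such-group"))
    att = Attachment(id=42, bug_id=7, description="Top secret crash dump")
    print(obsolete_error_vulnerable(att, can_see_bug=False))
    print(obsolete_error_fixed(att, can_see_bug=False))
```

The point of `responses_differ` is that the fix is a property of the whole response, not of one message: any difference (text, error code, status, even timing) between the "does not exist" and "not a member" paths re-creates the oracle, so the check compares what the caller actually receives rather than inspecting the implementation.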