Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.3238 Security advisory for Bugzilla 5.0.2, 4.4.11 and 4.2.16 24 December 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Bugzilla Publisher: Bugzilla Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2015-8509 CVE-2015-8508 Original Bulletin: https://bugzilla.mozilla.org/show_bug.cgi?id=1221518 https://bugzilla.mozilla.org/show_bug.cgi?id=1232785 - --------------------------BEGIN INCLUDED TEXT-------------------- Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * Unfiltered HTML injected into a dependency graph could be used to create a cross-site scripting attack. * Some web browsers incorrectly parse CSV files as valid JavaScript code which could lead to data leak. All affected installations are encouraged to upgrade as soon as possible. Vulnerability Details ===================== Class: Cross-Site Scripting Versions: Bugzilla 2.6 to 4.2.15, 4.3.1 to 4.4.10, 4.5.1 to 5.0.1 Fixed In: 4.2.16, 4.4.11, 5.0.2 Description: During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap function generates. This could be used for a cross-site scripting attack. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1221518 CVE Number: CVE-2015-8508 Class: Information Leak Versions: Bugzilla 2.17.1 to 4.2.15, 4.3.1 to 4.4.10, 4.5.1 to 5.0.1 Fixed In: 4.2.16, 4.4.11, 5.0.2 Description: If an external HTML page contains a <script> element with its src attribute pointing to a buglist in CSV format, some web browsers incorrectly try to parse the CSV file as valid JavaScript code. As the buglist is generated based on the privileges of the user logged into Bugzilla, the external page could collect confidential data contained in the CSV file. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1232785 CVE Number: CVE-2015-8509 Vulnerability Solutions ======================= The fixes for these issues are included in the 4.2.16, 4.4.11 and 5.0.2 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues. If you are unable to upgrade but would like to patch just the security vulnerabilities, there are patches available for the issues at the "References" URL for each vulnerability. Full release downloads, patches to upgrade Bugzilla from previous versions, and git upgrade instructions are available at: https://www.bugzilla.org/download/ Credits ======= The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix these issues: Issue 1 reported by: Holger Fuhrmannek Issue 2 reported by: Mario Gomes Fixed by: Frédéric Buclin, Dylan William Hardison, David Lawrence, Gervase Markham General information about the Bugzilla bug-tracking system can be found at: https://www.bugzilla.org/ Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. https://www.bugzilla.org/support/ has directions for accessing these forums. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVntBzX6ZAP0PgtI9AQJ26A/6Aji3agufpvu2RU4pU4wT6129NH6o6Hdq P9zZyWNecAi1gSA+hHledKk/JgbF5XhAXy320dGYcy+ObvtS/7fGGGyHGk0oSHWK 2MjXIGRfhSo5//V3mseO4xdG22rzSZkK631PUwx8LS11YaW9XvvasE14LRPjlFL6 fPUAohj5g2qJvvEUMg/xpXS5PCm4vj5I0t5vVZMiEJMbx/788KUJ01MloGxapAdT w013u106afuIsL38jfEwmtJeKibrpav+klcf6/eiHMfy6asEEZPk5cQuKHJxVAjY pV46TM9olKuQKj66c6pBPSEdVCcQKApKaSrSC/nu37iepz5KCH6Sy8tbZozIP8t3 Tl4lw0SBRjAYqdJUa8fORNqADU5wg0Jpm7tVobLs5BkggLbwibEd3dM4wZYhgMH5 OelLALFGfYHc051rhnvX//pZk9VyuZEQgUi/LslGsC4zXBjXcqHn5aZZETlmbm/t FXDk+3Oy+Gojz/6IsJskGSpBXB4/CFsF02YAaqidZi4neHs0RqZpQNY27J3dcdQj CKlmvL+x0XPGx2iGT6Yd33gT/FyrcJraauqtJTZ98YNuN8Fo18i2F+QhCHq7IJIX DsCUae002V/apFPJCHCTEmsO8Ww/ZMndJNSv1ODw58jAEbnh39K9V4xbT6F01XUJ rVVl20tWbBo= =/d8D -----END PGP SIGNATURE-----