Debian Bug report logs - #611176
Multiple security vulnerabilities, including account compromise


Package: bugzilla; Maintainer for bugzilla is Raphael Bossek <bossekr@debian.org>;

Reported by: Jonathan Wiltshire <jmw@debian.org>

Date: Wed, 26 Jan 2011 12:57:01 UTC

Severity: grave

Tags: security, squeeze-ignore

Found in version 3.0.4.1-2

Fixed in versions 3.6.3.0-2+rm, 3.6.2.0-4.4

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Raphael Bossek <bossekr@debian.org>:
Bug#611176; Package bugzilla. (Wed, 26 Jan 2011 12:57:04 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Raphael Bossek <bossekr@debian.org>. (Wed, 26 Jan 2011 12:57:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bugzilla: CVE-2010-4568 Account compromise vulnerability
Date: Wed, 26 Jan 2011 12:55:08 +0000
Package: bugzilla
Version: 3.0.4.1-2+lenny2
Severity: grave
Tags: security
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: bugzilla
Version: FILLINAFFECTEDVERSION
Severity: FILLINSEVERITY
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for bugzilla.

CVE-2010-4568[0]:
| ** RESERVED **
| This candidate has been reserved by an organization or individual that
| will use it when announcing a new security problem.  When the
| candidate has been publicized, the details for this candidate will be
| provided.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4568
    http://security-tracker.debian.org/tracker/CVE-2010-4568

- -- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash





Information forwarded to debian-bugs-dist@lists.debian.org, Raphael Bossek <bossekr@debian.org>:
Bug#611176; Package bugzilla. (Wed, 26 Jan 2011 13:03:03 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Raphael Bossek <bossekr@debian.org>. (Wed, 26 Jan 2011 13:03:03 GMT)

Message #10 received at 611176@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 611176@bugs.debian.org
Subject: Re: Bug#611176: bugzilla: CVE-2010-4568 Account compromise vulnerability
Date: Wed, 26 Jan 2011 12:59:15 +0000
Sorry about the unhelpful report body...!

From the Mozilla advisory:

|Class:       Account Compromise
|Versions:    2.14 to 3.2.9, 3.4.9, 3.6.3, 4.0rc1
|Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
|Description: It was possible for a user to gain unauthorized access to
|             any Bugzilla account in a very short amount of time (short
|             enough that the attack is highly effective). This is a
|             critical vulnerability that should be patched immediately
|             by all Bugzilla installations.
|References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621591
|             https://bugzilla.mozilla.org/show_bug.cgi?id=619594
|CVE Number:  CVE-2010-4568

http://www.bugzilla.org/security/3.2.9/


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Bug No longer marked as found in versions 3.0.4.1-2+lenny2. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Wed, 26 Jan 2011 13:15:06 GMT)

Bug Marked as found in versions 3.0.4.1-2. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Wed, 26 Jan 2011 13:15:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Raphael Bossek <bossekr@debian.org>:
Bug#611176; Package bugzilla. (Wed, 26 Jan 2011 13:21:06 GMT)

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Raphael Bossek <bossekr@debian.org>. (Wed, 26 Jan 2011 13:21:06 GMT)

Message #19 received at 611176@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>, 611176@bugs.debian.org
Subject: Re: Bug#611176: bugzilla: CVE-2010-4568 Account compromise vulnerability
Date: Wed, 26 Jan 2011 14:19:51 +0100
user release.debian.org@packages.debian.org
usertag 611176 squeeze-can-defer
tag 611176 squeeze-ignore
kthxbye

On Wed, Jan 26, 2011 at 12:55:08 +0000, Jonathan Wiltshire wrote:

> Package: bugzilla
> Version: 3.0.4.1-2+lenny2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
Can be fixed post release, so not a blocker.

Cheers,
Julien

Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 26 Jan 2011 13:21:08 GMT)

Changed Bug title to 'Multiple security vulnerabilities, including account compromise' from 'bugzilla: CVE-2010-4568 Account compromise vulnerability'. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Thu, 10 Feb 2011 17:45:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Raphael Bossek <bossekr@debian.org>:
Bug#611176; Package bugzilla. (Thu, 10 Feb 2011 18:24:03 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Raphael Bossek <bossekr@debian.org>. (Thu, 10 Feb 2011 18:24:03 GMT)

Message #28 received at 611176@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 611176@bugs.debian.org
Subject: Re: Bug#611176: bugzilla: multiple security vulnerabilities
Date: Thu, 10 Feb 2011 18:22:07 +0000
This is the list of outstanding security problems. As you haven't reacted
to the account compromise problem, I intend to NMU these fixes by packaging
3.6.4 from upstream (as soon as I can work out how to integrate a new
upstream release).

CVE-2011-0048[0]:
| Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and
| 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or
| (2) data: URI in the URL (aka bug_file_loc) field, which allows remote
| attackers to conduct cross-site scripting (XSS) attacks against
| logged-out users via a crafted URI.

CVE-2011-0046[1]:
| Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla
| before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x
| before 4.0rc2 allow remote attackers to hijack the authentication of
| arbitrary users for requests related to (1) adding a saved search in
| buglist.cgi, (2) voting in votes.cgi, (3) sanity checking in
| sanitycheck.cgi, (4) creating or editing a chart in chart.cgi, (5)
| column changing in colchange.cgi, and (6) adding, deleting, or
| approving a quip in quips.cgi.

CVE-2010-4572[2]:
| CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10,
| 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2
| allows remote attackers to inject arbitrary HTTP headers and conduct
| HTTP response splitting attacks via the query string, a different
| vulnerability than CVE-2010-2761 and CVE-2010-4411.

CVE-2010-4568[3]:
| Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10;
| 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does
| not properly generate random values for cookies and tokens, which
| allows remote attackers to obtain access to arbitrary accounts via
| unspecified vectors, related to an insufficient number of calls to the
| srand function.

CVE-2010-4567[4]:
| Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and
| 4.0.x before 4.0rc2 does not properly handle whitespace preceding a
| (1) javascript: or (2) data: URI, which allows remote attackers to
| conduct cross-site scripting (XSS) attacks via the URL (aka
| bug_file_loc) field.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0048
    http://security-tracker.debian.org/tracker/CVE-2011-0048
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0046
    http://security-tracker.debian.org/tracker/CVE-2011-0046
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4572
    http://security-tracker.debian.org/tracker/CVE-2010-4572
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4568
    http://security-tracker.debian.org/tracker/CVE-2010-4568
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4567
    http://security-tracker.debian.org/tracker/CVE-2010-4567



-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
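The CVE-2010-4568 entry above attributes the account compromise to cookies and tokens that "does not properly generate random values ... related to an insufficient number of calls to the srand function". The following Python example is added here for illustration and is not Bugzilla's Perl code; it models that weakness class in the abstract: a parent process seeds its PRNG once at startup, forked workers inherit the identical PRNG state without reseeding, so every worker hands out the same first token. The simulated fork (copying PRNG state instead of calling os.fork), the seed value, the worker count and all function names are constructed for this example. It also shows the two defender-side remedies, reseeding each worker from the OS and, preferably, drawing tokens from the OS CSPRNG (`secrets`) so neither fork nor srand frequency matters.

```python
"""Added example (not Bugzilla's code): why session cookies and tokens must not
come from a PRNG seeded once in a parent and inherited by forked workers, the
weakness class described for CVE-2010-4568 ("insufficient number of calls to
the srand function"). fork() is simulated by copying PRNG state; the seed,
worker count and function names are constructed for this illustration."""
import os
import random
import secrets
from typing import Callable, List

TOKEN_BYTES = 16


def make_seeded_parent(seed: int) -> random.Random:
    """The weak pattern: the parent seeds its PRNG exactly once at startup."""
    return random.Random(seed)


def fork_worker(parent: random.Random) -> random.Random:
    """Simulated fork(): the child inherits an exact copy of the parent's PRNG
    state and never reseeds, so siblings replay the same random stream."""
    child = random.Random()
    child.setstate(parent.getstate())
    return child


def fork_worker_reseeded(parent: random.Random) -> random.Random:
    """Partial fix: reseed from the OS after fork so siblings diverge.
    random.Random is still not a CSPRNG, so prefer strong_token() below."""
    child = fork_worker(parent)
    child.seed(int.from_bytes(os.urandom(32), "big"))
    return child


def weak_token(rng: random.Random) -> str:
    """Token drawn from the (non-cryptographic) PRNG the worker inherited."""
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """Proper fix: read the OS CSPRNG directly; fork and srand are irrelevant."""
    return secrets.token_hex(TOKEN_BYTES)


def first_tokens(n_workers: int,
                 spawn: Callable[[random.Random], random.Random],
                 seed: int = 12345) -> List[str]:
    """The first token each of n_workers children would issue after fork."""
    parent = make_seeded_parent(seed)
    return [weak_token(spawn(parent)) for _ in range(n_workers)]


def strong_first_tokens(n_workers: int) -> List[str]:
    """Same audit for workers that use the OS CSPRNG."""
    return [strong_token() for _ in range(n_workers)]


def distinct_count(tokens: List[str]) -> int:
    """Audit helper: number of different tokens issued across workers.
    Anything below len(tokens) means workers are sharing randomness."""
    return len(set(tokens))


if __name__ == "__main__":
    n = 8
    print("inherited state:", distinct_count(first_tokens(n, fork_worker)), "distinct of", n)
    print("reseeded:       ", distinct_count(first_tokens(n, fork_worker_reseeded)), "distinct of", n)
    print("secrets:        ", distinct_count(strong_first_tokens(n)), "distinct of", n)
```

The audit metric is the point for operators: if several workers of a pre-forking server issue the same first session token, randomness is being shared across processes, and the fix is to stop deriving security tokens from a seeded general-purpose PRNG at all rather than to add more srand calls.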

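Three of the CVEs listed in the message above are input-handling defects with well-understood mitigations: the URL (bug_file_loc) field must never be rendered as a clickable javascript: or data: link, including when whitespace precedes the scheme (CVE-2010-4567, CVE-2011-0048), and a value copied from the query string into an HTTP header must not carry CR/LF (CVE-2010-4572). The Python example below is added here to show the hardened form of those checks; it is not Bugzilla's code, and the scheme allow-list, the function names and the sample values are constructed for this illustration. It goes slightly beyond the CVE text by also removing embedded tab, CR and LF characters, which browsers strip before they read a scheme.

```python
"""Added example (not Bugzilla's code): hardened checks for a URL field that
must never become a clickable javascript:/data: link, even with leading
whitespace (CVE-2010-4567, CVE-2011-0048), and for HTTP header values that
must not carry CR/LF (CVE-2010-4572). Allow-list, names and sample values
are constructed for this illustration."""
import html
import re
from urllib.parse import urlsplit

# Only schemes we are willing to turn into a link; everything else is shown
# as inert text. Scheme-less values are rejected rather than guessed.
ALLOWED_SCHEMES = {"http", "https", "ftp"}

# Browsers discard leading C0 controls/space and embedded tab/CR/LF before
# scheme detection, so the validator must do the same; otherwise
# " javascript:" or "java\tscript:" slips past a naive prefix test.
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")
_EMBEDDED_JUNK = re.compile(r"[\t\r\n]")


def normalise_url(value: str) -> str:
    """Apply the same stripping a browser applies before it reads the scheme."""
    return _EMBEDDED_JUNK.sub("", _LEADING_JUNK.sub("", value)).strip()


def safe_url_scheme(value: str) -> bool:
    """True only if the normalised URL has an explicitly allow-listed scheme."""
    cleaned = normalise_url(value)
    if not cleaned:
        return False
    return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES


def render_bug_url(value: str) -> str:
    """Render the URL field: a link for safe URLs, escaped text otherwise."""
    shown = html.escape(value, quote=True)
    if not safe_url_scheme(value):
        return shown
    href = html.escape(normalise_url(value), quote=True)
    return f'<a href="{href}">{shown}</a>'


_HEADER_CTL = re.compile(r"[\r\n\x00]")


def safe_header_value(value: str) -> bool:
    """A value that may be placed in an HTTP header (no CR, LF or NUL)."""
    return _HEADER_CTL.search(value) is None


def content_type_header(mime: str) -> str:
    """Build a Content-Type header line from a caller-supplied value; reject
    rather than 'clean' CR/LF so a crafted value cannot split the response."""
    if not safe_header_value(mime):
        raise ValueError("control characters in header value")
    return f"Content-Type: {mime}"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and several that must
    # never become a link.
    for v in ["https://bugzilla.example/show_bug.cgi?id=1", " javascript:void(0)",
              "\tjava\nscript:void(0)", "data:text/html,x", "JAVASCRIPT:void(0)"]:
        print(repr(v), "->", render_bug_url(v))
    print(content_type_header("text/html; charset=UTF-8"))
```

The two design choices worth copying are the allow-list (decide which schemes may become links, instead of trying to enumerate dangerous ones) and refusing a header value outright instead of silently stripping CR/LF, which keeps a rejected request visible in logs.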
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Tue, 23 Aug 2011 09:31:20 GMT)

Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Tue, 23 Aug 2011 09:31:23 GMT)

Message #33 received at 611176-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 511331-done@bugs.debian.org,511866-done@bugs.debian.org,519568-done@bugs.debian.org,607006-done@bugs.debian.org,607720-done@bugs.debian.org,611176-done@bugs.debian.org,614603-done@bugs.debian.org,616751-done@bugs.debian.org,620040-done@bugs.debian.org,624827-done@bugs.debian.org,628791-done@bugs.debian.org,628823-done@bugs.debian.org,631065-done@bugs.debian.org,632203-done@bugs.debian.org,633912-done@bugs.debian.org,
Cc: bugzilla@packages.debian.org, bugzilla@packages.qa.debian.org
Subject: Bug#638705: Removed package(s) from unstable
Date: Tue, 23 Aug 2011 09:24:17 +0000
Version: 3.6.3.0-2+rm

Dear submitter,

as the package bugzilla has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/638705

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)




Bug Marked as fixed in versions 3.6.2.0-4.4. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Mon, 10 Oct 2011 17:51:05 GMT)

Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Wed, 12 Oct 2011 01:57:03 GMT)

Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Wed, 12 Oct 2011 01:57:03 GMT)

Message #40 received at 611176-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 611176-close@bugs.debian.org
Subject: Bug#611176: fixed in bugzilla 3.6.2.0-4.4
Date: Wed, 12 Oct 2011 01:55:16 +0000
Source: bugzilla
Source-Version: 3.6.2.0-4.4

We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:

bugzilla3-doc_3.6.2.0-4.4_all.deb
  to main/b/bugzilla/bugzilla3-doc_3.6.2.0-4.4_all.deb
bugzilla3_3.6.2.0-4.4_all.deb
  to main/b/bugzilla/bugzilla3_3.6.2.0-4.4_all.deb
bugzilla_3.6.2.0-4.4.debian.tar.gz
  to main/b/bugzilla/bugzilla_3.6.2.0-4.4.debian.tar.gz
bugzilla_3.6.2.0-4.4.dsc
  to main/b/bugzilla/bugzilla_3.6.2.0-4.4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 611176@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated bugzilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 09 Oct 2011 14:35:55 +0100
Source: bugzilla
Binary: bugzilla3 bugzilla3-doc
Architecture: source all
Version: 3.6.2.0-4.4
Distribution: stable-security
Urgency: low
Maintainer: Raphael Bossek <bossekr@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 bugzilla3  - web-based bug tracking system
 bugzilla3-doc - comprehensive guide to Bugzilla
Closes: 611176
Changes: 
 bugzilla (3.6.2.0-4.4) stable-security; urgency=low
 .
   * Non-maintainer upload.
   * Add security patches (Closes: #611176):
     - 79_cve-2010-4572.sh (CVE-2010-4572)
     - 80_cve-2010-4567_cve-2011-0048.sh
        (CVE-2010-4567 CVE-2011-0048)
     - 81_cve-2010-4568.sh (CVE-2010-4568)
     - 82_cve-2011-0046.sh (CVE-2011-0046)
     - 83_cve-2011-2978.sh (CVE-2011-2978)
     - 84_cve-2011-2381.sh (CVE-2011-2381)
     - 85_cve-2011-2380.sh (CVE-2011-2979, CVE-2011-2380)
     - 86_cve-2011-2379.sh (CVE-2011-2379)
Checksums-Sha1: 
 3d4bd0d3f7f8243f9e5413e30802e60a49c7a72a 1819 bugzilla_3.6.2.0-4.4.dsc
 d6152f6bbfe3c685c00865bfc324ca3f1f1a8450 4452904 bugzilla_3.6.2.0.orig.tar.gz
 0c0763676985d6c3e9d79b093374fa7dadbc2243 108758 bugzilla_3.6.2.0-4.4.debian.tar.gz
 ff518d8d4a83439f4331dc6fd419003c46d47b78 2771036 bugzilla3_3.6.2.0-4.4_all.deb
 de42e26e263020a14e49182f6cf5eef2d34e473b 1416190 bugzilla3-doc_3.6.2.0-4.4_all.deb
Checksums-Sha256: 
 21945539aa93086d3be477074e1fca95172faefb9dde218a4821a51f550b3bba 1819 bugzilla_3.6.2.0-4.4.dsc
 3f31675b546f76eab611c37ceaa7462ab0fb207f7edd6b2820c6b56f598f37f2 4452904 bugzilla_3.6.2.0.orig.tar.gz
 8137454990478afbee4a668e73b77cca26f7c0efe152850ee2f45261d2a9047b 108758 bugzilla_3.6.2.0-4.4.debian.tar.gz
 5c983661e6e50a1daac4f5549573bf224b7a46719f13536f635901218d30df79 2771036 bugzilla3_3.6.2.0-4.4_all.deb
 2f68fab762618cef4cb94286a93c6b55b2d0d540f5cc454f0fb374691cdbad58 1416190 bugzilla3-doc_3.6.2.0-4.4_all.deb
Files: 
 bc28d8fc22a5caa1a840fb69cf06be33 1819 web optional bugzilla_3.6.2.0-4.4.dsc
 07ba25fb3c6aa9de846813fd9dedf1d7 4452904 web optional bugzilla_3.6.2.0.orig.tar.gz
 6aec84d8f5b569e234e3c6a600633c09 108758 web optional bugzilla_3.6.2.0-4.4.debian.tar.gz
 4881eac89b514991fb221daec5004608 2771036 web optional bugzilla3_3.6.2.0-4.4_all.deb
 deed43001e2088b93a919d4b09353538 1416190 doc optional bugzilla3-doc_3.6.2.0-4.4_all.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Feb 2012 07:38:31 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:53:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.