Your message dated Tue, 21 Jun 2005 15:47:16 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#308789: fixed in bugzilla 2.18-7
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Insecure password handling
X-Mailer: reportbug 3.8
Date: Thu, 12 May 2005 13:10:58 +0200
Package: bugzilla
Severity: important
Tags: security, sid
This issue affects only the Bugzilla version in sid:
Issue 2
-------
Class: User Password Embedded in URL
Versions: 2.17.1 through 2.18, 2.19.1, 2.19.2
Description: The user's password can be embedded as part of a report URL,
and thus visible in the web server logs, if the user is
prompted to log in while attempting to view a chart.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=287436
It's fixed in latest upstream version.
Cheers,
Moritz
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages bugzilla depends on:
pn apache | roxen2 | apache-ssl Not found.
ii debconf 1.4.30.13 Debian configuration management sy
ii exim4-daemon-light [mail-tran 4.50-4 lightweight exim MTA (v4) daemon
ii libdbd-mysql-perl 2.9006-1 A Perl5 database interface to the
ii libtimedate-perl 1.1600-4 Time and date functions for Perl
---------------------------------------
From: Alexis Sukrieh <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#308789: fixed in bugzilla 2.18-7
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 21 Jun 2005 15:47:16 -0400
Source: bugzilla
Source-Version: 2.18-7
We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:
bugzilla-doc_2.18-7_all.deb
to pool/main/b/bugzilla/bugzilla-doc_2.18-7_all.deb
bugzilla_2.18-7.diff.gz
to pool/main/b/bugzilla/bugzilla_2.18-7.diff.gz
bugzilla_2.18-7.dsc
to pool/main/b/bugzilla/bugzilla_2.18-7.dsc
bugzilla_2.18-7_all.deb
to pool/main/b/bugzilla/bugzilla_2.18-7_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexis Sukrieh <[EMAIL PROTECTED]> (supplier of updated bugzilla package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 12 Jun 2005 15:45:07 +0200
Source: bugzilla
Binary: bugzilla bugzilla-doc
Architecture: source all
Version: 2.18-7
Distribution: unstable
Urgency: low
Maintainer: Alexis Sukrieh <[EMAIL PROTECTED]>
Changed-By: Alexis Sukrieh <[EMAIL PROTECTED]>
Description:
bugzilla - web-based bug tracking system
bugzilla-doc - comprehensive guide to Bugzilla
Closes: 308232 308789 309227 309236 309475 311169 311980
Changes:
 bugzilla (2.18-7) unstable; urgency=low
 .
   * Change the datadir to /var/lib/bugzilla
     + Add a patch for replacing $datadir with /var/lib/bugzilla
     + Update bugzilla.postinst for fixing the permissions on /var/lib/bugzilla
     + Update bugzilla.postrm for purging /var/lib/bugzilla
     + data and graphs are under /var/lib/bugzilla instead of
       /usr/share/bugzilla.
     (closes: #308232)
   * Add upstream security patch for closing Bugzilla's #287436
     + debian/patches/00_security_287436.dpatch
     (closes: #308789)
   * Add the possibility to manage several VirtualHosts thanks to Apache
     configuration, using mod_env.
     + new patch for customizing Bugzilla::Config in order to read variables
       set up by Apache configuration (Thanks to Yann Dirson).
     + add a section in README.Debian in order to explain how to set up a
       VirtualHost with the package.
     + add two examples in order to help the creation of Bugzilla VirtualHosts.
     (closes: #309227, #309236)
   * Add debian/po/vi.po for debconf translations (thanks to Clytie Siddall).
     (closes: #309475)
   * New debian/po/ja.po for better debconf translations (thanks to Hideki
     Yamane).
     (closes: #311169)
   * New debian/po/cs.po for better debian translations (thanks to Jan
     Outrata).
     (closes: #311980)
Files:
87a809f0d3cab21826c750cc3ce435d3 662 web optional bugzilla_2.18-7.dsc
e9922456a930807ff2913190696fbdcb 65187 web optional bugzilla_2.18-7.diff.gz
ab5cfbd201c3f8814f39dc18ae5c4eb8 603610 web optional bugzilla_2.18-7_all.deb
83f9571a9bdf5adcf3dcc342307f1d88 554770 doc optional bugzilla-doc_2.18-7_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCuDJ4pFNRmenyx0cRAhPCAKCfKYiLMPjWfVCkAbCL6h5bVLvjKACeIuf6
wRz0AYobwbtaW7RpzpIYRGM=
=IUcz
-----END PGP SIGNATURE-----