--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-17274
2010-11-04 22:22:48
--------------------------------------------------------------------------------

Name        : bugzilla
Product     : Fedora 14
Version     : 3.6.3
Release     : 1.fc14
URL         : http://www.bugzilla.org/
Summary     : Bug tracking system
Description :
Bugzilla is a popular bug tracking system used by multiple open source
projects. It requires a database engine installed - either MySQL, PostgreSQL or
Oracle. Without one of these database engines (local or remote), Bugzilla will
not work - see the Release Notes for details.
--------------------------------------------------------------------------------
Update Information:

The following security issues have been discovered in Bugzilla:

* There is a way to inject both headers and content to users, causing a serious
  Cross-Site Scripting vulnerability.
* It was possible to see graphs from Old Charts even if you did not have access
  to a particular product, and you could browse a particular URL to see all
  product names.
* YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a
  security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1 and
  above has been updated to 2.8.2.

The first issue is tracked as CVE-2010-3172 and the second as CVE-2010-3764
(see References below).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov  3 2010 Emmanuel Seyman <[email protected]> - 3.6.3-1
- Update to 3.6.3 (#649406)
- Fix webdot alias in /etc/httpd/conf.d/bugzilla (#630255)
- Do not apply graphs patch (upstreamed)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #649398 - CVE-2010-3172 bugzilla: header and content injection vulnerability via Server Push
        https://bugzilla.redhat.com/show_bug.cgi?id=649398
  [ 2 ] Bug #649404 - CVE-2010-3764 bugzilla: information leak via Old Charts system
        https://bugzilla.redhat.com/show_bug.cgi?id=649404
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update bugzilla' at the command line.
For more information, refer to "Managing Software with yum", available at
http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
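An added example, not part of the Fedora notification or of the bugzilla package: a small POSIX sh check that takes the installed package's name-version-release string (the form `rpm -q bugzilla` prints, e.g. "bugzilla-3.6.2-1.fc14") and reports whether it predates the fixed upstream version 3.6.3 named above. It assumes the Fedora naming convention "bugzilla-VERSION-RELEASE" and dotted integer version numbers; the sample strings are constructed for illustration. The `rpm -q` and `rpm -K` invocations in the comments are real rpm commands but are not run here, so the script works offline.

```shell
#!/bin/sh
# Added example (not part of the Fedora advisory): decide from an installed
# package's name-version-release (NVR) whether it predates the fixed build.
FIXED_VERSION="3.6.3"   # from the advisory: bugzilla 3.6.3-1.fc14

# vercmp A B: prints -1, 0 or 1 comparing dotted integer versions field by
# field (3.6.2 < 3.6.3, 3.6 == 3.6.0, 3.6.10 > 3.6.3). Pre-release suffixes
# such as "4.0rc1" are not handled; this is an assumption of the example.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}          # leading field of each version
        [ "$a" = "$ai" ] && a= || a=${a#*.}  # drop the field just consumed
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}          # missing trailing fields count as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# version_of NVR: strip the package name prefix and the "-RELEASE" suffix.
# "bugzilla-3.6.2-1.fc14" -> "3.6.2"
version_of() {
    v=${1#bugzilla-}
    printf '%s\n' "${v%-*}"
}

# bugzilla_vulnerable NVR: succeed (exit 0) if the installed version is older
# than the fix, i.e. still affected by the issues listed in this advisory.
bugzilla_vulnerable() {
    [ "$(vercmp "$(version_of "$1")" "$FIXED_VERSION")" -lt 0 ]
}

# On a real Fedora 14 host (assumed: rpm available, package installed):
#   nvr=$(rpm -q bugzilla) && bugzilla_vulnerable "$nvr" && echo "update needed"
# and, after downloading the update, verify the Fedora Project GPG signature
# before installing it by hand:
#   rpm -K bugzilla-3.6.3-1.fc14.noarch.rpm
```

Running the check before and after `yum update bugzilla` gives a quick confirmation that the installed build actually crossed the 3.6.3 boundary, which matters on hosts where the package was pinned or the update was only partially applied.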
