Your message dated Mon, 03 Oct 2005 08:32:15 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#331206: fixed in bugzilla 2.18.4-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Oct 2005 10:12:37 +0000
From [EMAIL PROTECTED] Sun Oct 02 03:12:37 2005
Return-path: <[EMAIL PROTECTED]>
Received: from (vserver151.vserver151.serverflex.de) [193.22.164.111] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EM0pd-00086V-00; Sun, 02 Oct 2005 03:12:34 -0700
Received: from jmm by vserver151.vserver151.serverflex.de with local (Exim 4.50)
        id 1EM0pZ-00083d-4f
        for [EMAIL PROTECTED]; Sun, 02 Oct 2005 12:12:29 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: bugzilla: Two information disclosure vulnerabilities in Bugzilla
X-Mailer: reportbug 3.8
Date: Sun, 02 Oct 2005 12:12:29 +0200
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond 
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: bugzilla
Version: 2.18.3-2
Severity: grave
Tags: security
Justification: user security hole

Two information disclosure vulnerabilities have been found in Bugzilla:

+ It is possible to bypass the "user visibility groups" restrictions
  if user-matching is turned on in "substring" mode.
+ config.cgi exposes information to users who aren't logged in, even
  when "requirelogin" is turned on in Bugzilla.

Please see http://www.bugzilla.org/security/2.18.4/ for the full advisory.
2.18.4 fixes these issues.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages bugzilla depends on:
pn  apache | roxen2 | apache-ssl             Not found.
ii  debconf                       1.4.30.13  Debian configuration management sy
ii  exim4-daemon-light [mail-tran 4.50-8     lightweight exim MTA (v4) daemon
ii  libdbd-mysql-perl             2.9006-1   A Perl5 database interface to the 
ii  libtimedate-perl              1.1600-4   Time and date functions for Perl

---------------------------------------
Received: (at 331206-close) by bugs.debian.org; 3 Oct 2005 15:38:38 +0000
From [EMAIL PROTECTED] Mon Oct 03 08:38:38 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1EMSIZ-0004RG-00; Mon, 03 Oct 2005 08:32:15 -0700
From: Alexis Sukrieh <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#331206: fixed in bugzilla 2.18.4-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 03 Oct 2005 08:32:15 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: bugzilla
Source-Version: 2.18.4-1

We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:

bugzilla-doc_2.18.4-1_all.deb
  to pool/main/b/bugzilla/bugzilla-doc_2.18.4-1_all.deb
bugzilla_2.18.4-1.diff.gz
  to pool/main/b/bugzilla/bugzilla_2.18.4-1.diff.gz
bugzilla_2.18.4-1.dsc
  to pool/main/b/bugzilla/bugzilla_2.18.4-1.dsc
bugzilla_2.18.4-1_all.deb
  to pool/main/b/bugzilla/bugzilla_2.18.4-1_all.deb
bugzilla_2.18.4.orig.tar.gz
  to pool/main/b/bugzilla/bugzilla_2.18.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexis Sukrieh <[EMAIL PROTECTED]> (supplier of updated bugzilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  3 Oct 2005 16:51:01 +0200
Source: bugzilla
Binary: bugzilla bugzilla-doc
Architecture: source all
Version: 2.18.4-1
Distribution: unstable
Urgency: high
Maintainer: Alexis Sukrieh <[EMAIL PROTECTED]>
Changed-By: Alexis Sukrieh <[EMAIL PROTECTED]>
Description: 
 bugzilla   - web-based bug tracking system
 bugzilla-doc - comprehensive guide to Bugzilla
Closes: 331206
Changes: 
 bugzilla (2.18.4-1) unstable; urgency=high
 .
   * New upstream minor release
     + Fixed a security issue: It was possible to bypass the "user
       visibility groups" restrictions if user-matching was turned on
       in "substring" mode.
     + Fixed a security issue: config.cgi exposed information to users who
       weren't logged in, even when "requirelogin" was turned on in Bugzilla.
     (closes: #331206)
Files: 
 de9aaf36e4604b9c9a1db628d0b9a120 668 web optional bugzilla_2.18.4-1.dsc
 b181cef2ed8bbc7bc277c5fa7ebebbe7 1640300 web optional bugzilla_2.18.4.orig.tar.gz
 f34f7bc99646c8d60c9df4aba72c28d4 69174 web optional bugzilla_2.18.4-1.diff.gz
 4619b68c27fecde00d71d47988d1ef9f 616198 web optional bugzilla_2.18.4-1_all.deb
 2a3a8f71b63400abe460cfa103a54fcc 578586 doc optional bugzilla-doc_2.18.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDQUpypFNRmenyx0cRAreEAKC/M8gs68LVauC2ycFkB/AgYCIcjwCfZQhr
Nhappya0QOwRBhUryJTOlD0=
=kjPo
-----END PGP SIGNATURE-----

