Your message dated Mon, 03 Oct 2005 08:32:15 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#331206: fixed in bugzilla 2.18.4-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Oct 2005 10:12:37 +0000
From [EMAIL PROTECTED] Sun Oct 02 03:12:37 2005
Return-path: <[EMAIL PROTECTED]>
Received: from (vserver151.vserver151.serverflex.de) [193.22.164.111]
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EM0pd-00086V-00; Sun, 02 Oct 2005 03:12:34 -0700
Received: from jmm by vserver151.vserver151.serverflex.de with local (Exim 4.50)
	id 1EM0pZ-00083d-4f
	for [EMAIL PROTECTED]; Sun, 02 Oct 2005 12:12:29 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: bugzilla: Two information disclosure vulnerabilities in Bugzilla
X-Mailer: reportbug 3.8
Date: Sun, 02 Oct 2005 12:12:29 +0200
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: bugzilla
Version: 2.18.3-2
Severity: grave
Tags: security
Justification: user security hole

Two information disclosure vulnerabilities have been found in Bugzilla:

+ It is possible to bypass the "user visibility groups" restrictions
  if user-matching is turned on in "substring" mode.

+ config.cgi exposes information to users who aren't logged in, even
  when "requirelogin" is turned on in Bugzilla.

Please see http://www.bugzilla.org/security/2.18.4/ for the full advisory.

2.18.4 fixes these issues.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages bugzilla depends on:
pn  apache | roxen2 | apache-ssl               Not found.
ii  debconf                       1.4.30.13    Debian configuration management sy
ii  exim4-daemon-light [mail-tran 4.50-8       lightweight exim MTA (v4) daemon
ii  libdbd-mysql-perl             2.9006-1     A Perl5 database interface to the
ii  libtimedate-perl              1.1600-4     Time and date functions for Perl

---------------------------------------
Received: (at 331206-close) by bugs.debian.org; 3 Oct 2005 15:38:38 +0000
From [EMAIL PROTECTED] Mon Oct 03 08:38:38 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EMSIZ-0004RG-00; Mon, 03 Oct 2005 08:32:15 -0700
From: Alexis Sukrieh <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#331206: fixed in bugzilla 2.18.4-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 03 Oct 2005 08:32:15 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: bugzilla
Source-Version: 2.18.4-1

We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:

bugzilla-doc_2.18.4-1_all.deb
  to pool/main/b/bugzilla/bugzilla-doc_2.18.4-1_all.deb
bugzilla_2.18.4-1.diff.gz
  to pool/main/b/bugzilla/bugzilla_2.18.4-1.diff.gz
bugzilla_2.18.4-1.dsc
  to pool/main/b/bugzilla/bugzilla_2.18.4-1.dsc
bugzilla_2.18.4-1_all.deb
  to pool/main/b/bugzilla/bugzilla_2.18.4-1_all.deb
bugzilla_2.18.4.orig.tar.gz
  to pool/main/b/bugzilla/bugzilla_2.18.4.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexis Sukrieh <[EMAIL PROTECTED]> (supplier of updated bugzilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 3 Oct 2005 16:51:01 +0200
Source: bugzilla
Binary: bugzilla bugzilla-doc
Architecture: source all
Version: 2.18.4-1
Distribution: unstable
Urgency: high
Maintainer: Alexis Sukrieh <[EMAIL PROTECTED]>
Changed-By: Alexis Sukrieh <[EMAIL PROTECTED]>
Description:
 bugzilla   - web-based bug tracking system
 bugzilla-doc - comprehensive guide to Bugzilla
Closes: 331206
Changes:
 bugzilla (2.18.4-1) unstable; urgency=high
 .
   * New upstream minor release
     + Fixed a security issue: It was possible to bypass the "user visibility
       groups" restrictions if user-matching was turned on in "substring" mode.
     + Fixed a security issue: config.cgi exposed information to users who
       weren't logged in, even when "requirelogin" was turned on in Bugzilla.
     (closes: #331206)
Files:
 de9aaf36e4604b9c9a1db628d0b9a120 668 web optional bugzilla_2.18.4-1.dsc
 b181cef2ed8bbc7bc277c5fa7ebebbe7 1640300 web optional bugzilla_2.18.4.orig.tar.gz
 f34f7bc99646c8d60c9df4aba72c28d4 69174 web optional bugzilla_2.18.4-1.diff.gz
 4619b68c27fecde00d71d47988d1ef9f 616198 web optional bugzilla_2.18.4-1_all.deb
 2a3a8f71b63400abe460cfa103a54fcc 578586 doc optional bugzilla-doc_2.18.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDQUpypFNRmenyx0cRAreEAKC/M8gs68LVauC2ycFkB/AgYCIcjwCfZQhr
Nhappya0QOwRBhUryJTOlD0=
=kjPo
-----END PGP SIGNATURE-----