Bug#395094: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Upstream security advisory: http://www.bugzilla.org/security/2.18.5/

These are fixed in 2.22.1 which would be suitable for sid. There is no upstream fix for the 2.16 series, as used in sarge. I am looking at the upstream fix for the 2.18 series to see whether it is applicable or easily adaptable to 2.16.

Ben.

--
Ben Hutchings -- [EMAIL PROTECTED] shortened to [EMAIL PROTECTED]
If you've signed my GPG key, please send a signature on and to the new uid.
The world is coming to an end. Please log off.
Bug#395094: CVE-2006-545[3-5]: Multiple security issues in bugzilla
* Ben Hutchings ([EMAIL PROTECTED]) :
> Based on the advisory at http://www.bugzilla.org/security/2.18.5/ I would say that:
> [...]

Ben, thanks a lot for your work regarding that issue.

If you have an alioth account, feel free to ask Sean Finney to add you to the webapps-common team, so you can commit to the bugzilla SVN repo.

I'm going to review and apply your patches as soon as possible.

Thanks again, your help is pretty welcome, as bugzilla really needs attention, time and work.

Regards,

--
Alexis Sukrieh [EMAIL PROTECTED] 0x1EE5DD34
Debian http://www.debian.org
Backup Manager http://www.backup-manager.org

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Processed: Re: Bug#395094: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Processing commands for [EMAIL PROTECTED]:

tags 395094 + confirmed
Bug#395094: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Tags were: security
Tags added: confirmed

thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#395094: CVE-2006-545[3-5]: Multiple security issues in bugzilla
tags 395094 + confirmed
thanks

* Ben Hutchings ([EMAIL PROTECTED]) :
> Upstream security advisory: http://www.bugzilla.org/security/2.18.5/
> These are fixed in 2.22.1 which would be suitable for sid.

I'm working on the packaging of that new upstream release.

--
Alexis Sukrieh [EMAIL PROTECTED] 0x1EE5DD34
Debian http://www.debian.org
Backup Manager http://www.backup-manager.org
Bug#395094: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Package: bugzilla
Severity: grave
Tags: security

Several issues have been found in bugzilla:

CVE-2006-5455: Cross-site request forgery (CSRF) vulnerability in editversions.cgi in Bugzilla before 2.22.1 and 2.23.x before 2.23.3 allows user-assisted remote attackers to create, modify, or delete arbitrary bug reports via a crafted URL.

CVE-2006-5454: Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.22.1, and 2.23.x before 2.23.3 allow remote attackers to obtain (1) the description of arbitrary attachments by viewing the attachment in diff mode in attachment.cgi, and (2) the deadline field by viewing the XML format of the bug in show_bug.cgi.

CVE-2006-5453: Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.22.1, and 2.23.x before 2.23.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) page headers using the H1, H2, and H3 HTML tags in global/header.html.tmpl, (2) description fields of certain items in various edit cgi scripts, and (3) the id parameter in showdependencygraph.cgi.

Please mention the CVE ids in the changelog.
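The three weakness classes in the report above (a state-changing CGI that accepts forged cross-site requests, an access check skipped on one view path, and user-controlled description fields written into HTML unescaped) are easiest to recognise in small models. The following Python is an added illustration written for this thread, not Bugzilla's code and not a reconstruction of the upstream patches; the handler names, the in-memory session store, the group-based attachment check and the sample values are all constructed for the example. Each vulnerable form sits beside a hardened one so that the difference is the check being reviewed.

```python
# Added illustration, not Bugzilla's own code: minimal models of the CSRF,
# information-leak and XSS patterns named in the report, each beside a
# hardened form. All names and stores below are constructed for the example.
import hmac
import html
import secrets

# session id -> CSRF token (constructed in-memory store)
SESSION_TOKENS = {}


def issue_csrf_token(session_id):
    """Mint a per-session secret that a forged cross-site request cannot know."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def csrf_token_valid(session_id, submitted):
    """Constant-time comparison; a missing session or token is a failure."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_edit_version_vulnerable(session_id, method, params):
    """Acts on any request, so a crafted URL visited by a logged-in user suffices."""
    return (200, "version %s updated" % params.get("version"))


def handle_edit_version_hardened(session_id, method, params):
    """State changes need POST plus a valid token bound to the caller's session."""
    if method != "POST":
        return (405, "state change requires POST")
    if not csrf_token_valid(session_id, params.get("token")):
        return (403, "missing or invalid token")
    return (200, "version %s updated" % params.get("version"))


def can_view_attachment(attachment, viewer_groups):
    """Unrestricted attachments are public; otherwise the viewer needs a restricting group."""
    return not attachment["groups"] or bool(attachment["groups"] & viewer_groups)


def attachment_description_vulnerable(attachment, viewer_groups, mode):
    """Applies the access check only on the normal view; the diff view skips it."""
    if mode != "diff" and not can_view_attachment(attachment, viewer_groups):
        return None
    return attachment["description"]


def attachment_description_hardened(attachment, viewer_groups, mode):
    """Same access check on every view path, whatever the mode."""
    if not can_view_attachment(attachment, viewer_groups):
        return None
    return attachment["description"]


def render_description_vulnerable(description):
    """Interpolates a user-controlled field into HTML unescaped."""
    return "<td>%s</td>" % description


def render_description_hardened(description):
    """Escapes the field so markup in it is shown as text, not interpreted."""
    return "<td>%s</td>" % html.escape(description, quote=True)


if __name__ == "__main__":
    tok = issue_csrf_token("sess-1")
    print(handle_edit_version_vulnerable("sess-1", "GET", {"version": "1.0"}))
    print(handle_edit_version_hardened("sess-1", "GET", {"version": "1.0"}))
    print(handle_edit_version_hardened("sess-1", "POST", {"version": "1.0", "token": tok}))
    secret = {"description": "internal notes", "groups": {"insiders"}}  # constructed
    print(attachment_description_vulnerable(secret, set(), "diff"))
    print(attachment_description_hardened(secret, set(), "diff"))
    print(render_description_hardened("<b>bold</b> \"quoted\""))
```

The point to take from the attachment model is that the check lives in one helper called from every view path; the bug class arises when each path re-implements (or forgets) it. For the CSRF model, rejecting non-POST requests alone is not enough, since a forged form can POST; the session-bound token is what the cross-site page cannot supply.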