Martin Schulze wrote:
> Not sure if you saw this already. Could you check whether our versions
> in woody, sarge and/or sid are vulnerable and prepare updates?

The following CVE names have been assigned; please mention them in the changelog in sid when you alter the package.

> ----- Forwarded message from [EMAIL PROTECTED] -----
>
> Date: 1 Oct 2005 01:18:45 -0000
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: Security Advisory for Bugzilla 2.18.3, 2.20rc2, and 2.21
> X-Folder: [EMAIL PROTECTED]
>
> Summary
> =======
>
> Bugzilla is a Web-based bug-tracking system, used by a large number of
> software projects.
>
> This advisory covers two security bugs that have recently been
> discovered and fixed in the Bugzilla code:
>
> + config.cgi exposes information to users who aren't logged in, even
>   when "requirelogin" is turned on in Bugzilla. This is CAN-2005-3138.
> + It is possible to bypass the "user visibility groups" restrictions
>   if user-matching is turned on in "substring" mode. This is CAN-2005-3139.

URL: http://marc.theaimsgroup.com/?l=bugtraq&m=112818466125484&w=2

Alex said:
> Sarge has 2.16.7, so it's not vulnerable.
> Etch and Sid have 2.18.3 and then are vulnerable.

Regards,

	Joey

-- 
Ten years and still binary compatible. -- XFree86

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

