Advisories ยป MGASA-2014-0412

Updated bugzilla packages fix security vulnerabilities

Publication date: 09 Oct 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-1571 , CVE-2014-1572 , CVE-2014-1573


Updated bugzilla packages fix security vulnerabilities:

If a new comment was marked private to the insider group, and a flag was set
in the same transaction, the comment would be visible to flag recipients
even if they were not in the insider group (CVE-2014-1571).

An attacker creating a new Bugzilla account can override certain parameters
when finalizing the account creation that can lead to the user being created
with a different email address than originally requested. The overridden
login name could be automatically added to groups based on the group's
regular expression setting (CVE-2014-1572).

During an audit of the Bugzilla code base, several places were found where
cross-site scripting exploits could occur which could allow an attacker to
access sensitive information (CVE-2014-1573).