Advisories » MGASA-2014-0349

Updated bugzilla packages fix a CSRF vulnerability

Publication date: 25 Aug 2014
Modification date: 25 Aug 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-1546

Description

Updated bugzilla packages fix security vulnerabilities:

Adobe does not properly restrict the SWF file format, which allows remote
attackers to conduct cross-site request forgery (CSRF) attacks against
Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via
a crafted OBJECT element with SWF content satisfying the character-set
requirements of a callback API (CVE-2014-1546).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=13840
• https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136217.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1546

SRPMS

3/core

• bugzilla-4.4.5-1.mga3

4/core

• bugzilla-4.4.5-1.mga4