Updated bugzilla packages fix security vulnerabilities
Publication date: 09 Oct 2014Modification date: 09 Oct 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-1571 , CVE-2014-1572 , CVE-2014-1573
Description
Updated bugzilla packages fix security vulnerabilities:
If a new comment was marked private to the insider group, and a flag was set
in the same transaction, the comment would be visible to flag recipients
even if they were not in the insider group (CVE-2014-1571).
An attacker creating a new Bugzilla account can override certain parameters
when finalizing the account creation that can lead to the user being created
with a different email address than originally requested. The overridden
login name could be automatically added to groups based on the group's
regular expression setting (CVE-2014-1572).
During an audit of the Bugzilla code base, several places were found where
cross-site scripting exploits could occur which could allow an attacker to
access sensitive information (CVE-2014-1573).
References
- https://bugs.mageia.org/show_bug.cgi?id=14241
- http://www.bugzilla.org/security/4.0.14/
- http://www.bugzilla.org/releases/4.4.6/release-notes.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1571
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1572
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1573
SRPMS
3/core
- bugzilla-4.4.6-1.mga3
4/core
- bugzilla-4.4.6-1.mga4