Nom du paquet
bugzilla
Date
2013-11-26
Advisory ID
MDVSA-2013:285
Affected versions
MBS1 x86_64

Problem description

Multiple vulnerabilities was found and corrected in bugzilla:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi
in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the
authentication of arbitrary users for requests that modify bugs via
vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in
Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before
4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to
hijack the authentication of arbitrary users for requests that commit
an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in
editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11;
4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow
remote attackers to inject arbitrary web script or HTML via the (1)
id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi
in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before
4.4.1 allow remote attackers to inject arbitrary web script or HTML
via a field value that is not properly handled during construction
of a tabular report, as demonstrated by the (1) summary or (2) real
name field. NOTE: this issue exists because of an incomplete fix
for CVE-2012-4189 (CVE-2013-1743).

The updated packages have been upgraded to the 4.2.7 version which
is not affected by these issues.

Updated packages

MBS1 x86_64

 9a1a55ee22eeeac4627983498b7f595c  mbs1/x86_64/bugzilla-4.2.7-1.mbs1.noarch.rpm
 0a3fa051b8bc513811ffc89bfd7aff22  mbs1/x86_64/bugzilla-contrib-4.2.7-1.mbs1.noarch.rpm 
 56ca09432b832fad00398056f148e3cc  mbs1/SRPMS/bugzilla-4.2.7-1.mbs1.src.rpm

References