From: Michael L. <inc...@my...> - 2002-10-02 13:30:30
Kelledin,

We may be running Bugzilla, but is anyone using Bugzilla...just like me asking for IOS to be put up on CVS; Enrico has uploaded an installer program to his site on inceptionos.org but no one has committed anything to CVS. :(

Michael

On Tue, 1 Oct 2002 14:21:00 -0500, "Kelledin" <kel...@sk...> said:
> Thought I'd pass this on, since we're running bugzilla ourselves
> on inceptionos.org. ;)
>
> ---------- Forwarded Message ----------
>
> Subject: [BUGZILLA] Security Advisory
> Date: Tue, 1 Oct 2002 12:50:46 -0400
> From: David Miller <jus...@sy...>
> To: bu...@se..., ann...@bu...,
> moz...@mo...
>
> Bugzilla Security Advisory
>
> October 1st, 2002
>
> All Bugzilla installations are advised to upgrade to the latest
> versions of Bugzilla, 2.14.4 and 2.16.1, both released today.
> Security issues of varying importance have been fixed in both.
> These vulnerabilities affect all previous 2.14 and 2.16
> releases.
>
> 2.14.x users are additionally encouraged to upgrade to 2.16.1 as
> soon as possible, as the 2.14 branch will no longer be
> maintained by the Bugzilla team beyond the end of this year.
>
> Individual patches to upgrade Bugzilla are available at
> http://ftp.mozilla.org/pub/webtools/
> (however these patches are only valid for 2.14.3 and 2.16
> users).
>
> Full release downloads and CVS upgrade instructions are
> available at http://www.bugzilla.org/download.html
>
> Complete bug reports for all the following bugs may be obtained
> at http://bugzilla.mozilla.org/
>
> The following security issues were fixed in both 2.14.4 and
> 2.16.1:
>
> - Permissions leak when using "usebuggroups" and more than 47
>   groups; permissions are granted to users in higher groups when
>   they shouldn't be. (bug 167485; comment 12 has additional
>   detection/recovery information)
>   http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12
>
> - bugzilla_email_append.pl calls processmail insecurely; command
>   injection possible.
>   (bug 163024)
>
> The following additional security issue was fixed in 2.16.1:
>
> - Apostrophes are not properly handled during account creation;
>   SQL injection possible.
>   (bug 165221)
>
> General information about the Bugzilla bug-tracking system can
> be found at http://www.bugzilla.org/
>
> Comments and follow-ups can be directed to the
> netscape.public.mozilla.webtools newsgroup or the
> mozilla-webtools mailing list;
> http://www.mozilla.org/community.html has directions for
> accessing these forums.
> --
> Dave Miller Project Leader, Bugzilla Bug Tracking System
> Lead Software Engineer/System Administrator, Syndicomm Online
> http://www.syndicomm.com/ http://www.bugzilla.org/
>
> -------------------------------------------------------
>
> --
> Kelledin
> "If a server crashes in a server farm and no one pings it, does
> it still cost four figures to fix?"

--
Michael Lauzon
Founder & Lead Project Manager
InceptionOS Project
http://www.inceptionos.org/
mi...@in...