Bugzilla closes security holes
The developers have released new versions of the Bugzilla open-source software, a widely used system to manage bug reports and their processing status. They have published an advisory to explain which vulnerabilities have been remedied in the new versions.
Arguments that are passed to the mail software by a Email::Send::Sendmail()-call are not checked sufficiently, allowing attackers to inject shell commands. Bugzilla also does not properly escape the buildid parameter when filing bugs with the so-called guided form; this could be exploited for cross-site scripting attacks. Time-tracking fields such as deadlines or estimated time can be viewed by anyone through the Bugzilla WebService (XML-RPC) even if this person is not authorised to view these fields.
These vulnerabilities affect versions prior to the current patched versions 2.20.5, 2.22.3, 3.01 and the developer version 3.1.1. The Bugzilla team advises users to update to the new versions immediately.
- 2.20.4, 2.22.2, and 3.0 Security Advisory, advisory of the Bugzilla developers
- Download of the current Bugzilla version