Bugzilla developers remedy vulnerabilities
Versions 2.20.4, 2.22.2, and 2.23.4 of the bug tracking system Bugzilla have been released. According to an advisory, this update remedies two critical vulnerabilities: one could allow cross-site scripting (XSS) through manipulated database entries, the other could disclose the password for the database.
The flaw in the handling of the database password concerns only version 2.23.2 of Bugzilla, and only when it runs under the Apache module mod_perl. A missing entry in a block of the Apache configuration renders the .htaccess file ineffective; that file is meant to stop the Web server from serving files that must not be reachable from outside. Attackers could then remotely read the file containing the database credentials.
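The mechanism described above depends on Apache's AllowOverride directive: an .htaccess file is only honoured if the enclosing &lt;Directory&gt; block permits overrides of the relevant category. The following checker is an added example, not code from Bugzilla or Apache, and it assumes that the "missing entry" in the advisory is exactly such an AllowOverride line, that the shipped .htaccess uses host-access directives (Order/Allow/Deny, which fall under the `Limit` override category), and that the document root `/var/www/bugzilla` and the configuration fragments are constructed placeholders. It parses a set of &lt;Directory&gt; blocks, applies Apache's rule that the innermost block setting AllowOverride wins, and reports whether the .htaccess protection is actually in force; the weak and corrected fragments are shown side by side.

```python
"""Check whether Apache lets an .htaccess file under the Bugzilla docroot take effect.

Added example, not Bugzilla's or Apache's own code. Assumptions: the missing
configuration entry is an AllowOverride directive; the .htaccess relies on
Order/Allow/Deny (override category "Limit"); paths and config text below are
constructed placeholders, not taken from a real installation.
"""
import re

# Override categories under which .htaccess may carry host-access directives.
# "All" switches on every category; "Limit" covers Order/Allow/Deny.
ACCESS_CONTROL_OVERRIDES = {"all", "limit"}

DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>',
    re.IGNORECASE | re.DOTALL,
)
COMMENT_RE = re.compile(r"^\s*#.*$", re.MULTILINE)
ALLOW_OVERRIDE_RE = re.compile(
    r"^\s*AllowOverride\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)


def parse_directory_blocks(config_text):
    """Map each (non-nested) <Directory> path to the lower-cased words after its
    AllowOverride line, or to None when the block sets no AllowOverride at all."""
    blocks = {}
    for path, body in DIRECTORY_RE.findall(config_text):
        body = COMMENT_RE.sub("", body)  # ignore commented-out directives
        match = ALLOW_OVERRIDE_RE.search(body)
        key = path.rstrip("/") or "/"
        blocks[key] = match.group(1).lower().split() if match else None
    return blocks


def _covers(block_path, directory):
    """True if block_path is `directory` itself or one of its ancestors."""
    return directory == block_path or directory.startswith(block_path.rstrip("/") + "/")


def effective_allow_override(config_text, directory, server_default=("none",)):
    """Return the AllowOverride words Apache applies to `directory`.

    Apache does not merge AllowOverride: the innermost (longest-path) matching
    <Directory> block that sets it replaces any outer setting. When no block
    sets it, the server default applies; "None" is Apache's default since
    2.3.9, while 2.2 and earlier defaulted to "All" (pass that as server_default
    when checking an old server).
    """
    applicable = [
        (len(path), words)
        for path, words in parse_directory_blocks(config_text).items()
        if words is not None and _covers(path, directory)
    ]
    if not applicable:
        return list(server_default)
    return max(applicable, key=lambda item: item[0])[1]


def htaccess_can_shield_file(config_text, docroot, server_default=("none",)):
    """True when an .htaccess using Order/Deny under `docroot` is honoured, i.e.
    the credentials file it guards really is withheld by the web server."""
    words = effective_allow_override(config_text, docroot, server_default)
    return bool(ACCESS_CONTROL_OVERRIDES & set(words))


# Constructed configuration fragments (placeholders, not from a real server).
BUGZILLA_DOCROOT = "/var/www/bugzilla"

# Weak: the block never sets AllowOverride, so Apache falls back to its default
# and the .htaccess shipped in the Bugzilla tree is silently ignored.
WEAK_CONFIG = """
<Directory "/var/www/bugzilla">
    Options +ExecCGI +FollowSymLinks
</Directory>
"""

# Corrected: the "Limit" category lets the .htaccess host-access rules apply.
FIXED_CONFIG = """
<Directory "/var/www/bugzilla">
    Options +ExecCGI +FollowSymLinks
    AllowOverride Limit
</Directory>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        state = "protected" if htaccess_can_shield_file(cfg, BUGZILLA_DOCROOT) else "EXPOSED"
        print(f"{name}: .htaccess under {BUGZILLA_DOCROOT} is {state}")
```

The parser handles a flat list of &lt;Directory&gt; blocks, which is enough to show the point; it does not follow Include lines or nested sections, so on a real server run it against the already-merged output of `apachectl -S`-style dumps or the single file that defines the Bugzilla virtual host.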
The Bugzilla developers say that the 2.18.x versions do not contain the two vulnerabilities. Administrators of more recent versions, however, should upgrade to the fixed release of their branch as quickly as possible.
- 2.20.3, 2.22.1, and 2.23.3 Security Advisory, information from the developers of Bugzilla