Bugzilla developers remedy vulnerabilities
Versions 2.20.4, 2.22.2, and 2.23.4 of the bug tracking system Bugzilla, have been released. According to an advisory, with this update the developers have remedied two critical vulnerabilities that may have allowed for cross-site scripting (XSS) by means of manipulated database entries and the disclosure of the password for the database.
The XSS hole concerns the Atom feeds in Bugzilla 2.20.1 and later versions, which may pass on JavaScript code contained in the database entries to the feed reader. This code may then be executed in readers that support JavaScript, possibly allowing attackers to gain access to sensitive user data.
The flaw in the handling of the database password exclusively concerns version 2.23.2 of Bugzilla, provided it is running with Apache module mod_perl. A missing entry in a block of the Apache configuration renders the .htaccess file, designed to prevent unauthorized access through the Web server, ineffective. Attackers may then be able to remotely read out the file containing database access data.
The Bugzilla developers say that versions 2.18.x do not contain the two vulnerabilities. However, administrators of more recent versions should switch to the remedied version of their software as quickly as possible.
See also:
- 2.20.3, 2.22.1, and 2.23.3 Security Advisory, information from the developers of Bugzilla
(trk)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
