Security Updates for Bugzilla
The developers of the Bugzilla bug tracking system have released new versions that should correct several problems. The issues are essentialy related to Cross-Site Request Forgery (CSRF) and Cross-site scripting vulnerabilities (XSS). These could allow an attacker to execute certain actions in the bug database as if they were another user. These issues can be exploited through use of a maliciously crafted attached document, which the targetted user would have to view.
The updates to version 2.22.7, 3.0.7, 3.2.1 and 3.3.2 should actually fix the problems and, as an extra benefit, introduce additional CSRF protection. By default, a new parameter "allow_attachment_display" is set to off. When enabled, administrators can specify an alternate serve domain for attachments. Another issue was that some Bugzilla sites used mod_perl in combination with Bugzilla, to run with Apache's web server. In this configuration, URL tokens were predictable and therefore the CSRF-protection cancelled out; this issue is fixed in versions 3.2.2, 3.0.8 and 3.3.3.
- 3.2, 3.0.6, 2.22.6, and 3.3.1 Security Advisory, report by Bugzilla.
- 3.2.1, 3.0.7, and 3.3.2 Security Advisory, report by Bugzilla.