Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/metadata/glsa/glsa-201006-19.xml
diff options
context:
space:
mode:
Diffstat (limited to 'metadata/glsa/glsa-201006-19.xml')
-rw-r--r--metadata/glsa/glsa-201006-19.xml84
1 files changed, 84 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201006-19.xml b/metadata/glsa/glsa-201006-19.xml
new file mode 100644
index 000000000000..06418c9c76c3
--- /dev/null
+++ b/metadata/glsa/glsa-201006-19.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201006-19">
+ <title>Bugzilla: Multiple vulnerabilities</title>
+ <synopsis>
+ Bugzilla is prone to multiple medium severity vulnerabilities.
+ </synopsis>
+ <product type="ebuild">bugzilla</product>
+ <announced>2010-06-04</announced>
+ <revised count="02">2010-06-04</revised>
+ <bug>239564</bug>
+ <bug>258592</bug>
+ <bug>264572</bug>
+ <bug>284824</bug>
+ <bug>303437</bug>
+ <bug>303725</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-apps/bugzilla" auto="yes" arch="*">
+ <unaffected range="ge">3.2.6</unaffected>
+ <vulnerable range="lt">3.2.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>
+ Bugzilla is a bug tracking system from the Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>
+ Multiple vulnerabilities have been reported in Bugzilla. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>
+ A remote attacker might be able to disclose local files, bug
+ information, passwords, and other data under certain circumstances.
+ Furthermore, a remote attacker could conduct SQL injection, Cross-Site
+ Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks via
+ various vectors.
+ </p>
+ </impact>
+ <workaround>
+ <p>
+ There is no known workaround at this time.
+ </p>
+ </workaround>
+ <resolution>
+ <p>
+ All Bugzilla users should upgrade to an unaffected version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-apps/bugzilla-3.2.6"</code>
+ <p>
+ Bugzilla 2.x and 3.0 have reached their end of life. There will be no
+ more security updates. All Bugzilla 2.x and 3.0 users should update to
+ a supported Bugzilla 3.x version.
+ </p>
+ </resolution>
+ <references>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4437">CVE-2008-4437</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6098">CVE-2008-6098</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0481">CVE-2009-0481</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0482">CVE-2009-0482</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0483">CVE-2009-0483</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0484">CVE-2009-0484</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0485">CVE-2009-0485</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0486">CVE-2009-0486</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1213">CVE-2009-1213</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3125">CVE-2009-3125</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3165">CVE-2009-3165</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3166">CVE-2009-3166</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3387">CVE-2009-3387</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3989">CVE-2009-3989</uri>
+ </references>
+ <metadata tag="submitter" timestamp="2009-02-14T18:17:01Z">
+ a3li
+ </metadata>
+ <metadata tag="bugReady" timestamp="2009-10-10T16:01:17Z">
+ jaervosz
+ </metadata>
+</glsa>