- Update to 2.16.7, a security release:

Class: Unauthorized Bug Change Versions: 2.9 through 2.18rc2 and 2.19 Description: It is possible to send a carefully crafted HTTP POST message to process_bug.cgi which will remove keywords from a bug even if you don't have permissions to edit all bug fields (the "editbugs" permission). Such changes are reported in "bug changed" email notifications, so they are easily detected and reversed if someone abuses it. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=252638 - Correct SQL command in pkg-message PR: ports/71161, ports/73166 Submitted by: Dmitry A Grigorovich <odip@bionet.nsc.ru>
author: Pav Lucistnik <pav@FreeBSD.org> 2004-10-27 19:23:53 +0000
committer: Pav Lucistnik <pav@FreeBSD.org> 2004-10-27 19:23:53 +0000
commit: a6b9ddac1dc97f1f02a8001a5dda77fb63ada322 (patch)
tree: 208693d7ca4fd415b907daa1f1891fddadc5842c /devel/bugzilla/pkg-message
parent: - Update to 20041017 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/devel/bugzilla/pkg-message b/devel/bugzilla/pkg-message
index da839144465a..0474ba8f11ec 100644
--- a/devel/bugzilla/pkg-message
+++ b/devel/bugzilla/pkg-message
@@ -4,8 +4,9 @@
   1. Create database user who has rights on bugs database manipulation
      by following mysql commands:
 
-     GRANT SELECT,INSERT,UPDATE,DELETE,INDEX, ALTER,CREATE,DROP,REFERENCES \
-           ON <database>.* TO <dbuser>@<host> IDENTIFIED BY '<password>'; 
+     GRANT SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE,DROP,REFERENCES,\
+	   LOCK TABLES ON <database>.* TO <dbuser>@<host> \
+	   IDENTIFIED BY '<password>';
      FLUSH PRIVILEGES;
 
      where <database> is a bugs database name; <dbuser> is a bugs database
author	Pav Lucistnik <pav@FreeBSD.org>	2004-10-27 19:23:53 +0000
committer	Pav Lucistnik <pav@FreeBSD.org>	2004-10-27 19:23:53 +0000
commit	a6b9ddac1dc97f1f02a8001a5dda77fb63ada322 (patch)
tree	208693d7ca4fd415b907daa1f1891fddadc5842c /devel/bugzilla/pkg-message
parent	- Update to 20041017 (diff)