Document "bugzilla" - information disclosure, denial of service.

author: Sergey Skvortsov <skv@FreeBSD.org> 2010-08-24 16:26:54 +0000
committer: Sergey Skvortsov <skv@FreeBSD.org> 2010-08-24 16:26:54 +0000
commit: 8bb83e14a690be1be398482b5bbfa5de7055c338 (patch)
tree: 351599bb3f667599b4903d9da32859ea0b124b77 /security
parent: Fix build with upcoming KDE 4.5 (diff)
1 files changed, 62 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index dee38cd6efad..18035ac765a1 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -34,6 +34,68 @@ Note:  Please add new entries to the beginning of this file.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="8cbf4d65-af9a-11df-89b8-00151735203a">
+    <topic>bugzilla -- information disclosure, denial of service</topic>
+    <affects>
+      <package>
+	<name>bugzilla</name>
+	<range><gt>2.17.1</gt><lt>3.6.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>A Bugzilla Security Advisory reports:</p>
+	<blockquote cite="http://www.bugzilla.org/security/3.2.7/">
+          <ul>
+	    <li>Remote Information Disclosure:
+              An unprivileged user is normally not allowed to view
+              other users' group membership. But boolean charts
+              let the user use group-based pronouns, indirectly
+              disclosing group membership. This security fix
+              restricts the use of pronouns to groups the user
+              belongs to.</li>
+	    <li>Notification Bypass:
+              Normally, when a user is impersonated, he receives
+              an email informing him that he is being impersonated,
+              containing the identity of the impersonator. However,
+              it was possible to impersonate a user without this
+              notification being sent.</li>
+            <li>Remote Information Disclosure:
+              An error message thrown by the "Reports" and "Duplicates"
+              page confirmed the non-existence of products, thus
+              allowing users to guess confidential product names.
+              (Note that the "Duplicates" page was not vulnerable
+              in Bugzilla 3.6rc1 and above though.)</li>
+            <li>Denial of Service:
+              If a comment contained the phrases "bug X" or
+              "attachment X", where X was an integer larger than the
+              maximum 32-bit signed integer size, PostgreSQL would
+              throw an error, and any page containing that comment would
+              not be viewable. On most Bugzillas, any user can enter
+              a comment on any bug, so any user could have used this to
+              deny access to one or all bugs. Bugzillas running on
+              databases other than PostgreSQL are not affected.</li>
+          </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2010-2756</cvename>
+      <cvename>CVE-2010-2757</cvename>
+      <cvename>CVE-2010-2758</cvename>
+      <cvename>CVE-2010-2759</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=417048</url>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=450013</url>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=577139</url>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=519835</url>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=583690</url>
+    </references>
+    <dates>
+      <discovery>2010-08-05</discovery>
+      <entry>2010-08-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="b6069837-aadc-11df-82df-0015f2db7bde">
     <topic>OpenTTD -- Denial of service (server) via infinite loop</topic>
     <affects>
author	Sergey Skvortsov <skv@FreeBSD.org>	2010-08-24 16:26:54 +0000
committer	Sergey Skvortsov <skv@FreeBSD.org>	2010-08-24 16:26:54 +0000
commit	8bb83e14a690be1be398482b5bbfa5de7055c338 (patch)
tree	351599bb3f667599b4903d9da32859ea0b124b77 /security
parent	Fix build with upcoming KDE 4.5 (diff)