OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Dave Miller (bugdude1syndicomm.com)
Date: Sat Jan 05 2002 - 17:45:29 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    All users of Bugzilla, the bug-tracking system from mozilla.org, who are
    using a version of Bugzilla installed from a downloaded tarball or package
    file are strongly recommended to update to version 2.14.1.

    All users of Bugzilla who are currently using version 2.15 checked out of
    cvs prior to 15 December 2001 are strongly recommended to use 'cvs update'
    to obtain the current cvs code.

    Bugzilla 2.14.1 is a security update; patches from a number of
    security-related bugs which have already been applied to the working source
    version 2.15 in cvs, have been applied to Bugzilla 2.14 to create the new
    stable release 2.14.1, which fixes several security issues discovered since
    version 2.14 was released, which we believe are too serious to wait for our
    upcoming 2.16 release.

    There are many patches that need to be applied to properly close these
    holes, so they are not included here. If you will not be upgrading your
    system and instead wish to apply these patches to your existing
    system, a single patch which can be applied to a Bugzilla 2.14 installation
    is available at http://www.bugzilla.org/bugzilla2.14to2.14.1.patch

    Complete bug reports for all bugs can be obtained by visiting the
    following URL: http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX
    where you replace the XXXXX at the end of the URL with a bug number as
    listed below. You may also enter the bug numbers in the "enter a bug#" box
    on the main page at http://bugzilla.mozilla.org/ or in the footer of any
    other page on bugzilla.mozilla.org.

    *** SECURITY ISSUES RESOLVED ***

    - Multiple instances of user-account hijacking capability were fixed (Bugs
    54901, 108385, 185516)

    - Two occurrences of allowing data protected by Bugzilla's groupset
    restrictions to be visible to users outside of those groups were fixes
    (Bugs 102141, 108821)

    - One instance of an untrusted variable being echoed back to a user via
    HTML was fixed (Bug 98146)

    - Multiple instances of untrusted variables being passed to SQL queries
    were fixed (Bugs 108812, 108822, 109679, 109690)

    More detailed summaries of the specific exploits are available in the
    release notes, which are available on the project web site.

    General information about the Bugzilla bug-tracking system can be found at
    http://www.bugzilla.org/

    Comments and follow-ups can be directed to the
    netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
    list (see http://www.mozilla.org/community.html for directions how to
    access these forums).

    -- 
    Dave Miller
    Lead Software Engineer/System Administrator, Syndicomm Online
    http://www.syndicomm.com/              bugdude1syndicomm.com