| author | ohauer <ohauer@FreeBSD.org> | 2012-11-15 03:29:42 +0800 |
|---|---|---|
| committer | ohauer <ohauer@FreeBSD.org> | 2012-11-15 03:29:42 +0800 |
| commit | fdc64894ac247ac30705d466c0b1c7bb2bbd520f (patch) | |
| tree | 9f6b263595c30290936791868c337fb512c0b644 | |
| parent | 12e096a1e4435b5f3aa9199ee1528e486de01dec (diff) | |
- bugzilla security updates to version(s)
3.6.11, 4.0.8, 4.2.4
Summary
=======
The following security issues have been discovered in Bugzilla:
* Confidential product and component names can be disclosed to
unauthorized users if they are used to control the visibility of
a custom field.
* When calling the 'User.get' WebService method with a 'groups'
argument, it is possible to check if the given group names exist
or not.
* Due to incorrectly filtered field values in tabular reports, it is
possible to inject code which can lead to XSS.
* When trying to mark an attachment in a bug you cannot see as
obsolete, the description of the attachment is disclosed in the
error message.
* A vulnerability in swfstore.swf from YUI2 can lead to XSS.
Feature safe: yes
Security: CVE-2012-4199
https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE-2012-4198
https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE-2012-4189
https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE-2012-4197
https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE-2012-5475
https://bugzilla.mozilla.org/show_bug.cgi?id=808845
http://yuilibrary.com/support/20121030-vulnerability/
-rw-r--r-- | devel/bugzilla/Makefile | 2
-rw-r--r-- | devel/bugzilla/distinfo | 4
-rw-r--r-- | devel/bugzilla3/Makefile | 2
-rw-r--r-- | devel/bugzilla3/distinfo | 4
-rw-r--r-- | devel/bugzilla42/Makefile | 2
-rw-r--r-- | devel/bugzilla42/distinfo | 4
-rw-r--r-- | security/vuxml/vuln.xml | 57

7 files changed, 66 insertions, 9 deletions
diff --git a/devel/bugzilla/Makefile b/devel/bugzilla/Makefile index 8ba49f1d3095..509e5c40579c 100644 --- a/devel/bugzilla/Makefile +++ b/devel/bugzilla/Makefile @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= bugzilla -PORTVERSION= 4.0.8 +PORTVERSION= 4.0.9 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= webtools webtools/archived diff --git a/devel/bugzilla/distinfo b/devel/bugzilla/distinfo index 7a9b873bcfba..1de7f3984149 100644 --- a/devel/bugzilla/distinfo +++ b/devel/bugzilla/distinfo @@ -1,2 +1,2 @@ -SHA256 (bugzilla/bugzilla-4.0.8.tar.gz) = 0d44ab29863ffe6ef7637f078c31e52805f1b2ff0ff4f5c39a0d7daebe326b0c -SIZE (bugzilla/bugzilla-4.0.8.tar.gz) = 2801982 +SHA256 (bugzilla/bugzilla-4.0.9.tar.gz) = af79b2f2b39f428e19122707d1334db5e447742ca6098f74803c35277117e394 +SIZE (bugzilla/bugzilla-4.0.9.tar.gz) = 2803607 diff --git a/devel/bugzilla3/Makefile b/devel/bugzilla3/Makefile index 58e8b4fccea9..007b17057d96 100644 --- a/devel/bugzilla3/Makefile +++ b/devel/bugzilla3/Makefile @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= bugzilla -PORTVERSION= 3.6.11 +PORTVERSION= 3.6.12 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= webtools webtools/archived diff --git a/devel/bugzilla3/distinfo b/devel/bugzilla3/distinfo index 1b8ee555c2af..ae276a77af25 100644 --- a/devel/bugzilla3/distinfo +++ b/devel/bugzilla3/distinfo @@ -1,2 +1,2 @@ -SHA256 (bugzilla/bugzilla-3.6.11.tar.gz) = 01b99ec5b1e6efc9d0a0352ebe2ea6e8b8c7471a3f4dd80c3b99b5be575c4585 -SIZE (bugzilla/bugzilla-3.6.11.tar.gz) = 2509551 +SHA256 (bugzilla/bugzilla-3.6.12.tar.gz) = 1b3ebd08545b0093cd64a6f2e6c1310c7e85e691c83bd79c10960329f1bdca77 +SIZE (bugzilla/bugzilla-3.6.12.tar.gz) = 2509580 diff --git a/devel/bugzilla42/Makefile b/devel/bugzilla42/Makefile index 4e845b908f54..69a7b6db5f63 100644 --- a/devel/bugzilla42/Makefile +++ b/devel/bugzilla42/Makefile 
@@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= bugzilla -PORTVERSION= 4.2.3 +PORTVERSION= 4.2.4 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= webtools webtools/archived diff --git a/devel/bugzilla42/distinfo b/devel/bugzilla42/distinfo index 71380ba82091..0e3200562660 100644 --- a/devel/bugzilla42/distinfo +++ b/devel/bugzilla42/distinfo @@ -1,2 +1,2 @@ -SHA256 (bugzilla/bugzilla-4.2.3.tar.gz) = 712d645c5b2b081e42b2a364c26edf8a8a0048f463a426ac38cc482d31b11fb3 -SIZE (bugzilla/bugzilla-4.2.3.tar.gz) = 2977764 +SHA256 (bugzilla/bugzilla-4.2.4.tar.gz) = bede0cf893ad8ac99715614af0cf4624bc0e8552852f51290f546006105ce695 +SIZE (bugzilla/bugzilla-4.2.4.tar.gz) = 2976363 diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 508242d058f5..23e8d515d82d 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -51,6 +51,63 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="2b841f88-2e8d-11e2-ad21-20cf30e32f6d"> + <topic>bugzilla -- multiple vulnerabilities</topic> + <affects> + <package> + <name>bugzilla</name> + <range><ge>3.6.0</ge><lt>3.6.12</lt></range> + <range><ge>4.0.0</ge><lt>4.0.9</lt></range> + <range><ge>4.2.0</ge><lt>4.2.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>A Bugzilla Security Advisory reports:</h1> + <blockquote cite="http://www.bugzilla.org/security/3.6.11/"> + <p>The following security issues have been discovered in + Bugzilla:</p> + <h1>Information Leak</h1> + <p>If the visibility of a custom field is controlled by a product + or a component of a product you cannot see, their names are + disclosed in the JavaScript code generated for this custom field + despite they should remain confidential.</p> + <p>Calling the User.get method with a 'groups' argument leaks the + existence of the groups depending on whether an error is thrown + or not. This method now also throws an error if the user calling + this method does not belong to these groups (independently of + whether the groups exist or not).</p> + <p>Trying to mark an attachment in a bug you cannot see as obsolete + discloses its description in the error message. 
The description + of the attachment is now removed from the error message.</p> + <h1>Cross-Site Scripting</h1> + <p>Due to incorrectly filtered field values in tabular reports, + it is possible to inject code leading to XSS.</p> + <p>A vulnerability in swfstore.swf from YUI2 allows JavaScript + injection exploits to be created against domains that host this + affected YUI .swf file.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2012-4199</cvename> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=731178</url> + <cvename>CVE-2012-4198</cvename> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=781850</url> + <cvename>CVE-2012-4197</cvename> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=802204</url> + <cvename>CVE-2012-4189</cvename> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=790296</url> + <cvename>CVE-2012-5475</cvename> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=808845</url> + <url>http://yuilibrary.com/support/20121030-vulnerability/</url> + </references> + <dates> + <discovery>2012-11-13</discovery> + <entry>2012-11-14</entry> + </dates> + </vuln> + <vuln vid="79818ef9-2d10-11e2-9160-00262d5ed8ee"> <topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic> <affects> |
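Review bot: the commit message does not match the Makefile hunks: it announces "security updates to version(s) 3.6.11, 4.0.8, 4.2.4", but the devel/bugzilla/Makefile hunk bumps PORTVERSION from 4.0.8 to 4.0.9 and the devel/bugzilla3/Makefile hunk bumps it from 3.6.11 to 3.6.12, so two of the three listed numbers are the vulnerable versions being replaced, not the fixed ones. The vuln.xml hunk gets it right (`<lt>3.6.12</lt>`, `<lt>4.0.9</lt>`, `<lt>4.2.4</lt>`); the subject line should read 3.6.12, 4.0.9, 4.2.4 so that anyone reading the log sees the versions that actually contain the fixes.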
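Review bot: in the security/vuxml/vuln.xml hunk the upstream advisory appears only as the `cite` attribute of the blockquote (`<blockquote cite="http://www.bugzilla.org/security/3.6.11/">`), which most VuXML renderers do not display, while the `<references>` block lists the five CVEs, the individual bugzilla.mozilla.org bugs and the YUI advisory but not the Bugzilla advisory itself. Add `<url>http://www.bugzilla.org/security/3.6.11/</url>` to `<references>` so the document that the quoted text is taken from is reachable from the entry.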