author | skv <skv@FreeBSD.org> | 2010-07-05 23:41:26 +0800 |
---|---|---|
committer | skv <skv@FreeBSD.org> | 2010-07-05 23:41:26 +0800 |
commit | d00a0897e123e806ffd83e7691c5a94d9cd39aa7 (patch) | |
tree | fdf4009b96bfbb774b7119155293049425f821a3 /security/vuxml | |
parent | 63e333ead0a672af844dbb0b16b76705f81910e6 (diff) | |
Document "bugzilla" - information disclosure.
Feature safe: yes
Diffstat (limited to 'security/vuxml')
-rw-r--r-- | security/vuxml/vuln.xml | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 4d2f104184c7..821f0b37e3cd 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,49 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="f1331504-8849-11df-89b8-00151735203a"> + <topic>bugzilla -- information disclosure</topic> + <affects> + <package> + <name>bugzilla</name> + <range><gt>2.17.1</gt><lt>3.6.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>A Bugzilla Security Advisory reports:</p> + <blockquote cite="http://www.bugzilla.org/security/3.2.6/"> + <ul> + <li>Normally, information about time-tracking (estimated + hours, actual hours, hours worked, and deadlines) is + restricted to users in the "time-tracking group". + However, any user was able, by crafting their own + search URL, to search for bugs based using those + fields as criteria, thus possibly exposing sensitive + time-tracking information by a user seeing that a bug + matched their search.</li> + <li>If $use_suexec was set to "1" in the localconfig file, + then the localconfig file's permissions were set as + world-readable by checksetup.pl. This allowed any user + with local shell access to see the contents of the file, + including the database password and the site_wide_secret + variable used for CSRF protection.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2010-1204</cvename> + <cvename>CVE-2010-0180</cvename> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=309952</url> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=561797</url> + </references> + <dates> + <discovery>2010-06-24</discovery> + <entry>2010-07-05</entry> + </dates> + </vuln> + <vuln vid="8685d412-8468-11df-8d45-001d7d9eb79a"> <topic>kvirc -- multiple vulnerabilities</topic> <affects> |
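Review bot: the single `<range><gt>2.17.1</gt><lt>3.6.1</lt></range>` in this entry flags every 3.2.x and 3.4.x release as affected, yet the quoted advisory is the one published under `security/3.2.6/`, which suggests the older branches received their own fixed releases; if that advisory names fixed versions for the 3.2 and 3.4 branches, split the `<affects>` block into one `<range>` per branch (upper bound set to the fixed release the advisory names for that branch, plus the existing `<lt>3.6.1</lt>` for 3.6) so a port user who updates within a maintained branch is not reported as vulnerable by `pkg audit`/portaudit. The `cite` attribute on the `<blockquote>` and the two `<url>` references to the Mozilla bug tracker are consistent with the two `<cvename>` entries, and the `<discovery>` date matches the advisory, so the rest of the entry looks correct; placing it at the top of the file also follows the "add new entries to the beginning" note in the context line.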