Date: Fri, 11 Oct 2002 01:28:38 -0700 (PDT)
From: Liu Kang <lazykang@hotmai.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/43920: bugzilla should be locked or updated immediately
Message-ID: <200210110828.g9B8ScuM070205@www.freebsd.org>
>Number:         43920
>Category:       ports
>Synopsis:       bugzilla should be locked or updated immediately
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 11 01:30:04 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Liu Kang
>Release:        4.7
>Organization:
Beijing Polytechnic University
>Environment:
FreeBSD ftp.bjpu.edu.cn 4.7-STABLE FreeBSD 4.7-STABLE #13: Thu Oct 10 02:24:10 CST 2002 lazy@ftp.bjpu.edu.cn:/usr/obj/usr/src/sys/FTP i386
>Description:
A page on Bugzilla's home page said:

  The following security issues were fixed in both 2.14.4 and 2.16.1:

  - Permissions leak when using "usebuggroups" and more than 47 groups;
    permissions are granted to users in higher groups when they shouldn't be.
    (bug 167485; comment 12 has additional detection/recovery information)
  - bugzilla_email_append.pl calls processmail insecurely; command injection
    possible. (bug 163024)

The port for FreeBSD is still using 2.14.3. Bugzilla said:

  2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as
  possible, as the 2.14 branch is now a mostly DEAD BRANCH and is slated to be
  no longer maintained by the Bugzilla team by the end of this year.
>How-To-Repeat:
>Fix:
http://www.mozilla.org/projects/bugzilla/download.html
Update the port immediately or just lock it.
>Release-Note:
>Audit-Trail:
>Unformatted:
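The second issue quoted in the report, "calls processmail insecurely; command injection possible", names a vulnerability class rather than the exact code. As an added illustration that is neither Bugzilla's code nor part of the report, the following constructed Perl shows the pattern a reviewer looks for: a mail-append hook that passes an untrusted bug id to a helper program through the shell, beside a hardened version that validates every argument and invokes the program without a shell. The names `processmail_unsafe` and `processmail_safe`, the path `./processmail` and the sample input are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example, not Bugzilla's code: a hook that re-runs a mail
# helper for a bug id and an address taken from an incoming message.
my $PROCESSMAIL = './processmail';   # assumed path; the real location is not on the page

# Vulnerable pattern: the single-string form of system() runs the command
# through /bin/sh, so shell metacharacters in $bug_id or $who (for example
# ';' or backquotes) are interpreted as additional commands.
sub processmail_unsafe {
    my ($bug_id, $who) = @_;
    return system("$PROCESSMAIL $bug_id $who");
}

# Hardened pattern: allowlist each argument, then use the list form of
# system(), which execs the program directly with the arguments as given
# and never involves a shell.
sub processmail_safe {
    my ($bug_id, $who) = @_;
    die "rejected bug id\n"
        unless defined $bug_id && $bug_id =~ /\A[0-9]{1,9}\z/;
    die "rejected address\n"
        unless defined $who && $who =~ /\A[A-Za-z0-9._%+\-]+\@[A-Za-z0-9.\-]+\z/;
    return system($PROCESSMAIL, $bug_id, $who);
}

# Constructed hostile input: a bug id carrying a shell metacharacter.
# The hardened helper refuses it before anything is executed.
my $hostile = '42; id';
eval { processmail_safe($hostile, 'user@example.com') };
print "processmail_safe: $@" if $@;

# A well-formed id passes validation and reaches the helper directly.
processmail_safe('42', 'user@example.com');
```

Running the script under `perl -T` (taint mode) is a useful additional check for code of this shape: Perl refuses to pass tainted data, such as values read from a mail message, to `system` until it has been laundered through a regex capture, which forces the allowlist step to exist.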