Date:      Wed, 14 Nov 2012 19:29:42 +0000 (UTC)
From:      Olli Hauer <ohauer@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r307425 - in head: devel/bugzilla devel/bugzilla3 devel/bugzilla42 security/vuxml
Message-ID:  <201211141929.qAEJThwg036322@svn.freebsd.org>

Author: ohauer
Date: Wed Nov 14 19:29:42 2012
New Revision: 307425
URL: http://svnweb.freebsd.org/changeset/ports/307425

Log:
  - bugzilla security updates to version(s)
    3.6.11, 4.0.8, 4.2.4
  
  Summary
  =======
  
  The following security issues have been discovered in Bugzilla:
  
  * Confidential product and component names can be disclosed to
    unauthorized users if they are used to control the visibility of
    a custom field.
  
  * When calling the 'User.get' WebService method with a 'groups'
    argument, it is possible to check if the given group names exist
    or not.
  
  * Due to incorrectly filtered field values in tabular reports, it is
    possible to inject code which can lead to XSS.
  
  * When trying to mark an attachment in a bug you cannot see as
    obsolete, the description of the attachment is disclosed in the
    error message.
  
  * A vulnerability in swfstore.swf from YUI2 can lead to XSS.
  
  Feature safe: yes
  
  Security:	CVE-2012-4199
  		https://bugzilla.mozilla.org/show_bug.cgi?id=731178
  
  		CVE-2012-4198
  		https://bugzilla.mozilla.org/show_bug.cgi?id=781850
  
  		CVE-2012-4189
  		https://bugzilla.mozilla.org/show_bug.cgi?id=790296
  
  		CVE-2012-4197
  		https://bugzilla.mozilla.org/show_bug.cgi?id=802204
  
  		CVE-2012-5475
  		https://bugzilla.mozilla.org/show_bug.cgi?id=808845
  		http://yuilibrary.com/support/20121030-vulnerability/

Modified:
  head/devel/bugzilla/Makefile
  head/devel/bugzilla/distinfo
  head/devel/bugzilla3/Makefile
  head/devel/bugzilla3/distinfo
  head/devel/bugzilla42/Makefile
  head/devel/bugzilla42/distinfo
  head/security/vuxml/vuln.xml

Modified: head/devel/bugzilla/Makefile
==============================================================================
--- head/devel/bugzilla/Makefile	Wed Nov 14 19:10:45 2012	(r307424)
+++ head/devel/bugzilla/Makefile	Wed Nov 14 19:29:42 2012	(r307425)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	4.0.8
+PORTVERSION=	4.0.9
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived
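Review bot: the PORTVERSION line in this hunk moves devel/bugzilla to 4.0.9, but the commit log above says the ports are updated to "3.6.11, 4.0.8, 4.2.4"; 4.0.8 and 3.6.11 are the releases these hunks move away from (devel/bugzilla3 goes to 3.6.12 below), so the log names two vulnerable versions instead of the fixed ones. Correct the log to `3.6.12, 4.0.9, 4.2.4` so it matches the PORTVERSION bumps and the `<lt>` bounds in the vuln.xml entry.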

Modified: head/devel/bugzilla/distinfo
==============================================================================
--- head/devel/bugzilla/distinfo	Wed Nov 14 19:10:45 2012	(r307424)
+++ head/devel/bugzilla/distinfo	Wed Nov 14 19:29:42 2012	(r307425)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.0.8.tar.gz) = 0d44ab29863ffe6ef7637f078c31e52805f1b2ff0ff4f5c39a0d7daebe326b0c
-SIZE (bugzilla/bugzilla-4.0.8.tar.gz) = 2801982
+SHA256 (bugzilla/bugzilla-4.0.9.tar.gz) = af79b2f2b39f428e19122707d1334db5e447742ca6098f74803c35277117e394
+SIZE (bugzilla/bugzilla-4.0.9.tar.gz) = 2803607
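Review bot: the replaced SHA256 and SIZE values are the only check later builders perform on the fetched bugzilla-4.0.9.tar.gz, so a hash taken from a single `make makesum` run only pins whatever that one download returned; confirm the value against an independent source (a second fetch from another mirror or the checksum published with the release) before committing. The same applies to the bugzilla-3.6.12 and bugzilla-4.2.4 distinfo hunks below.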

Modified: head/devel/bugzilla3/Makefile
==============================================================================
--- head/devel/bugzilla3/Makefile	Wed Nov 14 19:10:45 2012	(r307424)
+++ head/devel/bugzilla3/Makefile	Wed Nov 14 19:29:42 2012	(r307425)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	3.6.11
+PORTVERSION=	3.6.12
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived

Modified: head/devel/bugzilla3/distinfo
==============================================================================
--- head/devel/bugzilla3/distinfo	Wed Nov 14 19:10:45 2012	(r307424)
+++ head/devel/bugzilla3/distinfo	Wed Nov 14 19:29:42 2012	(r307425)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-3.6.11.tar.gz) = 01b99ec5b1e6efc9d0a0352ebe2ea6e8b8c7471a3f4dd80c3b99b5be575c4585
-SIZE (bugzilla/bugzilla-3.6.11.tar.gz) = 2509551
+SHA256 (bugzilla/bugzilla-3.6.12.tar.gz) = 1b3ebd08545b0093cd64a6f2e6c1310c7e85e691c83bd79c10960329f1bdca77
+SIZE (bugzilla/bugzilla-3.6.12.tar.gz) = 2509580

Modified: head/devel/bugzilla42/Makefile
==============================================================================
--- head/devel/bugzilla42/Makefile	Wed Nov 14 19:10:45 2012	(r307424)
+++ head/devel/bugzilla42/Makefile	Wed Nov 14 19:29:42 2012	(r307425)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	4.2.3
+PORTVERSION=	4.2.4
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived

Modified: head/devel/bugzilla42/distinfo
==============================================================================
--- head/devel/bugzilla42/distinfo	Wed Nov 14 19:10:45 2012	(r307424)
+++ head/devel/bugzilla42/distinfo	Wed Nov 14 19:29:42 2012	(r307425)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.2.3.tar.gz) = 712d645c5b2b081e42b2a364c26edf8a8a0048f463a426ac38cc482d31b11fb3
-SIZE (bugzilla/bugzilla-4.2.3.tar.gz) = 2977764
+SHA256 (bugzilla/bugzilla-4.2.4.tar.gz) = bede0cf893ad8ac99715614af0cf4624bc0e8552852f51290f546006105ce695
+SIZE (bugzilla/bugzilla-4.2.4.tar.gz) = 2976363

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Nov 14 19:10:45 2012	(r307424)
+++ head/security/vuxml/vuln.xml	Wed Nov 14 19:29:42 2012	(r307425)
@@ -51,6 +51,63 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="2b841f88-2e8d-11e2-ad21-20cf30e32f6d">
+    <topic>bugzilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>bugzilla</name>
+	<range><ge>3.6.0</ge><lt>3.6.12</lt></range>
+	<range><ge>4.0.0</ge><lt>4.0.9</lt></range>
+	<range><ge>4.2.0</ge><lt>4.2.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>A Bugzilla Security Advisory reports:</h1>
+	<blockquote cite="http://www.bugzilla.org/security/3.6.11/">;
+	  <p>The following security issues have been discovered in
+	     Bugzilla:</p>
+	  <h1>Information Leak</h1>
+	  <p>If the visibility of a custom field is controlled by a product
+	    or a component of a product you cannot see, their names are
+	    disclosed in the JavaScript code generated for this custom field
+	    despite they should remain confidential.</p>
+	  <p>Calling the User.get method with a 'groups' argument leaks the
+	    existence of the groups depending on whether an error is thrown
+	    or not. This method now also throws an error if the user calling
+	    this method does not belong to these groups (independently of
+	    whether the groups exist or not).</p>
+	  <p>Trying to mark an attachment in a bug you cannot see as obsolete
+	    discloses its description in the error message. The description
+	    of the attachment is now removed from the error message.</p>
+	  <h1>Cross-Site Scripting</h1>
+	  <p>Due to incorrectly filtered field values in tabular reports,
+	    it is possible to inject code leading to XSS.</p>
+	  <p>A vulnerability in swfstore.swf from YUI2 allows JavaScript
+	    injection exploits to be created against domains that host this
+	    affected YUI .swf file.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-4199</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=731178</url>;
+      <cvename>CVE-2012-4198</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=781850</url>;
+      <cvename>CVE-2012-4197</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=802204</url>;
+      <cvename>CVE-2012-4189</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=790296</url>;
+      <cvename>CVE-2012-5475</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=808845</url>;
+      <url>http://yuilibrary.com/support/20121030-vulnerability/</url>;
+    </references>
+    <dates>
+      <discovery>2012-11-13</discovery>
+      <entry>2012-11-14</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="79818ef9-2d10-11e2-9160-00262d5ed8ee">
     <topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
     <affects>
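Review bot: the advisory itself, `http://www.bugzilla.org/security/3.6.11/`, is present only as the `cite` attribute of the `<blockquote>`, which readers of `<references>` (pkg audit output, the generated VuXML pages) never see; add it as a `<url>` entry next to the CVE names so the primary source is reachable from the references list. The `<lt>` bounds 3.6.12, 4.0.9 and 4.2.4 do line up with the PORTVERSION values bumped in the three Makefile hunks, and a single `<name>bugzilla</name>` with three ranges is right because all three ports share that PORTNAME.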
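To show how the three `<range>` elements in the vuln.xml entry above are evaluated, here is an added example (not part of this commit, and not pkg-audit's own code) that parses a constructed copy of the entry and reports which entries mark a given bugzilla version as affected. The version ordering is a simplified stand-in for FreeBSD's pkg version comparison (dotted numbers plus optional `_PORTREVISION` and `,PORTEPOCH` suffixes only).

```python
import re
import xml.etree.ElementTree as ET

VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"

# Constructed sample: the <vuln> entry this commit adds, reduced to the
# elements an affected-version check needs.
SAMPLE_VUXML = f"""<vuxml xmlns="{VUXML_NS}">
  <vuln vid="2b841f88-2e8d-11e2-ad21-20cf30e32f6d">
    <topic>bugzilla -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>bugzilla</name>
        <range><ge>3.6.0</ge><lt>3.6.12</lt></range>
        <range><ge>4.0.0</ge><lt>4.0.9</lt></range>
        <range><ge>4.2.0</ge><lt>4.2.4</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

def version_key(ver):
    """Simplified FreeBSD package version ordering (assumption: plain dotted
    numbers, optional _PORTREVISION and ,PORTEPOCH). Epoch wins, then the
    dotted numbers, then the revision."""
    m = re.fullmatch(r"([0-9.]+)(?:_(\d+))?(?:,(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return (int(m.group(3) or 0), nums, int(m.group(2) or 0))

_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
        "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
        "eq": lambda a, b: a == b}

def affected_entries(vuxml_text, pkgname, version):
    """Return the vid of every <vuln> whose package name matches and for
    which at least one <range> has all of its bounds satisfied."""
    root = ET.fromstring(vuxml_text)
    ns = {"v": VUXML_NS}
    key = version_key(version)
    hits = []
    for vuln in root.findall("v:vuln", ns):
        for pkg in vuln.findall("v:affects/v:package", ns):
            if pkgname not in [n.text for n in pkg.findall("v:name", ns)]:
                continue
            for rng in pkg.findall("v:range", ns):
                # bounds inside one <range> are ANDed; ranges are ORed
                if all(_OPS[b.tag.split("}")[1]](key, version_key(b.text))
                       for b in rng):
                    hits.append(vuln.get("vid"))
                    break
    return hits
```

Running `affected_entries(SAMPLE_VUXML, "bugzilla", "4.0.8")` returns the entry's vid, while the three fixed versions (3.6.12, 4.0.9, 4.2.4) return an empty list.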