Bugzilla Security Advisory October 1st, 2002 All Bugzilla installations are advised to upgrade to the latest versions of Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of varying importance have been fixed in both. These vulnerabilities affect all previous 2.14 and 2.16 releases. 2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as possible, as the 2.14 branch will no longer be maintained by the Bugzilla team beyond the end of this year. Individual patches to upgrade Bugzilla are available at http://ftp.mozilla.org/pub/webtools/ (however these patches are only valid for 2.14.3 and 2.16 users). Full release downloads and CVS upgrade instructions are available at http://www.bugzilla.org/download.html Complete bug reports for all the following bugs may be obtained at http://bugzilla.mozilla.org/ The following security issues were fixed in both 2.14.4 and 2.16.1: - Permissions leak when using "usebuggroups" and more than 47 groups; permissions are granted to users in higher groups when they shouldn't be. (bug 167485; comment 12 has additional detection/recovery information) http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12 - bugzilla_email_append.pl calls processmail insecurely; command injection possible. (bug 163024) The following additional security issue was fixed in 2.16.1: - Apostrophes are not properly handled during account creation; SQL injection possible. (bug 165221) General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.mozilla.org/community.html has directions for accessing these forums. -- Dave Miller Project Leader, Bugzilla Bug Tracking System Lead Software Engineer/System Administrator, Syndicomm Online http://www.syndicomm.com/ http://www.bugzilla.org/
