CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : bugzilla
SUMMARY : Cross site scripting and temporary file vulnerabilities
DATE : 2003-05-21 17:04:00
ID : CLA-2003:653
RELEVANT RELEASES : 9
DESCRIPTION
Bugzilla[1] is a bug tracking system used by many software
projects.
This update fixes the following problems with the bugzilla
package shipped with Conectiva Linux 9:
- New dependencies
The bugzilla package provided via this update has the following
new dependencies:
- perl-doc[3];
- perl-timedate >= 1.14: bugzilla needs a newer version[4] of
the perl-timedate package than the one shipped with Conectiva Linux
9.
- Cross site scripting vulnerabilities[2]
Cross site scripting vulnerabilities have been found in the
template system and in the dependency graphs which show dependency
relationships between bugs (the graphs are not enabled by default).
These have been fixed in bugzilla 2.16.3.
- Temporary file vulnerability[2]
Several scripts create temporary files with predictable names and
without exclusive-create semantics. A local attacker who can write
to the temporary directory could plant a symlink at such a name and
thereby overwrite or alter files on the system with the privileges
of the “www” user. This vulnerability has also been fixed in
bugzilla 2.16.3.
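The symlink attack described above, as an added example that is not part of this advisory or of the Bugzilla code base (Bugzilla's scripts are Perl, where the equivalent fix is File::Temp; the pattern is shown here in Python so it can be run as-is). The file names bugzilla.tmp and victim.conf, and the scratch directory, are constructed for the demonstration and do not correspond to the specific scripts the advisory refers to:

```python
import os
import stat
import tempfile


def write_insecure(path, data):
    """Vulnerable pattern: a fixed, predictable temp name opened with plain
    open(). open() follows symlinks and truncates, so whatever the path
    points to is overwritten with the caller's privileges."""
    with open(path, "w") as f:
        f.write(data)


def write_exclusive(path, data):
    """Hardened: O_CREAT|O_EXCL makes the kernel refuse if anything at all,
    a pre-planted symlink included, already sits at the path. Returns True
    on success, False if the name was taken (treat as a possible attack)."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def write_mkstemp(directory, data):
    """Preferred form: tempfile.mkstemp picks an unpredictable name and
    creates it with O_EXCL and mode 0600 in one step (Perl's File::Temp
    does the same). Returns the path it created."""
    fd, path = tempfile.mkstemp(prefix="bugzilla-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_demo():
    """Play a local attacker against each pattern inside a fresh scratch
    directory. Returns (victim contents after the insecure write,
    whether the exclusive write went through, mode of the mkstemp file)."""
    directory = tempfile.mkdtemp()
    # Constructed target: stands in for a file only the "www" user can
    # write (here everything runs as one user, which is enough to show
    # the mechanism).
    victim = os.path.join(directory, "victim.conf")
    with open(victim, "w") as f:
        f.write("original\n")
    # Attacker, who can write to the shared temp dir, pre-plants a symlink
    # at the name the script is known to use, before the script runs.
    planted = os.path.join(directory, "bugzilla.tmp")
    os.symlink(victim, planted)

    write_insecure(planted, "attacker controlled\n")  # follows the link
    with open(victim) as f:
        clobbered = f.read()

    excl_ok = write_exclusive(planted, "must not land\n")
    safe_path = write_mkstemp(directory, "ok\n")
    mode = stat.S_IMODE(os.stat(safe_path).st_mode)
    return clobbered, excl_ok, mode


if __name__ == "__main__":
    # Prints ('attacker controlled\n', False, 384): the insecure write
    # clobbered victim.conf, the O_EXCL write refused, mkstemp gave 0600.
    print(run_demo())
```

The second return value is the check a practitioner should add when a fixed name cannot be avoided: if the exclusive create fails, do not fall back to opening the existing path, since that is exactly the attacker's planted link.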
SOLUTION
It is recommended that all bugzilla users upgrade their
packages.
IMPORTANT: after the upgrade, please run the following bugzilla
script:
/srv/www/default/html/bugzilla/checksetup.pl
This script will make all necessary adjustments for this upgrade
as well as alert about possible problems.
NOTE: since this update introduces two new dependencies to the
bugzilla package (perl-doc and perl-timedate >= 1.14), we
recommend the following command to install the new versions of
these packages:
apt-get install bugzilla
“apt-get upgrade” never installs packages that are not already
present, so if perl-doc or perl-timedate >= 1.14 are not installed
it will hold bugzilla back rather than upgrade it.
REFERENCES
- http://www.bugzilla.org/
- http://www.bugzilla.org/security/2.16.2/
- http://bugzilla.conectiva.com.br/show_bug.cgi?id=8338
- http://bugzilla.mozilla.org/show_bug.cgi?id=200472
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/9/SRPMS/bugzilla-2.16.3-29154U90_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/perl-timedate-1.14-27918U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/bugzilla-2.16.3-29154U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/bugzilla-doc-2.16.3-29154U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-timedate-1.14-27918U90_3cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade
examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com