87425 2003-01-02 22:36 /94 rader/ David Miller <justdave@syndicomm.com>
Importerad: 2003-01-02 22:36 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: announce@bugzilla.org
Extern mottagare: mozilla-webtools@mozilla.org
Mottagare: Bugtraq (import) <2922>
Ärende: [BUGZILLA] Security Advisory - remote database password disclosure
------------------------------------------------------------
Bugzilla Security Advisory
January 2nd, 2002
Severity: major (remote database password disclosure, bug 186383)
minor (local file permissions, bug 183188)
Summary
=======
All Bugzilla installations are advised to upgrade to the latest
versions of Bugzilla, 2.14.5 and 2.16.2, both released
today. Security issues of varying importance have been fixed in both
branches. These vulnerabilities affect all previous 2.14 and 2.16
releases.
Development snapshots prior to version 2.17.3 are also affected, so
if you are using a development snapshot, you should obtain a newer
one or use CVS to update.
2.14.x users are additionally encouraged to upgrade to 2.16.2 as soon
as possible, as this is the last 2.14.x release and the 2.14 branch
will no longer be supported by the Bugzilla team.
This advisory covers two security bugs: one involves incorrect local
permissions on a directory, allowing local users access. The other
involves protecting configuration information leaks due to backup
files created by editors.
Vulnerability Details
=====================
The following security issues were fixed in 2.14.5, 2.16.2, and
2.17.3:
- The provided data collection script intended to be run as a nightly cron
job changes the permissions of the data/mining directory to be world-
writable every time it runs. This would enable local users to alter or
delete the collected data. (Bugzilla bug 183188 / Bugtraq ID 6502).
- The default .htaccess scripts provided by checksetup.pl do not block
access to backups of the localconfig file that might be created by
editors such as vi or emacs (typically these will have a .swp or ~
suffix). This allows an end user to download one of the backup copies
and potentially obtain your database password. If you already have such
an editor backup in your bugzilla directory it would be advisable to
change your database password in addition to upgrading.
In addition, we also continue to recommend hardening access to the
Bugzilla database user account by limiting access to the account to
the machine Bugzilla is served from (typically localhost); consult
the MySQL documentation for more information on how to accomplish
this. (Bugzilla bug 186383 / Bugtraq ID 6501)
Also included in these releases are the patches that were posted as
part of our earlier security advisory on November 26th, 2002.
(Bugzilla bug 179329, Bugtraq ID 6257 - see
http://online.securityfocus.com/archive/1/301316 )
Vulnerability Solutions
=======================
The fixes for both security bugs contained in this release, as well
as the previously announced security bug involving cross-site
scripting vulnerabilities are contained in the 2.14.5, 2.16.2, and
2.17.3 releases. Upgrading to these releases will protect
installations against exploitations of these security bugs.
Individual patches to upgrade Bugzilla are available at:
http://ftp.mozilla.org/pub/webtools/
(these patches are only valid for 2.14.4 and 2.16.1 users).
Full release downloads and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html
References
==========
Complete bug reports for the security bugs covered herein may be obtained
at:
http://bugzilla.mozilla.org/show_bug.cgi?id=183188
http://bugzilla.mozilla.org/show_bug.cgi?id=186383
General information about the Bugzilla bug-tracking system can be found at
http://www.bugzilla.org/
Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.mozilla.org/community.html has directions
for accessing these forums.
-30-
--
Dave Miller Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/
(87425) /David Miller <justdave@syndicomm.com>/(Ombruten)