Bugzilla Security Advisory

October 1st, 2002
All Bugzilla installations are advised to upgrade to the latest versions
of Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of 
varying importance have been fixed in both.  These vulnerabilities affect 
all previous 2.14 and 2.16 releases.

2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as
possible: the 2.14 branch is now effectively dead, and the Bugzilla team
plans to stop maintaining it by the end of this year.

Individual patches to upgrade Bugzilla are available at
 http://ftp.mozilla.org/pub/webtools/
(note that these patches apply only to 2.14.3 and 2.16; users of earlier
releases should use the full release downloads below).

Full release downloads and CVS upgrade instructions are available at
 http://www.bugzilla.org/download.html

Complete bug reports for all the following bugs may be obtained at
http://bugzilla.mozilla.org/

The following security issues were fixed in both 2.14.4 and 2.16.1:

- Permissions leak when using "usebuggroups" and more than 47 groups;
  permissions are granted to users in higher groups when they shouldn't be.
  (bug 167485; comment 12 has additional detection/recovery information)

- bugzilla_email_append.pl invokes processmail insecurely, allowing
  command injection.
  (bug 163024)
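The call pattern behind this class of bug, shown as an added illustration
rather than the actual code of bugzilla_email_append.pl: a mail-gateway script
hands attacker-controlled header values to a helper through a one-argument
system() call, which goes through /bin/sh. The helper name, the sample
message values and the address allowlist below are assumptions made for the
example; /bin/echo stands in for processmail so the script runs anywhere.

```perl
#!/usr/bin/perl -w
# Added illustration, not Bugzilla's own bugzilla_email_append.pl: the
# unsafe-call pattern behind "invokes processmail insecurely", beside the
# corrected form. A mail-gateway script appends a message to a bug and then
# runs an external helper to send notifications; values taken from mail
# headers (here the sender address) are attacker-controlled.
use strict;

# Stand-in for ./processmail so the example runs anywhere: /bin/echo just
# prints the argv it receives, which is exactly what we want to inspect.
my $processmail = '/bin/echo';

# Constructed sample input, as it might arrive in a From: header.
my $bug_id = 42;
my $sender = 'attacker@example.com; echo INJECTED >&2 #';

# Vulnerable: one-argument system() passes the whole string to /bin/sh, so
# the ';' terminates the processmail command and the remainder runs with the
# privileges of whatever user the gateway script runs as.
sub notify_vulnerable {
    my ($id, $from) = @_;
    return system("$processmail $id $from") == 0;
}

# Hardened: reject anything that is not plainly a bug id and an address
# (a deliberately narrow allowlist, assumed for this example), then use
# list-form system(), which execs the helper directly with the given argv
# and never involves a shell.
sub notify_safe {
    my ($id, $from) = @_;
    return "rejected bug id"  unless $id   =~ /^\d+$/;
    return "rejected address" unless $from =~ /^[\w.+-]+\@[\w.-]+$/;
    return system($processmail, $id, $from) == 0 ? "ok" : "helper failed";
}

print "--- vulnerable call ---\n";
notify_vulnerable($bug_id, $sender);       # echo runs, then INJECTED appears on stderr

print "--- list-form call, no validation ---\n";
# Even without validation, list form keeps the metacharacters inside one
# argument; the helper sees them as data, not as a second command.
system($processmail, $bug_id, $sender);

print "--- hardened call ---\n";
print notify_safe($bug_id, $sender), "\n";               # rejected address
print notify_safe($bug_id, 'user@example.com'), "\n";    # ok
```

Run it with `perl` and compare the three sections of output: only the first
one executes the injected `echo INJECTED`. The list form of system() is the
fix that removes the shell from the picture; the allowlist on top of it is
what keeps a hostile address from reaching the helper at all.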

The following additional security issue was fixed in 2.16.1:

- Apostrophes are not properly escaped during account creation, allowing
  SQL injection.
  (bug 165221)
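An added illustration of this bug class, not Bugzilla's own account-creation
code: a login containing an apostrophe is interpolated into an INSERT, next
to the bind-parameter fix. It uses DBI with an in-memory SQLite database
(DBD::SQLite assumed installed); the profiles table below is a constructed
stand-in, not Bugzilla's real schema, and the attacker string is constructed
for the example.

```perl
#!/usr/bin/perl -w
# Added illustration, not Bugzilla's own createaccount code: an account login
# containing an apostrophe interpolated into an INSERT, beside the
# placeholder-based fix. Uses DBI with an in-memory SQLite database
# (DBD::SQLite assumed installed); the table is a constructed stand-in for
# Bugzilla's profiles table, not its real schema.
use strict;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do(<<'SQL');
CREATE TABLE profiles (
    userid     INTEGER PRIMARY KEY,
    login_name TEXT NOT NULL UNIQUE,
    password   TEXT NOT NULL,
    groupset   INTEGER NOT NULL DEFAULT 0
)
SQL

# Constructed attacker input for the "e-mail address" field: the apostrophe
# closes the string literal, the attacker supplies the remaining columns
# (groupset -1, i.e. every group bit set), and '--' comments out the rest of
# the statement the script meant to run.
my $evil_login = q{x@example.com','pw',-1) -- };

# Vulnerable: the login is pasted into the SQL text. The account is created
# with whatever password and groupset the attacker chose.
sub create_vulnerable {
    my ($login, $password) = @_;
    $dbh->do("INSERT INTO profiles (login_name, password, groupset) "
           . "VALUES ('$login', '$password', 0)");
}

# Fixed: bind parameters. The driver sends the login as data, so an
# apostrophe can never change the statement's structure. Escaping with
# $dbh->quote($login) before interpolating is the other correct option.
sub create_safe {
    my ($login, $password) = @_;
    $dbh->do('INSERT INTO profiles (login_name, password, groupset) '
           . 'VALUES (?, ?, 0)', undef, $login, $password);
}

create_vulnerable($evil_login, 'secret');
create_safe($evil_login, 'secret');

# Show what each path stored: the vulnerable path created x@example.com with
# password 'pw' and groupset -1; the safe path stored the whole injection
# string as a harmless literal login with groupset 0.
my $rows = $dbh->selectall_arrayref(
    'SELECT login_name, password, groupset FROM profiles ORDER BY userid');
for my $r (@$rows) {
    printf "login=%-32s password=%-7s groupset=%d\n", @$r;
}
```

Running it prints two rows; the first is the attacker-shaped account the
interpolated INSERT produced. On an existing installation the same idea gives
a cheap check for exploitation attempts: look for login names in the profiles
table that contain an apostrophe or a SQL comment sequence, since a correctly
escaped insert stores such input as a literal that is easy to spot.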

General information about the Bugzilla bug-tracking system can be found at
http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list; http://www.mozilla.org/community.html has directions for accessing
these forums.