2.17.5 Security Advisory

November 9th, 2003
Summary
=======

Bugzilla is a Web-based bug-tracking system, currently used by a large
number of software projects.

This advisory covers a security bug which was accidently introduced in
development version 2.17.5 and subsequently fixed in the Bugzilla code
involving unprivileged access to restricted data.

All Bugzilla installations who have upgraded to the 2.17.5 development
snapshot are encouraged to obtain version 2.17.6 or apply the relevant
patch.

The current stable version of Bugzilla is 2.16.4, and is not affected
by this advisory.


Vulnerability Details
=====================

Class:       Information leak
Versions:    2.17.5 is the only version affected.
Description: A new feature was introduced in version 2.17.5 which allows
             remote websites to build tooltips and other dynamically
             generated data using current bug information retrieved from
             Bugzilla.  A security lapse in the initial implementation
             of this feature allows the remote site to obtain that
             information from Bugzilla using the privileges of the
             client user.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=195530


Vulnerability Solutions
=======================

The fix for the security bug mentioned in this advisory is included in
the 2.17.6 release.  Upgrading to this release will protect
installations from this issue.  As stated above, this only affects
Bugzilla 2.17.5, and does not affect the stable version 2.16.4.

Full release downloads of Bugzilla 2.17.6 and CVS upgrade instructions
can be found at:
  http://www.bugzilla.org/download.html

A specific patch for this issue can be found on the corresponding bug
report, at the URL given in the reference for the issue in the
Vulnerability Details section above.


Credits
=======

The Bugzilla team wish to thank Jesse Ruderman for discovering this and
Gervase Markham (who also introduced it) for fixing it promptly.


General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.

-30-