2.14.1 Security Advisory

Saturday, Jan 5th, 2002

All users of Bugzilla, the bug-tracking system from mozilla.org, who are
using a version of Bugzilla installed from a downloaded tarball or package
file are strongly recommended to update to version 2.14.1.

All users of Bugzilla who are currently using version 2.15 checked out of
cvs prior to 03 January 2002 are strongly recommended to use 'cvs update'
to obtain the current cvs code.

Bugzilla 2.14.1 is a security update. Patches for a number of
security-related bugs, already applied to the working source version 2.15
in cvs, have been applied to Bugzilla 2.14 to create the new stable release
2.14.1. It fixes several security issues discovered since version 2.14 was
released, which we believe are too serious to wait for our upcoming 2.16
release.

There are many patches that need to be applied to properly close these
holes, so they are not included here.  If you will not be upgrading your
system and instead wish to apply these patches to your existing system, a
single patch which can be applied to a Bugzilla 2.14 installation is
available at https://www.bugzilla.org/bugzilla2.14to2.14.1.patch

Complete bug reports for all bugs can be obtained by visiting the
following URL:  https://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX
where you replace the XXXXX at the end of the URL with a bug number as
listed below.  You may also enter the bug numbers in the "enter a bug#" box
on the main page at https://bugzilla.mozilla.org/ or in the footer of any
other page on bugzilla.mozilla.org.

*** SECURITY ISSUES RESOLVED ***

- Multiple instances of user-account hijacking capability were fixed (Bugs
54901, 108385, 108516)

- Two occurrences of data protected by Bugzilla's groupset restrictions
being visible to users outside of those groups were fixed (Bugs 102141,
108821)

- One instance of an untrusted variable being echoed back to a user via
HTML was fixed (Bug 98146)

- Multiple instances of untrusted variables being passed to SQL queries
were fixed (Bugs 108812, 108822, 109679, 109690)
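The two input-handling defect classes in the list above (an untrusted variable interpolated into a SQL query, and an untrusted variable echoed back inside HTML) are shown here beside their safe forms as an added Perl illustration. This is not Bugzilla's own code and does not reproduce any of the bugs listed; it assumes DBI with DBD::SQLite is installed, and the bugs table, the groupset values and the request parameter are all constructed inline so the script runs offline. The query example also shows why an unvalidated value can defeat a groupset restriction, which is the third issue class above.

```perl
#!/usr/bin/perl
# Added illustration, not Bugzilla's own code. Assumes DBI + DBD::SQLite.
use strict;
use warnings;
use DBI;

# Constructed stand-in for a bugs table: one public bug, one group-restricted bug.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE bugs (bug_id INTEGER, short_desc TEXT, groupset INTEGER)");
$dbh->do("INSERT INTO bugs VALUES (1, 'public bug', 0)");
$dbh->do("INSERT INTO bugs VALUES (2, 'restricted bug', 1)");

# Constructed request parameter, as a CGI script would read it from the
# query string. It is not a bare integer, which is the whole problem.
my $untrusted_id = "1 OR groupset != 0";

# Unsafe: the value is pasted into the statement text, so its words become
# SQL. Because AND binds tighter than OR, the groupset = 0 restriction is
# bypassed and the restricted bug is returned as well.
sub lookup_unsafe {
    my ($id) = @_;
    my $rows = $dbh->selectall_arrayref(
        "SELECT bug_id FROM bugs WHERE groupset = 0 AND bug_id = $id");
    return map { $_->[0] } @$rows;
}

# Safe: validate the shape first, then bind with a placeholder so the driver
# passes the value as data, never as statement text.
sub lookup_safe {
    my ($id) = @_;
    die "invalid bug id\n" unless $id =~ /^\d+$/;
    my $rows = $dbh->selectall_arrayref(
        "SELECT bug_id FROM bugs WHERE groupset = 0 AND bug_id = ?", undef, $id);
    return map { $_->[0] } @$rows;
}

# Safe HTML output: escape the characters that can change markup before a
# request value is echoed back to the browser (e.g. in an error message).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

print "unsafe query returns bugs: ", join(",", lookup_unsafe($untrusted_id)), "\n";

my @safe = eval { lookup_safe($untrusted_id) };
print "safe query: ", (@safe ? join(",", @safe) . "\n" : "rejected: $@");
print "safe query for '1' returns bugs: ", join(",", lookup_safe("1")), "\n";

# Constructed value a user might submit; unescaped it would render as markup.
my $echoed = '<b>not a bug id</b>';
print "unsafe echo: <p>Bug $echoed not found</p>\n";
print "safe echo:   <p>Bug ", html_escape($echoed), " not found</p>\n";
```

Run with `perl script.pl`: the unsafe lookup lists both bug 1 and the restricted bug 2, the safe lookup rejects the malformed id and returns only bug 1 for a well-formed one, and the escaped echo shows the submitted text as literal characters rather than tags. The two defences are independent: the regex check stops bad shapes early, and the placeholder protects even values that pass a looser check.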

More detailed summaries of the specific exploits are available in the
release notes, which are available on the project web site.

General information about the Bugzilla bug-tracking system can be found at
https://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list (see https://www.mozilla.org/community.html for directions on how to
access these forums).