2.14.4, 2.16.1 Security Advisory
Thursday, Jan 2nd, 20032.14.4, 2.16.1 Security Advisory
January 2nd, 2003Severity: major (remote database password disclosure, bug 186383) minor (local file permissions, bug 183188) Summary ======= All Bugzilla installations are advised to upgrade to the latest versions of Bugzilla, 2.14.5 and 2.16.2, both released today. Security issues of varying importance have been fixed in both branches. These vulnerabilities affect all previous 2.14 and 2.16 releases. Development snapshots prior to version 2.17.3 are also affected, so if you are using a development snapshot, you should obtain a newer one or use CVS to update. 2.14.x users are additionally encouraged to upgrade to 2.16.2 as soon as possible, as this is the last 2.14.x release and the 2.14 branch will no longer be supported by the Bugzilla team. This advisory covers two security bugs: one involves incorrect local permissions on a directory, allowing local users access. The other involves protecting configuration information leaks due to backup files created by editors. Vulnerability Details ===================== The following security issues were fixed in 2.14.5, 2.16.2, and 2.17.3: - The provided data collection script intended to be run as a nightly cron job changes the permissions of the data/mining directory to be world- writable every time it runs. This would enable local users to alter or delete the collected data. (Bugzilla bug 183188 / Bugtraq ID 6502). - The default .htaccess scripts provided by checksetup.pl do not block access to backups of the localconfig file that might be created by editors such as vi or emacs (typically these will have a .swp or ~ suffix). This allows an end user to download one of the backup copies and potentially obtain your database password. If you already have such an editor backup in your bugzilla directory it would be advisable to change your database password in addition to upgrading. In addition, we also continue to recommend hardening access to the Bugzilla database user account by limiting access to the account to the machine Bugzilla is served from (typically localhost); consult the MySQL documentation for more information on how to accomplish this. (Bugzilla bug 186383 / Bugtraq ID 6501) Also included in these releases are the patches that were posted as part of our earlier security advisory on November 26th, 2002. (Bugzilla bug 179329, Bugtraq ID 6257 - see http://online.securityfocus.com/archive/1/301316 ) Vulnerability Solutions ======================= The fixes for both security bugs contained in this release, as well as the previously announced security bug involving cross-site scripting vulnerabilities are contained in the 2.14.5, 2.16.2, and 2.17.3 releases. Upgrading to these releases will protect installations against exploitation of these security bugs. Individual patches to upgrade Bugzilla are available at: https://ftp.mozilla.org/pub/webtools/ (these patches are only valid for 2.14.4 and 2.16.1 users). Full release downloads and CVS upgrade instructions are available at: https://www.bugzilla.org/download.html References ========== Complete bug reports for the security bugs covered herein may be obtained at: https://bugzilla.mozilla.org/show_bug.cgi?id=183188 https://bugzilla.mozilla.org/show_bug.cgi?id=186383 General information about the Bugzilla bug-tracking system can be found at https://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; https://www.mozilla.org/community.html has directions for accessing these forums. -30-