4.2, 4.0.5, and 3.6.8 Security Advisory
Wednesday, Apr 18th, 2012Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * When abusing the X-FORWARDED-FOR header, an attacker could bypass the lockout policy allowing a possible brute-force discovery of a valid user password. * An attacker can get access to some bug information using the victim's credentials using a specially crafted HTML page. All affected installations are encouraged to upgrade as soon as possible. Vulnerability Details ===================== Class: Unauthorized Access Affected: 3.5.3 to 3.6.8, 3.7.1 to 4.0.5, 4.1.1 to 4.2 Fixed In: 3.6.9, 4.0.6, 4.2.1 Description: Due to a lack of proper validation of the X-FORWARDED-FOR header of an authentication request, an attacker could bypass the current lockout policy used for protection against brute- force password discovery. This vulnerability can only be exploited if the 'inbound_proxies' parameter is set. References: https://bugzilla.mozilla.org/show_bug.cgi?id=728639 CVE Number: CVE-2012-0465 Class: Cross Site Scripting Affected: 2.17.4 to 3.6.8, 3.7.1 to 4.0.5, 4.1.1 to 4.2 Fixed In: 3.6.9, 4.0.6, 4.2.1 Description: A JavaScript template used by buglist.cgi could be used by a malicious script to permit an attacker to gain access to some information about bugs he would not normally be allowed to see, using the victim's credentials. To be exploitable, the victim must be logged in when visiting the attacker's malicious page. References: https://bugzilla.mozilla.org/show_bug.cgi?id=745397 CVE Number: CVE-2012-0466 Vulnerability Solutions ======================= The fix for these issues is included in the releases. Upgrading to a release with the relevant fix will protect your installation from possible exploits of these issues. If you are unable to upgrade but would like to patch just the security vulnerability, there are patches available for the issues at the "References" URL. Full release downloads, patches to upgrade Bugzilla from previous versions, and git upgrade instructions are available at: https://www.bugzilla.org/download/ Credits ======= The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix this issue: Issue 1 Reporter: Soroush Dalili Issue 1 Fixed by: Frédéric Buclin, Byron Jones Issue 2 Reporter: Frédéric Buclin Issue 2 Fixed by: Frédéric Buclin, Byron Jones General information about the Bugzilla bug-tracking system can be found at: https://www.bugzilla.org/ Comments and follow-ups can be directed to the support-bugzilla mailing list. https://www.bugzilla.org/support/ has directions for accessing this forum.