Security Advisory for Bugzilla 3.0.1 and 3.1.1

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Summary

Bugzilla is a Web-based bug-tracking system, used by a large number of software projects.

This advisory covers a critical security issue that has recently been fixed in the Bugzilla code:

• Even with account creation disabled, users can use the WebService to create an account.

We strongly advise that 2.23.x and 3.0.x users upgrade to 3.0.2 immediately. Users of CVS HEAD or 3.1.1 should upgrade to 3.1.2 immediately. This is critical if you have a "requirelogin" installation and also have the WebService enabled.

Vulnerability Details

Class: Unauthorized Access
Versions: 2.23.3 and above.
Description: Bugzilla::WebService::User::offer_account_by_email does

             not check the "createemailregexp" parameter, and thus
             allows users to create accounts who would normally be
             denied account creation.
             The "emailregexp" parameter is still checked.
             If you do not have the SOAP::Lite Perl module installed on
             your Bugzilla system, your system is not vulnerable
             (because the Bugzilla WebService will not be enabled).

Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=395632

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Vulnerability Solutions

The fix for the security bug mentioned in this advisory is included in the 3.0.2 and 3.1.2 releases. Upgrading to these releases will protect installations from possible exploits of this issue.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/

If you are unable to upgrade, you should IMMEDIATELY apply the appropriate patch for your version:

2.23.x & 3.0.x: https://bugzilla.mozilla.org/attachment.cgi?id=280385

         3.1.x: https://bugzilla.mozilla.org/attachment.cgi?id=280316

Credits

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix this issue:

Sascha Jensen
Frédéric Buclin
Max Kanat-Alexander
Marc Schumann

General information about the Bugzilla bug-tracking system can be found at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.

• -Max Kanat-Alexander Release Manager, Bugzilla Project
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG8aCnaL2D/aEJPK4RAmvIAKDV/8QLPzBh3FIquCISug1SScQIQwCg568R sDrDqfbLXfcjA/MQ+rTdPLM=
=CH0G
-----END PGP SIGNATURE-----
Received on Thu Sep 20 11:08:53 2007