[PATCH] security fixed version - bugzill 2.16.7

Dmitry A Grigorovich odip at bionet.nsc.ru
Tue Oct 26 08:52:14 PDT 2004


>Submitter-Id:	current-users
>Originator:	Dmitry A Grigorovich
>Organization:	ICiG
>Confidential:	no 
>Synopsis:	[PATCH] security fixed version - bugzill 2.16.7
>Severity:	critical
>Priority:	high
>Category:	ports
>Class:		update
>Release:	FreeBSD 4.8-RELEASE-p4 i386
>Environment:
System: FreeBSD hydra.bionet.nsc.ru 4.8-RELEASE-p4 FreeBSD 4.8-RELEASE-p4 #4: Sat Oct 4 02:33:02 NOVST 2003 root at hydra.bionet.nsc.ru:/usr/obj/usr/src/sys/ODIP i386
>Description:

See http://www.bugzilla.org/security/2.16.6/

Class:       Unauthorized Bug Change
Versions:    2.9 through 2.18rc2 and 2.19
Description: It is possible to send a carefully crafted HTTP POST
             message to process_bug.cgi which will remove keywords from
             a bug even if you don't have permissions to edit all bug
             fields (the "editbugs" permission).  Such changes are
             reported in "bug changed" email notifications, so they are
             easily detected and reversed if someone abuses it.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=252638

>How-To-Repeat:

See http://www.bugzilla.org/security/2.16.6/

>Fix:

Apply patch
Reinstall bugzilla

diff -ur bugzilla.old/Makefile bugzilla/Makefile
--- bugzilla.old/Makefile       Fri Jul 23 13:41:02 2004
+++ bugzilla/Makefile   Tue Oct 26 22:37:48 2004
@@ -6,7 +6,7 @@
 #

 PORTNAME?=     bugzilla
-PORTVERSION?=  2.16.6
+PORTVERSION?=  2.16.7
 CATEGORIES?=   devel
 MASTER_SITES=  ${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=    webtools webtools/archived
diff -ur bugzilla.old/distinfo bugzilla/distinfo
--- bugzilla.old/distinfo       Fri Jul 23 13:41:02 2004
+++ bugzilla/distinfo   Tue Oct 26 22:37:56 2004
@@ -1,2 +1,2 @@
-MD5 (bugzilla-2.16.6.tar.gz) = 5b694df8739be175f0358507f844b71d
-SIZE (bugzilla-2.16.6.tar.gz) = 1365080
+MD5 (bugzilla-2.16.7.tar.gz) = ee4c92bfd940521cc68ea91917f9f0dd
+SIZE (bugzilla-2.16.7.tar.gz) = 1368799



More information about the freebsd-ports mailing list