[Webapps-common-packages] bugzilla oldstable update for CVE-2009-0481 CVE-2009-0482 CVE-2009-0483 CVE-2009-0484 CVE-2009-0485

Giuseppe Iuculano giuseppe at iuculano.it
Mon Jul 6 13:30:32 UTC 2009


Hi,
the following CVE (Common Vulnerabilities & Exposures) IDs were
published for bugzilla some time ago.

CVE-2009-0481[0]:
| Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and
| 3.3 before 3.3.2 allows remote authenticated users to conduct
| cross-site scripting (XSS) and related attacks by uploading HTML and
| JavaScript attachments that are rendered by web browsers.

CVE-2009-0482[1]:
| Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2
| before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows
| remote attackers to perform bug updating activities as other users via
| a link or IMG tag to process_bug.cgi.

CVE-2009-0483[2]:
| Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22
| before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before
| 3.3.2 allows remote attackers to delete keywords and user preferences
| via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi.

CVE-2009-0484[3]:
| Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before
| 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers
| to delete shared or saved searches via a link or IMG tag to
| buglist.cgi.

CVE-2009-0485[4]:
| Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to
| 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2
| allows remote attackers to delete unused flag types via a link or IMG
| tag to editflagtypes.cgi.


Unfortunately the vulnerabilities described above are not important enough
to get them fixed via a regular security update in Debian oldstable. They do
not warrant a DSA.

However it would be nice if these could get fixed via a regular point update[5].
Please contact the release team for this.

This is an automatically generated mail; in case you are already working on an
upgrade, this is of course pointless.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0481
    http://security-tracker.debian.net/tracker/CVE-2009-0481
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0482
    http://security-tracker.debian.net/tracker/CVE-2009-0482
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0483
    http://security-tracker.debian.net/tracker/CVE-2009-0483
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0484
    http://security-tracker.debian.net/tracker/CVE-2009-0484
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0485
    http://security-tracker.debian.net/tracker/CVE-2009-0485
[5] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
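The four CSRF entries above all describe the same pattern: a Bugzilla CGI accepts a state-changing request (GET or POST) and checks only the login cookie, so a link or IMG tag on any other site makes the victim's browser send that cookie and perform the action. The fix shipped in 3.2.1 and the other listed releases is a per-session token that a foreign page cannot know. The example below is added here as an illustration and is not code from this message or from Bugzilla (which is written in Perl); it is a miniature Python stand-in for process_bug.cgi, run once without and once with a token check, plus a hardened attachment handler for the HTML-attachment XSS vector of CVE-2009-0481. The class and function names (BugTracker, process_bug, serve_attachment, cross_site_fetch), the cookie name, the attacker URL and the header-based attachment mitigation are all assumptions for the demonstration, not a description of Bugzilla's actual patch.

```python
# Added example (not Bugzilla's own code): a toy "process_bug.cgi" in Python,
# shown without and with a per-session CSRF token, plus an attachment handler
# hardened against uploaded HTML being rendered in the tracker's origin.
# All names (BugTracker, process_bug, serve_attachment, ...) are hypothetical.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


class BugTracker:
    """Stand-in for the parts of Bugzilla the advisory touches."""

    def __init__(self, csrf_protected):
        self.csrf_protected = csrf_protected
        self.secret = secrets.token_bytes(32)   # server-side HMAC key, never sent out
        self.sessions = {}                      # login cookie -> user name
        self.bugs = {1: {"status": "NEW"}}      # constructed sample data

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def csrf_token(self, cookie, action):
        # Bound to the session and the action. It is embedded in our own forms,
        # and a foreign page cannot read our HTML, so an IMG/link cannot carry it.
        msg = f"{cookie}:{action}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def process_bug(self, cookies, params):
        """Handle process_bug.cgi?id=..&bug_status=..[&token=..] (GET or POST)."""
        cookie = cookies.get("Bugzilla_login")
        user = self.sessions.get(cookie)
        if user is None:
            return 401, "login required"
        if self.csrf_protected:
            expected = self.csrf_token(cookie, "process_bug")
            # Constant-time compare: the token is a secret, not just a nonce.
            if not hmac.compare_digest(params.get("token", ""), expected):
                return 403, "missing or invalid token"
        bug = self.bugs[int(params["id"])]
        bug["status"] = params["bug_status"]
        return 200, f"bug {params['id']} updated by {user}"

    def serve_attachment(self, name, content_type, data, hardened):
        """Headers a browser gets for an uploaded attachment."""
        headers = {"Content-Type": content_type}
        if hardened:
            # Never let an upload render as a page of our origin: force a
            # download, forbid MIME sniffing, and downgrade HTML to plain text.
            headers["Content-Disposition"] = f'attachment; filename="{name}"'
            headers["X-Content-Type-Options"] = "nosniff"
            if content_type.split(";")[0].strip() == "text/html":
                headers["Content-Type"] = "text/plain; charset=utf-8"
        return headers, data


def cross_site_fetch(tracker, victim_cookies, src_url):
    """What the victim's browser does for <img src="..."> on the attacker's page:
    a GET carrying the victim's cookies and nothing from our own forms."""
    url = urlsplit(src_url)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    if not url.path.endswith("process_bug.cgi"):
        return 404, "not found"
    return tracker.process_bug(victim_cookies, params)


# Constructed attacker URL, as it would appear in an IMG tag on another site.
ATTACK_IMG = ("https://bugzilla.example/process_bug.cgi"
              "?id=1&bug_status=RESOLVED&resolution=INVALID")


def demo(csrf_protected):
    """Return (status of own update, status of forged update, final bug status)."""
    tracker = BugTracker(csrf_protected)
    cookie = tracker.login("alice")
    jar = {"Bugzilla_login": cookie}
    # Alice's own form submission carries the token embedded in the page.
    own = {"id": "1", "bug_status": "ASSIGNED",
           "token": tracker.csrf_token(cookie, "process_bug")}
    legit = tracker.process_bug(jar, own)
    forged = cross_site_fetch(tracker, jar, ATTACK_IMG)
    return legit[0], forged[0], tracker.bugs[1]["status"]


if __name__ == "__main__":
    print("no token check:", demo(False))   # forged request succeeds
    print("with token   :", demo(True))     # forged request rejected
```

Restricting process_bug.cgi to POST would not be enough on its own: an auto-submitting form on the attacker's page sends cookies just as an IMG tag does, which is why the token has to be checked on every state-changing request regardless of method. The same token check applies to editkeywords.cgi, userprefs.cgi, buglist.cgi and editflagtypes.cgi from the other four CVEs.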
