FreeBSD : bugzilla -- multiple vulnerabilities (6e33f4ab-efed-11d9-8310-0001020eed82)

medium Nessus Plugin ID 18976

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

A Bugzilla Security Advisory reports :

Any user can change any flag on any bug, even if they don't have access to that bug, or even if they can't normally make bug changes.
This also allows them to expose the summary of a bug.

Bugs are inserted into the database before they are marked as private, in Bugzilla code. Thus, MySQL replication can lag in between the time that the bug is inserted and when it is marked as private (usually less than a second). If replication lags at this point, the bug summary will be accessible to all users until replication catches up.
Also, on a very slow machine, there may be a pause longer than a second that allows users to see the title of the newly-filed bug.

Solution

Update the affected packages.

See Also

https://www.bugzilla.org/security/2.18.1/

https://bugzilla.mozilla.org/show_bug.cgi?id=292544

https://bugzilla.mozilla.org/show_bug.cgi?id=293159

http://www.nessus.org/u?36b5fec1

Plugin Details

Severity: Medium

ID: 18976

File Name: freebsd_pkg_6e33f4abefed11d983100001020eed82.nasl

Version: 1.19

Type: local

Published: 7/13/2005

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:bugzilla, p-cpe:/a:freebsd:freebsd:ja-bugzilla, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 7/8/2005

Vulnerability Publication Date: 7/7/2005

Reference Information

CVE: CVE-2005-2173, CVE-2005-2174