FreeBSD : bugzilla -- information disclosure, denial of service (8cbf4d65-af9a-11df-89b8-00151735203a)
Severity: Medium. Nessus Plugin ID 48427.
Synopsis: The remote FreeBSD host is missing a security-related update.
Description: A Bugzilla Security Advisory reports:
- Remote Information Disclosure : An unprivileged user is normally not allowed to view other users' group membership. But boolean charts let the user use group-based pronouns, indirectly disclosing group membership. This security fix restricts the use of pronouns to groups the user belongs to.
- Notification Bypass : Normally, when a user is impersonated, he receives an email informing him that he is being impersonated, containing the identity of the impersonator. However, it was possible to impersonate a user without this notification being sent.
- Remote Information Disclosure : An error message thrown by the 'Reports' and 'Duplicates' page confirmed the non-existence of products, thus allowing users to guess confidential product names.
(Note that the 'Duplicates' page was not vulnerable in Bugzilla 3.6rc1 and above though.)
- Denial of Service : If a comment contained the phrases 'bug X' or 'attachment X', where X was an integer larger than the maximum 32-bit signed integer size, PostgreSQL would throw an error, and any page containing that comment would not be viewable. On most Bugzillas, any user can enter a comment on any bug, so any user could have used this to deny access to one or all bugs. Bugzillas running on databases other than PostgreSQL are not affected.
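The denial-of-service item above comes down to passing an unbounded integer from user text into a 32-bit integer column. The following is an added illustration, not Bugzilla's own code: it parses 'bug X' / 'attachment X' references from a constructed comment and separates ids that fit PostgreSQL's signed 32-bit range from oversized ones, so the latter can be left as plain text (and logged) instead of reaching the database. The regex and function names are assumptions for this example.

```python
import re

# Largest value PostgreSQL accepts in a 4-byte signed integer column.
INT32_MAX = 2**31 - 1

# Assumed reference syntax: "bug 123" or "attachment 456", case-insensitive.
REF_RE = re.compile(r"\b(bug|attachment)\s+(\d+)\b", re.IGNORECASE)

def split_references(comment):
    """Return (accepted, rejected).

    accepted: (kind, id) pairs whose id fits a signed 32-bit integer and
              can safely be looked up in the database.
    rejected: (kind, id) pairs that exceed INT32_MAX; these are left as
              ordinary text and are worth logging, since a comment full
              of them is the pattern the advisory describes.
    """
    accepted, rejected = [], []
    for match in REF_RE.finditer(comment):
        kind = match.group(1).lower()
        number = int(match.group(2))  # Python ints never overflow here
        if number > INT32_MAX:
            rejected.append((kind, number))
        else:
            accepted.append((kind, number))
    return accepted, rejected

# Constructed sample comment: one normal reference, one at the exact
# 32-bit limit, and one that would make PostgreSQL raise an error.
SAMPLE_COMMENT = (
    "Duplicate of bug 1234; see attachment 99999999999 and bug 2147483647."
)

if __name__ == "__main__":
    ok, bad = split_references(SAMPLE_COMMENT)
    print("lookup:", ok)
    print("left as text:", bad)
```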
Solution: Update the affected package.