bug tracking system
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* When a user creates a new account, Bugzilla doesn't correctly
reject email addresses containing non-ASCII characters, which
could be used to impersonate another user account.
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issue has been discovered
in Bugzilla:
* A CSRF vulnerability in the implementation of the XML-RPC API
when running under mod_perl could be used to make changes to
bugs or execute some admin tasks without the victim's knowledge.
Introduction
============
"Bugzilla is a 'Defect Tracking System' or 'Bug-Tracking System'. Defect
Tracking Systems allow individual or groups of developers to keep track
of outstanding bugs in their product effectively. Most commercial
defect-tracking software vendors charge enormous licensing fees. Despite
being 'free', Bugzilla has many features its expensive counterparts
lack. Consequently, Bugzilla has quickly become a favorite of thousands
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* There is a way to inject both headers and content to users, causing
a serious Cross-Site Scripting vulnerability.
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers three security issues that have recently been
fixed in the Bugzilla code:
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers a critical security issue that has recently been
fixed in the Bugzilla code:
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* When viewing tabular or graphical reports as well as new charts,
an XSS vulnerability is possible in debug mode.
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers three security issues that have recently been
fixed in the Bugzilla code:
* Users without the "canconfirm" privilege could enter a bug as NEW
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl,
generated insufficiently random numbers, resulting in all random
tokens being the same, all CSRF protection being defeated, and the
Kawanishi and Martin Havlat.
. 2009-11-10:
Martin Havlat replies acknowledging reception of the advisory draft,
and tells Core that internal issue #2947 has been created in their bug
tracking system to fix these bugs. He mentions these issues shall be
fixed on release 1.8.5 of TestLink.
. 2009-11-12:
Core replies asking for more information regarding the release date of
TestLink 1.8.5. An account is created by Core in TestLink's internal
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers two security issues that have recently been
fixed in the Bugzilla code:
+ Some files stored on the web server are not correctly protected
Application : FireAnt
version : <= 1.3
Vendor : http://chaozz.nl/software/fireant/
Description :
FireAnt is a Bug Tracking System (BTS) without the fancy bells ‘n whistles. It’s very small (about 30 kb) and easy to install/maintain (no MYSQL needed).
It’s a really straight forward simple BTS, initially made to support the FreeWebshop.org project.
--------------------------------------------------------------------------
Vulnerability:
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* By abusing the X-FORWARDED-FOR header, an attacker could bypass
the lockout policy, allowing a possible brute-force discovery of a
valid user password.
leading to privilege escalation.
Background
==========
Bugzilla is the bug-tracking system from the Mozilla project.
Affected packages
=================
-------------------------------------------------------------------
JFreeChart Project
http://sourceforge.net/projects/jfreechart/
The JFreeChart project was notified of this vulnerability on
November 28th, 2007 via their online bug tracking system. The
vulnerability was fixed on December 6th, 2007 with a commit
to their SVN repository.
4. Solution
Arrangements have been made to ensure that Firebird in the upcoming
Debian 5.0 release will be supportable with regular backported
security bugfixes again.
For more detailed descriptions of the security problems, please refer
to the entries in the Debian Bug Tracking System referenced above and
the following URLs:
http://www.firebirdsql.org/rlsnotes/Firebird-2.0-ReleaseNotes.pdf
http://www.firebirdsql.org/rlsnotes/Firebird-2.0.1-ReleaseNotes.pdf
http://www.firebirdsql.org/rlsnotes/Firebird-2.0.2-ReleaseNotes.pdf
Mantis.
Background
==========
Mantis is a web-based bug tracking system.
Affected packages
=================
-------------------------------------------------------------------
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-017
Application: Flyspray (web-based bug tracking system)
Versions Affected: 0.9.9.4
Vendor URL: http://www.flyspray.org
Bugs: SiXSS, Stored XSS, Brute Force
Exploits: YES
Reported: 08.02.2008
Date 20080520
I. BACKGROUND
From the Mantis web site: "Mantis is a free popular web-based
bug tracking system. It is written in the PHP scripting language and
works with MySQL, MS SQL, and PostgreSQL databases and a webserver."
II. DESCRIPTION
Multiple vulnerabilities exist in Mantis software (XSS, CSRF, Remote
Sample code demonstrating this issue is available at
http://www.mochimedia.com/~matthew/flashcrash/.
On 2008.09.22, I submitted this issue to Adobe's JIRA bug tracking
system, which recorded it as issue #FP-677. On 2008.09.23, the ticket
was changed to private for security reasons, and Adobe told me they
were able to reproduce the issue and were investigating it. On
2008.09.26, I told Adobe I planned on submitting this issue to BugTraq
and asked if they had found any workarounds for users that I could
include. On 2008.10.01, they told me they had resolved the problem
Bugzilla is prone to multiple medium-severity vulnerabilities.
Background
==========
Bugzilla is a bug tracking system from the Mozilla project.
Affected packages
=================
-------------------------------------------------------------------
for Quicktime.
01/06/2009 : Asked for an update and whether the DoS condition has been fixed
02/06/2009 : Apple states that
"According to our bug tracking system the null-dereference crasher
issue is not yet addressed in QuickTime. We are investigating
now to see if for some reason the latest version has picked up
changes that address this issue and will send you feedback
today about it."
Debian bug : 547132
CVE Id : CVE-2009-3165
Max Kanat-Alexander, Bradley Baetz, and Frédéric Buclin discovered an SQL
injection vulnerability in the Bug.create WebService function in Bugzilla, a
web-based bug tracking system, which allows remote attackers to execute
arbitrary SQL commands.
For the stable distribution (lenny), this problem has been fixed in version
3.0.4.1-2+lenny2.
Problem type : local
Debian-specific: yes
Debian Bug : 425010
It was discovered that the Debian Mantis package, a web-based bug
tracking system, installed the database credentials in a file with
world-readable permissions on the local filesystem. This allows
local users to acquire the credentials used to control the Mantis
database.
This updated package corrects this problem for new installations and