XSS Error in Bugzilla Removed
The developers of the free Bugzilla bug management system have fixed several bugs including a vulnerability that enabled cross site scripting attacks.
In the current security advisory for the Bugzilla bug management system the developers report that three vulnerabilities have been closed. One bug let attackers trick users into visiting a rogque website if the user viewed bugs in the "Format for Printing", or extended view. For more information on the cross site scripting vulnerability read security report 425665.
An error in the XML-RPC interface gave arbitrary users the ability to create new bug reports with "NEW" or "ASSIGNED" status. Normally users require "canconfirm" privileges for this. The developers classified the third bug as less critical. It gave users the ability to use fake names. A lack of authentication in the "email_in.pl" module gave users the ability to manipulate the FROM header.
The bugs affected Bugzilla prior to version 3.0.4, 3.1.4, 2.22.4 and 2.20.6. Patches and how-tos on fixing the bugs are available on bugzilla.org/download. You can also download a full release from the same site.
Issue 14: Raspberry Pi Handbook/Special Editions
Tag Cloud
News
-
SCO Rises from the Swamp
Longtime litigator revives an ancient suit against IBM alleging Linux infringes on Unix copyrights.
-
UberStudent Project Releases UberStudent 3.0
Specialty distro keeps the focus on advanced learning.
-
openSUSE Conference Approaches
The openSUSE Conference will be held July 18-22, 2013, at the Olympic Museum in Thessaloniki, Greece.
-
Drupal.org Hacked
Security breached at home sites of the CMS project.
-
Oracle Takes Action on Java Security
Lead Java developer vows policy changes and more attention to fixing problems.
-
Google and NASA Partner in Quantum Computing Project
Vendor D-Wave scores big with a sale to NASA's Quantum Intelligence Lab.
-
Mageia Project Announces Mageia 3 Linux
Many package updates and Steam integration highlight the latest from the Mandriva-based community Linux.
-
FSF Outs the World Wide Web Consortium over DRM Proposal
Richard Stallman calls for the W3C to remain independent of vendor interests.
-
Debian 7.0 Debuts
The new release supports nine architectures, 73 human languages, and zero non-Free components.
-
Alpha Version of Fedora 19 Released
Fedora developers release the first alpha version of Fedora 19, known as Schrödinger’s Cat, for general testing. The final release is expected in July 2013.