Message-ID: <Pine.GSO.4.51.0902091206050.25237@faron.mitre.org>
Date: Mon, 9 Feb 2009 12:06:42 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE requests: Bugzilla

======================================================
Name: CVE-2008-6098
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6098
Reference: CONFIRM:http://www.bugzilla.org/security/2.20.6/
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=449931

Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve."

======================================================
Name: CVE-2009-0481
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0481
Reference: CONFIRM:http://www.bugzilla.org/security/2.22.6/

Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers.

======================================================
Name: CVE-2009-0482
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0482
Reference: CONFIRM:http://www.bugzilla.org/security/2.22.6/

Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi.

======================================================
Name: CVE-2009-0483
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0483
Reference: CONFIRM:http://www.bugzilla.org/security/2.22.6/
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=466692
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=472362

Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi.

======================================================
Name: CVE-2009-0484
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0484
Reference: CONFIRM:http://www.bugzilla.org/security/2.22.6/
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=466748

Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete shared or saved searches via a link or IMG tag to buglist.cgi.

======================================================
Name: CVE-2009-0485
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0485
Reference: CONFIRM:http://www.bugzilla.org/security/2.22.6/
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=466692

Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi.

======================================================
Name: CVE-2009-0486
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0486
Reference: CONFIRM:http://www.bugzilla.org/security/3.0.7/

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.
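The seeding problem described for CVE-2009-0486, as an added illustration that is not Bugzilla's code: a PRNG seeded once in the parent process and inherited by forked workers hands out the same token from every worker, while reseeding in each child from OS entropy does not. Python's random module stands in for Perl's srand/rand, fork() is modelled as a copy of the parent's PRNG state (the assumption being that the Apache children differ only by that inherited state), and the token format is a constructed one.

```python
import secrets
from random import Random

TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_token(rng, length=10):
    """Draw a token from a given PRNG instance (constructed format, not Bugzilla's)."""
    return "".join(rng.choice(TOKEN_ALPHABET) for _ in range(length))


def fork_workers(parent_rng, n_workers):
    """Model fork(): each worker starts with an exact copy of the parent's memory,
    PRNG state included. The copy is done here with getstate()/setstate()."""
    inherited_state = parent_rng.getstate()
    workers = []
    for _ in range(n_workers):
        worker = Random()
        worker.setstate(inherited_state)
        workers.append(worker)
    return workers


def tokens_seed_once_in_parent(startup_seed, n_workers):
    """Vulnerable pattern: srand() runs once at server startup, before forking,
    so every worker continues the same sequence and issues the same token."""
    parent = Random(startup_seed)
    return [make_token(w) for w in fork_workers(parent, n_workers)]


def tokens_reseed_per_worker(startup_seed, n_workers):
    """Fixed pattern: each worker reseeds itself after the fork from the OS
    entropy source, discarding the inherited state."""
    parent = Random(startup_seed)
    tokens = []
    for worker in fork_workers(parent, n_workers):
        worker.seed(secrets.randbits(128))  # the per-child srand() call
        tokens.append(make_token(worker))
    return tokens


def workers_collide(tokens):
    """Detection check: True when any two workers produced an identical token."""
    return len(set(tokens)) < len(tokens)


if __name__ == "__main__":
    bad = tokens_seed_once_in_parent(startup_seed=20090209, n_workers=4)
    good = tokens_reseed_per_worker(startup_seed=20090209, n_workers=4)
    print("seed once, then fork :", bad, "collision:", workers_collide(bad))
    print("reseed in each child :", good, "collision:", workers_collide(good))
```

The same check applies to any process-per-request or pre-fork server: comparing the first token issued by each worker after a restart is a cheap way to confirm that reseeding actually happens in the child.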