Vulnerability Details
=====================
Class: Cross-Site Request Forgery
Versions: 4.0.2 to 4.0.4, 4.1.1 to 4.2rc2
Fixed In: 4.0.5, 4.2
Description: Due to a lack of validation of the enctype form
attribute when making POST requests to xmlrpc.cgi,
a possible CSRF vulnerability was discovered. If a user
visits an HTML page with some malicious HTML code in it,
an attacker could make changes to a remote Bugzilla installation
on behalf of the victim's account by using the XML-RPC API
on a site running mod_perl. Sites running under mod_cgi
are not affected. Also the user would have had to be
already logged in to the target site for the vulnerability
to work.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=725663
CVE Number: CVE-2012-0453
Approved by: skv (implicit)
- CVE-2011-3657
- CVE-2011-3667
Summary
=======
The following security issues have been discovered in Bugzilla:
* When viewing tabular or graphical reports as well as new charts,
an XSS vulnerability is possible in debug mode.
* The User.offer_account_by_email WebService method lets you create
a new user account even if the active authentication method forbids
users to create an account.
* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
lead to the creation of unwanted bug reports and attachments.
All affected installations are encouraged to upgrade as soon as possible.
Full Release Notes:
http://www.bugzilla.org/security/3.4.12/
Approved by: skv@ (explicit)
- use DIST_SUBDIR for bugzilla and all translations
- sort pkg-plist (genplist)
OK from bugzilla maintainers per PM.
PR: ports/158766
Submitted by: ohauer
- order pkg-plist so it match autmated tools like genplist
- add missing empty directories (used by checksetup.pl) [1]
commit with hat apache@
PR: [1] ports/154295
Submitted by: me
- Use WWWDIR instead of some other custom locations [2]
- Add Makefile.common which Makefiles in devel/bugzilla, russian/bugzilla-ru
and japanese/bugzilla include to use WWWDIR in common [2]
Changes: http://www.bugzilla.org/releases/3.6.3/release-notes.html [1]
Security: http://www.bugzilla.org/security/3.2.8/ [1]
PR: ports/151912 [1], [2]
Submitted by: ohauer [1], tota (myself) [2]
Approved by: skv
- Remove ja-bugzilla-2.* from CONFLICT entries of devel/bugzilla,
devel/bugzilla2 and russian/bugzilla-ru [2]
- Change MAINTAINER address from tota@rtfm.jp to tota@FreeBSD.org
[1] This port has been updated from the bugzilla Japanized patch to
bugzilla Japanese language pack installation, both of which are
maintained differently.
* Japanized patch is not actively maintained anymore.
* More sophisticated language pack framework has been introduced since
Bugzilla 3.0.
[2] This port no longer conflicts with those ports due to the new language
pack framework.
Approved by: maho (mentor)
- Remove mail/p5-Email-MIME-Modifier, it has been folded into mail/p5-Email-MIME
- Remove mail/p5-Email-Simple-Creator, it has been folded into mail/p5-Email-Simple
- Adjust dependencies
Reported by: pointyhat
With hat: portmgr
