freebsd-ports/russian/bugzilla-ru
Olli Hauer 5e7bd302a1 - update to 4.0.5
Vulnerability Details
=====================

Class:       Cross-Site Request Forgery
Versions:    4.0.2 to 4.0.4, 4.1.1 to 4.2rc2
Fixed In:    4.0.5, 4.2
Description: Due to a lack of validation of the enctype form
             attribute when making POST requests to xmlrpc.cgi,
             a possible CSRF vulnerability was discovered. If a user
             visits an HTML page with some malicious HTML code in it,
             an attacker could make changes to a remote Bugzilla installation
             on behalf of the victim's account by using the XML-RPC API
             on a site running mod_perl. Sites running under mod_cgi
             are not affected. Also the user would have had to be
             already logged in to the target site for the vulnerability
             to work.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=725663
CVE Number:  CVE-2012-0453

Approved by:	skv (implicit)
2012-04-10 05:15:47 +00:00
..
distinfo - update to 4.0.5 2012-04-10 05:15:47 +00:00
Makefile - update to 4.0.5 2012-04-10 05:15:47 +00:00
pkg-descr
pkg-message
pkg-plist - update to 4.0.5 2012-04-10 05:15:47 +00:00