Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2014-0412)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.1.10.2014.0412

Kategorie: Mageia Linux Local Security Checks

Titel: Mageia: Security Advisory (MGASA-2014-0412)

Zusammenfassung: The remote host is missing an update for the 'bugzilla' package(s) announced via the MGASA-2014-0412 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'bugzilla' package(s) announced via the MGASA-2014-0412 advisory.

Vulnerability Insight:
Updated bugzilla packages fix security vulnerabilities:

If a new comment was marked private to the insider group, and a flag was set
in the same transaction, the comment would be visible to flag recipients
even if they were not in the insider group (CVE-2014-1571).

An attacker creating a new Bugzilla account can override certain parameters
when finalizing the account creation that can lead to the user being created
with a different email address than originally requested. The overridden
login name could be automatically added to groups based on the group's
regular expression setting (CVE-2014-1572).

During an audit of the Bugzilla code base, several places were found where
cross-site scripting exploits could occur which could allow an attacker to
access sensitive information (CVE-2014-1573).

Affected Software/OS:
'bugzilla' package(s) on Mageia 3, Mageia 4.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2014-1571
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141321.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141309.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142524.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:200
http://packetstormsecurity.com/files/128578/Bugzilla-Account-Creation-XSS-Information-Leak.html
http://www.securitytracker.com/id/1030978
Common Vulnerability Exposure (CVE) ID: CVE-2014-1572
https://security.gentoo.org/glsa/201607-11
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
http://www.opennet.ru/opennews/art.shtml?num=40766
http://www.reddit.com/r/netsec/comments/2ihen0/new_class_of_vulnerability_in_perl_web/
http://openwall.com/lists/oss-security/2014/10/07/20
Common Vulnerability Exposure (CVE) ID: CVE-2014-1573
BugTraq ID: 70257
http://www.securityfocus.com/bid/70257

Copyright Copyright (C) 2022 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.1.10.2014.0412
Kategorie:	Mageia Linux Local Security Checks
Titel:	Mageia: Security Advisory (MGASA-2014-0412)
Zusammenfassung:	The remote host is missing an update for the 'bugzilla' package(s) announced via the MGASA-2014-0412 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'bugzilla' package(s) announced via the MGASA-2014-0412 advisory. Vulnerability Insight: Updated bugzilla packages fix security vulnerabilities: If a new comment was marked private to the insider group, and a flag was set in the same transaction, the comment would be visible to flag recipients even if they were not in the insider group (CVE-2014-1571). An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name could be automatically added to groups based on the group's regular expression setting (CVE-2014-1572). During an audit of the Bugzilla code base, several places were found where cross-site scripting exploits could occur which could allow an attacker to access sensitive information (CVE-2014-1573). Affected Software/OS: 'bugzilla' package(s) on Mageia 3, Mageia 4. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2014-1571 http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141321.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141309.html http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142524.html http://www.mandriva.com/security/advisories?name=MDVSA-2014:200 http://packetstormsecurity.com/files/128578/Bugzilla-Account-Creation-XSS-Information-Leak.html http://www.securitytracker.com/id/1030978 Common Vulnerability Exposure (CVE) ID: CVE-2014-1572 https://security.gentoo.org/glsa/201607-11 http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/ http://www.opennet.ru/opennews/art.shtml?num=40766 http://www.reddit.com/r/netsec/comments/2ihen0/new_class_of_vulnerability_in_perl_web/ http://openwall.com/lists/oss-security/2014/10/07/20 Common Vulnerability Exposure (CVE) ID: CVE-2014-1573 BugTraq ID: 70257 http://www.securityfocus.com/bid/70257
Copyright	Copyright (C) 2022 Greenbone AG