Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2014-0412)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2014.0412

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2014-0412)

Resumen: The remote host is missing an update for the 'bugzilla' package(s) announced via the MGASA-2014-0412 advisory.

Descripción: Summary:
The remote host is missing an update for the 'bugzilla' package(s) announced via the MGASA-2014-0412 advisory.

Vulnerability Insight:
Updated bugzilla packages fix security vulnerabilities:

If a new comment was marked private to the insider group, and a flag was set
in the same transaction, the comment would be visible to flag recipients
even if they were not in the insider group (CVE-2014-1571).

An attacker creating a new Bugzilla account can override certain parameters
when finalizing the account creation that can lead to the user being created
with a different email address than originally requested. The overridden
login name could be automatically added to groups based on the group's
regular expression setting (CVE-2014-1572).

During an audit of the Bugzilla code base, several places were found where
cross-site scripting exploits could occur which could allow an attacker to
access sensitive information (CVE-2014-1573).

Affected Software/OS:
'bugzilla' package(s) on Mageia 3, Mageia 4.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-1571
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141321.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141309.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142524.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:200
http://packetstormsecurity.com/files/128578/Bugzilla-Account-Creation-XSS-Information-Leak.html
http://www.securitytracker.com/id/1030978
Common Vulnerability Exposure (CVE) ID: CVE-2014-1572
https://security.gentoo.org/glsa/201607-11
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
http://www.opennet.ru/opennews/art.shtml?num=40766
http://www.reddit.com/r/netsec/comments/2ihen0/new_class_of_vulnerability_in_perl_web/
http://openwall.com/lists/oss-security/2014/10/07/20
Common Vulnerability Exposure (CVE) ID: CVE-2014-1573
BugTraq ID: 70257
http://www.securityfocus.com/bid/70257

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2014.0412
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2014-0412)
Resumen:	The remote host is missing an update for the 'bugzilla' package(s) announced via the MGASA-2014-0412 advisory.
Descripción:	Summary: The remote host is missing an update for the 'bugzilla' package(s) announced via the MGASA-2014-0412 advisory. Vulnerability Insight: Updated bugzilla packages fix security vulnerabilities: If a new comment was marked private to the insider group, and a flag was set in the same transaction, the comment would be visible to flag recipients even if they were not in the insider group (CVE-2014-1571). An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name could be automatically added to groups based on the group's regular expression setting (CVE-2014-1572). During an audit of the Bugzilla code base, several places were found where cross-site scripting exploits could occur which could allow an attacker to access sensitive information (CVE-2014-1573). Affected Software/OS: 'bugzilla' package(s) on Mageia 3, Mageia 4. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-1571 http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141321.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141309.html http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142524.html http://www.mandriva.com/security/advisories?name=MDVSA-2014:200 http://packetstormsecurity.com/files/128578/Bugzilla-Account-Creation-XSS-Information-Leak.html http://www.securitytracker.com/id/1030978 Common Vulnerability Exposure (CVE) ID: CVE-2014-1572 https://security.gentoo.org/glsa/201607-11 http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/ http://www.opennet.ru/opennews/art.shtml?num=40766 http://www.reddit.com/r/netsec/comments/2ihen0/new_class_of_vulnerability_in_perl_web/ http://openwall.com/lists/oss-security/2014/10/07/20 Common Vulnerability Exposure (CVE) ID: CVE-2014-1573 BugTraq ID: 70257 http://www.securityfocus.com/bid/70257
Copyright	Copyright (C) 2022 Greenbone AG