Package: bugzilla
Version: 2.18.3-2
Severity: grave
Tags: security
Justification: user security hole

Two information disclosure vulnerabilities have been found in Bugzilla:

+ It is possible to bypass the "user visibility groups" restrictions if
  user-matching is turned on in "substring" mode.
+ config.cgi exposes information to users who aren't logged in, even when
  "requirelogin" is turned on in Bugzilla.

Please see http://www.bugzilla.org/security/2.18.4/ for the full advisory.

2.18.4 fixes these issues.

Cheers,
Moritz

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages bugzilla depends on:
pn  apache | roxen2 | apache-ssl             Not found.
ii  debconf                       1.4.30.13  Debian configuration management sy
ii  exim4-daemon-light [mail-tran 4.50-8     lightweight exim MTA (v4) daemon
ii  libdbd-mysql-perl             2.9006-1   A Perl5 database interface to the
ii  libtimedate-perl              1.1600-4   Time and date functions for Perl