Bug 73166 - [PATCH] security fixed version - bugzilla 2.16.7
Summary: [PATCH] security fixed version - bugzilla 2.16.7
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)

Reported: 2004-10-26 17:00 UTC by Dmitry A Grigorovich
Modified: 2004-10-27 20:24 UTC (History)

Attachments
file.diff (173 bytes, patch)
2004-10-26 17:00 UTC, Dmitry A Grigorovich
file.diff (382 bytes, patch)
2004-10-26 17:00 UTC, Dmitry A Grigorovich

Description Dmitry A Grigorovich 2004-10-26 17:00:45 UTC
See http://www.bugzilla.org/security/2.16.6/

Class:       Unauthorized Bug Change
Versions:    2.9 through 2.18rc2 and 2.19
Description: It is possible to send a carefully crafted HTTP POST
             message to process_bug.cgi which will remove keywords from
             a bug even if you don't have permissions to edit all bug
             fields (the "editbugs" permission).  Such changes are
             reported in "bug changed" email notifications, so they are
             easily detected and reversed if someone abuses it.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=252638

Fix: Apply patch
Reinstall bugzilla

PORTNAME?=     bugzilla
-PORTVERSION?=  2.16.6
+PORTVERSION?=  2.16.7
 CATEGORIES?=   devel
 MASTER_SITES=  ${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=    webtools webtools/archived
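Review bot: the PORTVERSION bump to 2.16.7 is the only change in this hunk, and a version bump in a port Makefile needs the matching distinfo checksum update for the new distfile, so confirm the second file.diff attachment carries it before this is committed. Because the reason for the update is the "Unauthorized Bug Change" issue in process_bug.cgi described above, the commit message should state that this is a security update and cite http://www.bugzilla.org/security/2.16.6/ so that users still on 2.16.6 know to upgrade.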
How-To-Repeat: 
See http://www.bugzilla.org/security/2.16.6/
Comment 1 Pav Lucistnik freebsd_committer freebsd_triage 2004-10-27 20:24:00 UTC
State Changed
From-To: open->closed

Committed, thanks!