Bug 73166

Summary: [PATCH] security fixed version - bugzilla 2.16.7
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Dmitry A Grigorovich <odip>
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED
Severity: Affects Only Me
CC: ports
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments:
file.diff (flags: none)

Description Dmitry A Grigorovich 2004-10-26 17:00:45 UTC
See http://www.bugzilla.org/security/2.16.6/

Class:       Unauthorized Bug Change
Versions:    2.9 through 2.18rc2 and 2.19
Description: It is possible to send a carefully crafted HTTP POST
             message to process_bug.cgi which will remove keywords from
             a bug even if you don't have permissions to edit all bug
             fields (the "editbugs" permission).  Such changes are
             reported in "bug changed" email notifications, so they are
             easily detected and reversed if someone abuses it.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=252638

Fix: Apply patch
Reinstall bugzilla

PORTNAME?=     bugzilla
-PORTVERSION?=  2.16.6
+PORTVERSION?=  2.16.7
 CATEGORIES?=   devel
 MASTER_SITES=  ${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=    webtools webtools/archived
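Review bot: the PORTVERSION?= change from 2.16.6 to 2.16.7 is the only line touched in this Makefile hunk, and as shown the patch carries no matching distinfo update, so the checksum step would be run against the old distfile entry when the 2.16.7 tarball is fetched from ${MASTER_SITE_MOZILLA}. Regenerate distinfo with make makesum and include it in the same patch. Since this is a security update, the commit message should also cite the advisory URL given in the description so the version bump stays traceable to the fix.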
How-To-Repeat: 
See http://www.bugzilla.org/security/2.16.6/
Comment 1 Pav Lucistnik freebsd_committer freebsd_triage 2004-10-27 20:24:00 UTC
State Changed
From-To: open->closed

Committed, thanks!