<Vulns> <Vulnerability addData="2004-11-01" gvid="ID103753" id="103753" modifyDate="2013-12-04"> <cvsscode>7.5</cvsscode> <severity>Critical</severity> <name>Bugzilla Account Creation SQL Injection Vulnerability</name> <Tags> <tag></tag> </Tags> <cvss></cvss> <Description>When a new account is created, Bugzilla does not sufficiently sanitize user input before incorporating it into an SQL query. As a result, a remote attacker can obtain sensitive information from the database or corrupt data.</Description> <cnnvd>CNNVD-200210-297</cnnvd> <AlternateIds> <id name="CVE">CVE-2002-1198</id> </AlternateIds> <Solutions>This issue was introduced in Bugzilla 2.16 and has been addressed in Bugzilla 2.16.1.
Mozilla Bugzilla 2.16
<ul><li>
Mozilla bugzilla-2.16.1.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.16.1.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.16.1.tar.gz</a></li>
</ul></Solutions> <Check scope="endpoint"> <NetworkService type="HTTP|HTTPS">
<Product name="Bugzilla">
<version> <range> <low>2.16</low> <high>2.16.1</high> </range> </version>
</Product>
</NetworkService> </Check> </Vulnerability> <Vulnerability addData="2004-11-01" gvid="ID103754" id="103754" modifyDate="2013-12-04"> <cvsscode>7.5</cvsscode> <severity>Critical</severity> <name>Bugzilla Command Execution Vulnerability</name> <Tags> <tag></tag> </Tags> <cvss></cvss> <Description>The &#39;bugzilla_email_append.pl&#39; script in the Bugzilla package does not sufficiently filter user input. As a result, a user may be able to insert malicious entries into the Bugzilla database and possibly execute arbitrary commands.</Description> <cnnvd>CNNVD-200210-308</cnnvd> <AlternateIds> <id name="CVE">CVE-2002-1197</id> </AlternateIds> <Solutions>Fixes available:
Mozilla Bugzilla 2.14
<ul><li>
Mozilla bugzilla-2.14.4.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz</a></li>
</ul>
Mozilla Bugzilla 2.14.1
<ul><li>
Mozilla bugzilla-2.14.4.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz</a></li>
</ul>
Mozilla Bugzilla 2.14.2
<ul><li>
Mozilla bugzilla-2.14.4.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz</a></li>
</ul>
Mozilla Bugzilla 2.14.3
<ul><li>
Mozilla bugzilla-2.14.4.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz</a></li>
</ul>
Mozilla Bugzilla 2.16
<ul><li>
Mozilla bugzilla-2.16.1.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.16.1.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.16.1.tar.gz</a></li>
</ul></Solutions> <Check scope="endpoint"> <NetworkService type="HTTP|HTTPS">
<Product name="Bugzilla">
<version>
<range> <low>2.14</low> <high>2.14.4</high> </range>
<range> <low>2.16</low> <high>2.16.1</high> </range>
</version>
</Product>
</NetworkService> </Check> </Vulnerability> <Vulnerability addData="2004-11-01" gvid="ID103755" id="103755" modifyDate="2013-12-04"> <cvsscode>2.1</cvsscode> <severity>Moderate</severity> <name>Bugzilla Data Mining Insecure Directory Permissions Vulnerability</name> <Tags> <tag></tag> </Tags> <cvss></cvss> <Description>The data collection script in the Bugzilla package, which is intended to run as a cron job, sets insecure permissions on the data/mining directory. As a result, a local attacker can exploit this race condition to modify the directory contents.</Description> <cnnvd>CNNVD-200301-021</cnnvd> <AlternateIds> <id name="CVE">CVE-2003-0012</id> </AlternateIds> <Solutions>Vendor patch:
Mozilla
-------
The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page:
Mozilla Bugzilla 2.14:
Bugzilla Upgrade Bugzilla 2.14.5
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a>
Mozilla Bugzilla 2.14.1:
Bugzilla Upgrade Bugzilla 2.14.5
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a>
Mozilla Bugzilla 2.14.2:
Bugzilla Upgrade Bugzilla 2.14.5
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a>
Mozilla Bugzilla 2.14.3:
Bugzilla Upgrade Bugzilla 2.14.5
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a>
Mozilla Bugzilla 2.14.4:
Bugzilla Upgrade Bugzilla 2.14.5
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a>
Bugzilla Patch bugzilla-2.14.4-to-2.14.5.diff.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4-to-2.14.5.diff.gz" target="_blank">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4-to-2.14.5.diff.gz</a>
Mozilla Bugzilla 2.16:
Bugzilla Upgrade Bugzilla 2.16.2
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a>
Mozilla Bugzilla 2.16.1:
Bugzilla Upgrade Bugzilla 2.16.2
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a>
Bugzilla Patch bugzilla-2.16.1-to-2.16.2.diff.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.16.1-to-2.16.2.diff.gz" target="_blank">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.16.1-to-2.16.2.diff.gz</a>
Mozilla Bugzilla 2.17:
Bugzilla Upgrade Bugzilla 2.17.3
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a>
Mozilla Bugzilla 2.17.1:
Bugzilla Upgrade Bugzilla 2.17.3
<a href="
http://www.bugzilla.org/download.html" target="_blank">
http://www.bugzilla.org/download.html</a></Solutions> <Check scope="endpoint"> <NetworkService type="HTTP|HTTPS">
<Product name="Bugzilla">
<version>
<range> <low>2.14</low> <high>2.14.5</high> </range>
<range> <low>2.16</low> <high>2.16.2</high> </range>
<range> <low>2.17</low> <high>2.17.3</high> </range>
</version>
</Product>
</NetworkService> </Check> </Vulnerability> <Vulnerability addData="2004-11-01" gvid="ID103757" id="103757" modifyDate="2013-12-04"> <cvsscode>7.5</cvsscode> <severity>Critical</severity> <name>Bugzilla Group Creation Privilege Escalation Vulnerability</name> <Tags> <tag></tag> </Tags> <cvss></cvss> <Description>Bugzilla installations that use the &#39;usebuggroups&#39; feature are affected by a privilege escalation issue. When a new product is added to a site that contains multiple bug groups, the new group is automatically created with additional privileges. As a result, any new user added to this group gains these additional privileges.</Description> <cnnvd>CNNVD-200210-301</cnnvd> <AlternateIds> <id name="CVE">CVE-2002-1196</id> </AlternateIds> <Solutions>Fixes are available:
Mozilla Bugzilla 2.14
<ul><li>
Mozilla bugzilla-2.14.4.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz</a></li>
</ul>
Mozilla Bugzilla 2.14.1
<ul><li>
Mozilla bugzilla-2.14.4.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz</a></li>
</ul>
Mozilla Bugzilla 2.14.2
<ul><li>
Debian bugzilla-doc_2.14.2-0woody2_all.deb Debian GNU/Linux 3.0 architecture independent package.
<a href="
http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla-doc_2.14.2-0woody2_all.deb">
http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla-doc_2.14.2-0woody2_all.deb</a></li>
<li>
Debian bugzilla_2.14.2-0woody2_all.deb Debian GNU/Linux 3.0 architecture independent package.
<a href="
http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody2_all.deb">
http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody2_all.deb</a></li>
<li>
Mozilla bugzilla-2.14.4.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz</a></li>
</ul>
Mozilla Bugzilla 2.14.3
<ul><li>
Mozilla bugzilla-2.14.4.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.4.tar.gz</a></li>
</ul>
Mozilla Bugzilla 2.16
<ul><li>
Mozilla bugzilla-2.16.1.tar.gz
<a href="
http://ftp.mozilla.org/pub/webtools/bugzilla-2.16.1.tar.gz">
http://ftp.mozilla.org/pub/webtools/bugzilla-2.16.1.tar.gz</a></li>
</ul></Solutions> <Check scope="endpoint"> <NetworkService type="HTTP|HTTPS">
<Product name="Bugzilla">
<version>
<range> <low>2.14</low> <high>2.14.4</high> </range>
<range> <low>2.16</low> <high>2.16.1</high> </range>
</version>
</Product>
</NetworkService> </Check> </Vulnerability> <Vulnerability addData="2004-11-01" gvid="ID103758" id="103758" modifyDate="2012-07-31"> <cvsscode>6.8</cvsscode> <severity>Severe</severity> <name>Bugzilla Insecure File Name and Cross-Site Scripting Vulnerability</name> <Tags> <tag></tag> </Tags> <cvss></cvss> <Description>Bugzilla creates temporary files in a world-writable directory without verifying that the file name is unused. As a result, a local attacker can use a symbolic link to overwrite other files on the system that the web server can access.
In addition, several scripts in Bugzilla are vulnerable to cross-site scripting (XSS) attacks.</Description> <cnnvd></cnnvd> <AlternateIds> <id name="CVE">CVE-2003-0603,CVE-2003-0602</id> </AlternateIds> <Solutions></Solutions> <Check scope="endpoint"> <NetworkService type="HTTP|HTTPS">
<Product name="Bugzilla">
<version>
<range> <low>2.16</low> <high>2.16.3</high> </range>
<range> <low>2.17</low> <high>2.17.4</high> </range>
</version>
</Product>
</NetworkService> </Check> </Vulnerability> <Vulnerability addData="2005-02-16" gvid="ID103759" id="103759" modifyDate="2013-12-04"> <cvsscode>7.5</cvsscode> <severity>Critical</severity> <name>Bugzilla Multiple Vulnerabilities</name> <Tags> <tag></tag> </Tags> <cvss></cvss> <Description>Certain versions of Bugzilla are affected by multiple issues. A privileged authenticated user with the &#39;grant membership&#39; permission can execute arbitrary SQL code or gain access to unrelated groups through the &#39;editusers.cgi&#39; interface. In addition, user and database passwords were found to be disclosed in certain circumstances.</Description> <cnnvd></cnnvd> <AlternateIds> <id name="CVE">CVE-2004-0707,CVE-2004-0706,CVE-2004-0705,CVE-2004-0704,CVE-2004-0703,CVE-2004-0702</id> </AlternateIds> <Solutions></Solutions> <Check scope="endpoint"> <NetworkService type="HTTP|HTTPS">
<Product name="Bugzilla">
<version>
<range> <low>2.16.0</low> <high>2.16.6</high> </range>
<range> <low>2.17.1</low> <high>2.17.8</high> </range>
</version>
</Product>
</NetworkService> </Check> </Vulnerability></Vulns>