Your message dated Sun, 08 Nov 2009 22:32:46 +0000
with message-id <[email protected]>
and subject line Bug#547132: fixed in bugzilla 3.2.5.0-1
has caused the Debian Bug report #547132,
regarding CVE-2009-3165: SQL injection vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
547132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547132
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bugzilla
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for bugzilla.

CVE-2009-3165[0]:
| SQL injection vulnerability in the Bug.create WebService function in
| Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through
| 3.4.1 allows remote attackers to execute arbitrary SQL commands via
| unspecified parameters.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3165
    http://security-tracker.debian.net/tracker/CVE-2009-3165





--- End Message ---
--- Begin Message ---
Source: bugzilla
Source-Version: 3.2.5.0-1

We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:

bugzilla3-doc_3.2.5.0-1_all.deb
  to main/b/bugzilla/bugzilla3-doc_3.2.5.0-1_all.deb
bugzilla3_3.2.5.0-1_all.deb
  to main/b/bugzilla/bugzilla3_3.2.5.0-1_all.deb
bugzilla_3.2.5.0-1.diff.gz
  to main/b/bugzilla/bugzilla_3.2.5.0-1.diff.gz
bugzilla_3.2.5.0-1.dsc
  to main/b/bugzilla/bugzilla_3.2.5.0-1.dsc
bugzilla_3.2.5.0.orig.tar.gz
  to main/b/bugzilla/bugzilla_3.2.5.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Bossek <[email protected]> (supplier of updated bugzilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 06 Nov 2009 20:47:23 +0100
Source: bugzilla
Binary: bugzilla3 bugzilla3-doc
Architecture: source all
Version: 3.2.5.0-1
Distribution: unstable
Urgency: medium
Maintainer: Raphael Bossek <[email protected]>
Changed-By: Raphael Bossek <[email protected]>
Description: 
 bugzilla3  - web-based bug tracking system
 bugzilla3-doc - comprehensive guide to Bugzilla
Closes: 495107 511839 511839 520935 522401 522455 538286 539401 539440 544870 544987 547132 549700 550045 550055 550071 554965
Changes: 
 bugzilla (3.2.5.0-1) unstable; urgency=medium
 .
   * Increased Standards-Version to 3.8.3; no changes.
   * Fixed creation of /etc/bugzilla3/localconfig from debconf settings.
   * In case where access to database is protected the user/password is revoked
     and recreated again; dpkg-reconfigure -phigh bugzilla3.
   * Removed dependency against libemail-reply-perl.
   * Changed processing of /etc/bugzilla3/localconfig. Closes: #538286
   * Fixed usage of skins by moving away from /cgi-bin/bugzilla3/.
     Closes: #495107
   * Support for new version of Germzilla added. Closes: #522401
   * Added support for 2 digit version numbers for uscan. Closes: #539401
   * libtemplate-plugin-gd-perl is recommended. Closes: #539440
   * Uses Debian's YUI files for security concerns with JavaScript.
     Closes: #544987, #544870
   * The post-checksetup.d/10permissions script fixes directory/file access
     rights. Closes: #550045
   * Fixed typo in checksetup(_debian).sh script. Closes: #550055
   * Include path /usr/share/bugzilla3 added. Closes: #549700
   * The localhost mta/smtp/email server has to accept email sending.
     Closes: #522455
   * Fixed SQL injection vulnerability in the Bug.create WebService function
     CVE-2009-3165, Closes: #547132
   * Fixed typo in recommends (imagemagick). Closes: #554965
 .
   [ NEWS.Debian ]
   * The directory /usr/lib/cgi-bin/bugzilla3 moved to
     /usr/share/bugzilla3/web. The /usr/share/doc/bugzilla3/examples/basic.conf
     file shows the changes mandatory for apache2.
     This change was required to be able to install bugzilla3 for apache2
     out-of-the box with apache2 default setup for /cgi-bin/ directory.
     Closes: #520935
   * New basic.conf/vh-basic.conf files fix /cgi-bin/ issues with default
     apache2 configuration. Closes: #511839
   * urlbase (/etc/bugzilla3/param) changed from /cgi-bin/bugzilla3/ to
     /bugzilla3/.
   * docs_urlbase (/etc/bugzilla3/param) changed from
     /docs/bugzilla3-doc/%lang%/html to /doc/bugzilla3-doc/%lang%/html with
     changed directory structure within bugzilla3-doc. Closes: #511839
   * The directories /etc/bugzilla3/pre-checksetup.d and
     /etc/bugzilla3/post-checksetup.d contain executables which are started in
     alphanumerical order before and after checksetup.pl is called. Save your
     own scripts which should be executed if checksetup.pl is called, e.g.
     during an upgrade of the package.
   * /usr/share/bugzilla3/lib/sanitycheck.pl added; will be executed daily.
     Closes: #550071




--- End Message ---
