FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

bugzilla -- multiple vulnerabilities

Affected packages
2.17.1 <= bugzilla < 2.18.2
2.17.1 <= ja-bugzilla < 2.18.2


VuXML ID 6e33f4ab-efed-11d9-8310-0001020eed82
Discovery 2005-07-07
Entry 2005-07-08
Modified 2005-07-18

A Bugzilla Security Advisory reports:

Any user can change any flag on any bug, even if they don't have access to that bug, or even if they can't normally make bug changes. This also allows them to expose the summary of a bug.

Bugs are inserted into the database before they are marked as private, in Bugzilla code. Thus, MySQL replication can lag in between the time that the bug is inserted and when it is marked as private (usually less than a second). If replication lags at this point, the bug summary will be accessible to all users until replication catches up. Also, on a very slow machine, there may be a pause longer than a second that allows users to see the title of the newly-filed bug.


CVE Name CVE-2005-2173
CVE Name CVE-2005-2174