Created by Max Kanat-Alexander on 2009-09-10 and last modified on 2014-10-07
Get this branch:
bzr branch lp:bugzilla.gnome.org
Members of GNOME Bugzilla maintainers can upload to this branch.

Branch information

GNOME Bugzilla maintainers

Recent revisions

6730. By Muelli on 2014-10-07

I think I am merging here, but I don't really know

6729. By Muelli on 2014-10-07

Backported relevant hunks of the CVE-2014-1573 patch

This is being tracked at

The hunks of the Attachment.pm reg. the contenttypemethod
needed to be adapted manually as they didn't fit out of the box.
But it was easy enough and it shouldn't break anything.

Some other hunks didn't apply, but it seems that the architecture of
this Bugzilla 3 is sufficiently different so that the modifications are
not necessary. I.e. when creating attachments (e.g. in post_bug), we
apparently cannot provide a URL, so this cannot be an attack vector.
However, I don't really understand how the actual attachments (i.e. the
file contents of an upload) are created. So I am not able to assess
whether we are vulnerable here.

The buglist.pm hunks didn't apply for new Bugzilla::Product. We do not
use the CGI input directly, so I guess we are doing fine.

As far as I can see, the GroupCheck in editgroups.pm works as intended,
so we do not need to patch.

6728. By Christian Kirbach on 2013-03-01

Fix for upstream Bug 745397 - (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see

6727. By Christian Kirbach on 2013-03-01

Fix for Bug 785470 - (CVE-2012-3981) [SECURITY] Missing escaping of the username can lead to LDAP injection

6726. By Christian Kirbach on 2013-02-23

Apply upstream Bug 842038 - (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format

6725. By Muelli on 2012-04-02

Config/Query.pm: Make My Bugs direct to the describeuser page. Fixes bgo#601250

We have the entire "My Bugs" story handled by the "describeuser" page.

6724. By Muelli on 2012-04-02

Make My Bugs search for NEEDINFO bugs, too. Fixes bgo#601250

From a quick grep through the code, this seems to be the necessary change to fix

6723. By Olav Vitters on 2011-12-28

merge upstream changes

6722. By Olav Vitters on 2011-12-24

merge upstream changes

6721. By Olav Vitters on 2011-12-24

merge upstream changes

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information.