lp:bugzilla.gnome.org
- Get this branch: bzr branch lp:bugzilla.gnome.org
Branch information
Recent revisions
- 6729. By Muelli

Backported relevant hunks of the CVE-2014-1573 patch

This is being tracked at https://bugzilla.mozilla.org/show_bug.cgi?id=1075578

The hunks of the Attachment.pm reg. the contenttypemethod needed to be adapted manually as they didn't fit out of the box. But it was easy enough and it shouldn't break anything.

Some other hunks didn't apply, but it seems that the architecture of this Bugzilla 3 is sufficiently different so that the modifications are not necessary. I.e. when creating attachments (e.g. in post_bug), we apparently cannot provide a URL, so this cannot be an attack vector. However, I don't really understand how the actual attachments (i.e. the file contents of an upload) are created. So I am not able to assess whether we are vulnerable here.

The buglist.pm hunks didn't apply for new Bugzilla::Product. We do not use the CGI input directly, so I guess we are doing fine.

As far as I can see, the GroupCheck in editgroups.pm works as intended, so we do not need to patch.

- 6728. By Christian Kirbach
Fix for upstream Bug 745397 - (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see

- 6727. By Christian Kirbach

Fix for Bug 785470 - (CVE-2012-3981) [SECURITY] Missing escaping of the username can lead to LDAP injection

- 6726. By Christian Kirbach

Apply upstream Bug 842038 - (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format

- 6725. By Muelli

Config/Query.pm: Make My Bugs direct to the describeuser page. Fixes bgo#601250

We have the entire "My Bugs" story handled by the "describeuser" page.

- 6724. By Muelli

Make My Bugs search for NEEDINFO bugs, too. Fixes bgo#601250

From a quick grep through the code, this seems to be the necessary change to fix https://bugzilla.gnome.org/show_bug.cgi?id=601250
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)