Created by Max Kanat-Alexander and last modified
Get this branch:
bzr branch lp:bugzilla.gnome.org
Members of GNOME Bugzilla maintainers can upload to this branch.


Branch information

GNOME Bugzilla maintainers

Recent revisions

6730. By Muelli

I think I am merging here, but I don't really know

6729. By Muelli

Backported relevant hunks of the CVE-2014-1573 patch

This is being tracked at

The hunks of the Attachment.pm reg. the contenttypemethod
needed to be adapted manually as they didn't fit out of the box.
But it was easy enough and it shouldn't break anything.

Some other hunks didn't apply, but it seems that the architecture of
this Bugzilla 3 is sufficiently different so that the modifications are
not necessary. I.e. when creating attachments (e.g. in post_bug), we
apparently cannot provide a URL, so this cannot be an attack vector.
However, I don't really understand how the actual attachments (i.e. the
file contents of an upload) are created. So I am not able to assess
whether we are vulnerable here.

The buglist.pm hunks didn't apply for new Bugzilla::Product. We do not
use the CGI input directly, so I guess we are doing fine.

As far as I can see, the GroupCheck in editgroups.pm works as intended,
so we do not need to patch.

6728. By Christian Kirbach

Fix for upstream Bug 745397 - (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see

6727. By Christian Kirbach

Fix for Bug 785470 - (CVE-2012-3981) [SECURITY] Missing escaping of the username can lead to LDAP injection

6726. By Christian Kirbach

Apply upstream Bug 842038 - (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format

6725. By Muelli

Config/Query.pm: Make My Bugs direct to the describeuser page. Fixes bgo#601250

We have the entire "My Bugs" story handled by the "describeuser" page.

6724. By Muelli

Make My Bugs search for NEEDINFO bugs, too. Fixes bgo#601250

From a quick grep through the code, this seems to be the necessary change to fix

6723. By Olav Vitters

merge upstream changes

6722. By Olav Vitters

merge upstream changes

6721. By Olav Vitters

merge upstream changes

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information. Everyone can see this information.