ATTENTION: All users running Bugzilla 4.2.1, 4.0.6 and 3.6.9 for web development
Dear valued customers,
We received an alert from our security team about security issues in Bugzilla that are addressed in versions 4.2.1, 4.0.6 and 3.6.9:
1) By abusing the X-FORWARDED-FOR header, an attacker could bypass the lockout policy, allowing possible brute-force discovery of a valid user password.
2) An attacker can get access to some bug information using the victim's credentials through a specially crafted HTML page.
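The lockout bypass in item 1 comes from keying failed-login counters on an IP taken from a client-controlled header. The following added example (not Bugzilla's own code; the proxy address, attacker address and threshold are constructed) simulates a lockout policy that trusts X-Forwarded-For from anyone beside one that only honours it from a known reverse proxy, and counts how many spoofed attempts each one blocks.

```python
from collections import defaultdict

MAX_FAILURES = 5                 # assumed lockout threshold (constructed)
TRUSTED_PROXIES = {"10.0.0.1"}   # constructed: the only hop allowed to set X-Forwarded-For


def client_ip_naive(remote_addr, headers):
    # Weak: honours X-Forwarded-For regardless of who sent the request,
    # so every login attempt can claim a fresh source IP.
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()


def client_ip_hardened(remote_addr, headers):
    # Hardened: only use the header when the TCP peer is our trusted proxy,
    # and then take the rightmost entry, which that proxy appended itself.
    xff = headers.get("X-Forwarded-For")
    if remote_addr in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


class LoginLockout:
    def __init__(self, ip_resolver):
        self.failures = defaultdict(int)
        self.resolve = ip_resolver

    def attempt(self, remote_addr, headers, password_ok):
        ip = self.resolve(remote_addr, headers)
        if self.failures[ip] >= MAX_FAILURES:
            return "locked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "denied"


def simulate_spoofing(resolver, attempts=20):
    # Constructed scenario: one host (198.51.100.7, not a trusted proxy) sends
    # repeated wrong passwords, forging a different X-Forwarded-For each time.
    lock = LoginLockout(resolver)
    results = []
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"}
        results.append(lock.attempt("198.51.100.7", headers, password_ok=False))
    return results.count("locked")   # attempts refused by the lockout policy
```

With the naive resolver none of the 20 attempts is ever locked out; with the hardened resolver everything after the fifth failure is refused.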
The fixes for these issues are included in the 3.6.9, 4.0.6 and 4.2.1 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues.
If you are unable to upgrade but would like to patch just these individual security vulnerabilities, there are patches available for the issues in the link below.
Full release downloads, patches to upgrade Bugzilla in previous versions, and CVS/bzr upgrade instructions are available at:
Courtesy of Bugzilla team.
247LiveSupport.biz Support Team