Knowledgebase: Security
SECURITY UPDATE: Bugzilla 4.2.1, 4.0.6 and 3.6.9 [INFO]
Posted on 24 April 2012 10:54 AM

ATTENTION: All customers running a Bugzilla installation older than 4.2.1, 4.0.6 or 3.6.9

Dear valued customers,
We received an alert from our security team that security issues exist in Bugzilla versions prior to 4.2.1, 4.0.6 and 3.6.9 (the 4.2, 4.0 and 3.6 branches respectively):

1) By supplying varying values in the X-Forwarded-For header, an attacker could bypass the login lockout policy, making a brute-force search for a valid user's password possible. The lockout counts failed logins per client address, so an installation that derives that address from an attacker-controlled header never sees enough failures from any one "client" to trigger the lockout.

2) Through a specially crafted HTML page, an attacker could make a victim's browser retrieve some bug information using the victim's existing Bugzilla login, disclosing data the victim is allowed to see to the attacker.
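The lockout bypass in item 1 works against any login throttle that takes the client address from a header the client can write. The following is an added example in Python, not Bugzilla's own code, that shows the vulnerable address resolver beside a hardened one and runs a simulated guessing campaign against each, counting how many guesses the server actually evaluates before the lockout takes effect. The proxy range 10.0.0.0/8, the attacker and spoofed addresses, and the MAX_FAILURES threshold are assumptions made for the example.

```python
"""Login lockout keyed on X-Forwarded-For: naive (bypassable) vs hardened resolver."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_FAILURES = 5   # assumed lockout threshold: failed logins allowed per client address

# Assumed address range of the reverse proxies that sit in front of the application.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def client_ip_naive(remote_addr, headers):
    """Vulnerable pattern: believe whatever the request says in X-Forwarded-For.

    The header is set by the client, so an attacker can present a fresh
    'client address' on every request and the failure counter never reaches
    MAX_FAILURES for any single key.
    """
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Only trust X-Forwarded-For when the TCP peer is one of our proxies.

    Walk the header from the right (the hop our proxy appended) and return the
    first address that is not a trusted proxy. Anything malformed, or a request
    that did not come through a trusted proxy at all, is keyed on the peer
    address, which the attacker cannot spoof without owning the TCP connection.
    """
    def is_trusted(addr):
        return any(addr in net for net in trusted)

    try:
        peer = ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if not is_trusted(peer):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return remote_addr
        if not is_trusted(addr):
            return str(addr)
    return remote_addr


def password_guess_campaign(resolve, n_guesses, behind_proxy):
    """Simulate one attacker making n_guesses wrong password guesses, rotating
    X-Forwarded-For on every request. Returns how many guesses the server
    actually evaluated before the lockout stopped checking passwords.

    Addresses are constructed for the example. When behind_proxy is True the
    request reaches the application from the proxy, which has appended the
    attacker's real address to whatever the attacker sent in the header.
    """
    attacker = "198.51.100.7"
    failures = defaultdict(int)   # failed-login counter per resolved client key
    evaluated = 0
    for i in range(n_guesses):
        spoofed = f"203.0.113.{i % 254 + 1}"
        if behind_proxy:
            remote_addr, xff = "10.0.0.2", f"{spoofed}, {attacker}"
        else:
            remote_addr, xff = attacker, spoofed
        key = resolve(remote_addr, {"X-Forwarded-For": xff})
        if failures[key] >= MAX_FAILURES:
            continue            # locked out: rejected without consulting the password
        evaluated += 1          # password actually checked (and wrong, in this campaign)
        failures[key] += 1
    return evaluated


if __name__ == "__main__":
    for name, resolver in (("naive", client_ip_naive), ("hardened", client_ip_hardened)):
        for behind in (False, True):
            n = password_guess_campaign(resolver, 50, behind)
            print(f"{name:8s} behind_proxy={behind!s:5s} guesses evaluated: {n}")
```

With the naive resolver all 50 guesses are evaluated whether or not the attacker is behind the proxy; with the hardened resolver only the first 5 are, because the key is the attacker's real address in both cases. The same rule applies to any per-address control (rate limiting, audit logs, IP allow-lists): honour X-Forwarded-For only from a peer you know is your proxy, and take the right-most address the proxy chain did not add.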

The fixes for these issues are included in the 3.6.9, 4.0.6 and 4.2.1 releases. Upgrading to a release containing the relevant fix protects your installation against exploitation of these issues. To confirm which version an installation is running, check the BUGZILLA_VERSION constant in Bugzilla/Constants.pm.

If you are unable to upgrade but would like to patch just these individual vulnerabilities, patches for each issue are available at the link below.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS/bzr upgrade instructions are available at:
Courtesy of the Bugzilla team.

Thank you.

Regards, Support Team


Copyright © 1998 - 2018 Shinjiru International Inc. All Rights Reserved.