bugzilla-5.0.6-4.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10664-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z bugzilla-5.0.6-4.2 on GA media These are all security issues fixed in the bugzilla-5.0.6-4.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10664 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-1517/ SUSE CVE CVE-2014-1517 page https://www.suse.com/security/cve/CVE-2014-1571/ SUSE CVE CVE-2014-1571 page https://www.suse.com/security/cve/CVE-2015-4499/ SUSE CVE CVE-2015-4499 page https://www.suse.com/security/cve/CVE-2015-8508/ SUSE CVE CVE-2015-8508 page https://www.suse.com/security/cve/CVE-2015-8509/ SUSE CVE CVE-2015-8509 page https://www.suse.com/security/cve/CVE-2016-2803/ SUSE CVE CVE-2016-2803 page openSUSE Tumbleweed bugzilla-5.0.6-4.2 bugzilla-apache-5.0.6-4.2 bugzilla-lang-de-5.0.6-4.2 bugzilla-5.0.6-4.2 as a component of openSUSE Tumbleweed bugzilla-apache-5.0.6-4.2 as a component of openSUSE Tumbleweed bugzilla-lang-de-5.0.6-4.2 as a component of openSUSE Tumbleweed The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue. CVE-2014-1517 openSUSE Tumbleweed:bugzilla-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-apache-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-lang-de-5.0.6-4.2 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-1517.html CVE-2014-1517 Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template. CVE-2014-1571 openSUSE Tumbleweed:bugzilla-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-apache-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-lang-de-5.0.6-4.2 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-1571.html CVE-2014-1571 Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to obtain the default privileges for an arbitrary domain name by placing that name in a substring of an address, as demonstrated by truncation of an @mozilla.com.example.com address to an @mozilla.com address. CVE-2015-4499 openSUSE Tumbleweed:bugzilla-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-apache-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-lang-de-5.0.6-4.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-4499.html CVE-2015-4499 https://bugzilla.suse.com/946313 SUSE Bug 946313 Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary. CVE-2015-8508 openSUSE Tumbleweed:bugzilla-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-apache-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-lang-de-5.0.6-4.2 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8508.html CVE-2015-8508 Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code. CVE-2015-8509 openSUSE Tumbleweed:bugzilla-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-apache-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-lang-de-5.0.6-4.2 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8509.html CVE-2015-8509 Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML. CVE-2016-2803 openSUSE Tumbleweed:bugzilla-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-apache-5.0.6-4.2 openSUSE Tumbleweed:bugzilla-lang-de-5.0.6-4.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2803.html CVE-2016-2803 https://bugzilla.suse.com/980271 SUSE Bug 980271