From odip@bionet.nsc.ru  Tue Oct 26 15:52:14 2004
Return-Path: <odip@bionet.nsc.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4118C16A4CE; Tue, 26 Oct 2004 15:52:14 +0000 (GMT)
Received: from hydra.bionet.nsc.ru (hydra.bionet.nsc.ru [193.125.179.226])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id A927743D2D; Tue, 26 Oct 2004 15:52:12 +0000 (GMT)
	(envelope-from odip@bionet.nsc.ru)
Received: by hydra.bionet.nsc.ru (Postfix, from userid 1001)
	id 9C3AE54B8; Tue, 26 Oct 2004 22:52:10 +0700 (NOVST)
Message-Id: <20041026155210.9C3AE54B8@hydra.bionet.nsc.ru>
Date: Tue, 26 Oct 2004 22:52:10 +0700 (NOVST)
From: Dmitry A Grigorovich <odip@bionet.nsc.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: ports@FreeBSD.org
Subject: [PATCH] security fixed version - bugzill 2.16.7
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         73166
>Category:       ports
>Synopsis:       [PATCH] security fixed version - bugzill 2.16.7
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 26 16:00:45 GMT 2004
>Closed-Date:    Wed Oct 27 19:24:08 GMT 2004
>Last-Modified:  Wed Oct 27 19:24:08 GMT 2004
>Originator:     Dmitry A Grigorovich
>Release:        FreeBSD 4.8-RELEASE-p4 i386
>Organization:
ICiG
>Environment:
System: FreeBSD hydra.bionet.nsc.ru 4.8-RELEASE-p4 FreeBSD 4.8-RELEASE-p4 #4: Sat Oct 4 02:33:02 NOVST 2003 root@hydra.bionet.nsc.ru:/usr/obj/usr/src/sys/ODIP i386
>Description:

See http://www.bugzilla.org/security/2.16.6/

Class:       Unauthorized Bug Change
Versions:    2.9 through 2.18rc2 and 2.19
Description: It is possible to send a carefully crafted HTTP POST
             message to process_bug.cgi which will remove keywords from
             a bug even if you don't have permissions to edit all bug
             fields (the "editbugs" permission).  Such changes are
             reported in "bug changed" email notifications, so they are
             easily detected and reversed if someone abuses it.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=252638

>How-To-Repeat:

See http://www.bugzilla.org/security/2.16.6/

>Fix:

Apply patch
Reinstall bugzilla

diff -ur bugzilla.old/Makefile bugzilla/Makefile
--- bugzilla.old/Makefile       Fri Jul 23 13:41:02 2004
+++ bugzilla/Makefile   Tue Oct 26 22:37:48 2004
@@ -6,7 +6,7 @@
 #

 PORTNAME?=     bugzilla
-PORTVERSION?=  2.16.6
+PORTVERSION?=  2.16.7
 CATEGORIES?=   devel
 MASTER_SITES=  ${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=    webtools webtools/archived
diff -ur bugzilla.old/distinfo bugzilla/distinfo
--- bugzilla.old/distinfo       Fri Jul 23 13:41:02 2004
+++ bugzilla/distinfo   Tue Oct 26 22:37:56 2004
@@ -1,2 +1,2 @@
-MD5 (bugzilla-2.16.6.tar.gz) = 5b694df8739be175f0358507f844b71d
-SIZE (bugzilla-2.16.6.tar.gz) = 1365080
+MD5 (bugzilla-2.16.7.tar.gz) = ee4c92bfd940521cc68ea91917f9f0dd
+SIZE (bugzilla-2.16.7.tar.gz) = 1368799

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: pav 
State-Changed-When: Wed Oct 27 19:24:00 GMT 2004 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73166 
>Unformatted:
