ID 92CA92C1-D859-11DE-89F9-001517351C22 Type freebsd Reporter FreeBSD Modified 2009-11-18T00:00:00
Description
A Bugzilla Security Advisory reports:
When a bug is in a group, none of its information
(other than its status and resolution) should be visible
to users outside that group. It was discovered that
as of 3.3.2, Bugzilla was showing the alias of the bug
(a very short string used as a shortcut for looking up
the bug) to users outside of the group, if the protected
bug ended up in the "Depends On" or "Blocks" list of any
other bug.
{"id": "92CA92C1-D859-11DE-89F9-001517351C22", "bulletinFamily": "unix", "title": "bugzilla -- information leak", "description": "\nA Bugzilla Security Advisory reports:\n\nWhen a bug is in a group, none of its information\n\t (other than its status and resolution) should be visible\n\t to users outside that group. It was discovered that\n\t as of 3.3.2, Bugzilla was showing the alias of the bug\n\t (a very short string used as a shortcut for looking up\n\t the bug) to users outside of the group, if the protected\n\t bug ended up in the \"Depends On\" or \"Blocks\" list of any\n\t other bug.\n\n", "published": "2009-11-18T00:00:00", "modified": "2009-11-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://vuxml.freebsd.org/freebsd/92ca92c1-d859-11de-89f9-001517351c22.html", "reporter": "FreeBSD", "references": ["http://www.bugzilla.org/security/3.4.3/"], "cvelist": ["CVE-2009-3386"], "type": "freebsd", "lastseen": "2019-05-29T18:34:11", "history": [{"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "bugzilla", "packageVersion": "3.4.4"}], "bulletinFamily": "unix", "cvelist": ["CVE-2009-3386"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "\nA Bugzilla Security Advisory reports:\n\nWhen a bug is in a group, none of its information\n\t (other than its status and resolution) should be visible\n\t to users outside that group. It was discovered that\n\t as of 3.3.2, Bugzilla was showing the alias of the bug\n\t (a very short string used as a shortcut for looking up\n\t the bug) to users outside of the group, if the protected\n\t bug ended up in the \"Depends On\" or \"Blocks\" list of any\n\t other bug.\n\n", "edition": 3, "enchantments": {"dependencies": {"modified": "2018-08-31T01:15:23", "references": [{"idList": ["CVE-2009-3386"], "type": "cve"}, {"idList": ["FREEBSD_PKG_92CA92C1D85911DE89F9001517351C22.NASL", "FEDORA_2009-11919.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:136141256231066323", "OPENVAS:100358", "OPENVAS:66341", "OPENVAS:136141256231066341", "OPENVAS:862217", "OPENVAS:862552", "OPENVAS:1361412562310862552", "OPENVAS:1361412562310100358", "OPENVAS:66323", "OPENVAS:1361412562310862217"], "type": "openvas"}, {"idList": ["SSV:12668"], "type": "seebug"}]}, "score": {"value": 5.0, "vector": "NONE"}}, "hash": "17564a24382c20c2a71136321a64606f9c3c933df16e6e57bee85fbc4ad48fe3", "hashmap": [{"hash": "7a95d0012b04d11ec10620b0c066bf66", "key": "title"}, {"hash": "850f552184450b0c04924775ac980c5e", "key": "description"}, {"hash": "cb1de9ec2bf483332f9a0a48993b8515", "key": "cvelist"}, {"hash": "4e7db8f2517e8fdb048e6c5ca1640d49", "key": "modified"}, {"hash": "a29a986c3a7009c06f2ec5906d3c8a92", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "4e7db8f2517e8fdb048e6c5ca1640d49", "key": "published"}, {"hash": "faffe4e46d85ad54fcc128fc48014552", "key": "affectedPackage"}, {"hash": "a792e2393dff1e200b885c5245988f6f", "key": "cvss"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "b6ed8fe758a5ec9b39e1099b6eebbd6d", "key": "href"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/92ca92c1-d859-11de-89f9-001517351c22.html", "id": "92CA92C1-D859-11DE-89F9-001517351C22", "lastseen": "2018-08-31T01:15:23", "modified": "2009-11-18T00:00:00", "objectVersion": "1.3", "published": "2009-11-18T00:00:00", "references": ["http://www.bugzilla.org/security/3.4.3/"], "reporter": "FreeBSD", "title": "bugzilla -- information leak", "type": "freebsd", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-31T01:15:23"}, {"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "bugzilla", "packageVersion": "3.4.4"}], "bulletinFamily": "unix", "cvelist": ["CVE-2009-3386"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "\nA Bugzilla Security Advisory reports:\n\nWhen a bug is in a group, none of its information\n\t (other than its status and resolution) should be visible\n\t to users outside that group. It was discovered that\n\t as of 3.3.2, Bugzilla was showing the alias of the bug\n\t (a very short string used as a shortcut for looking up\n\t the bug) to users outside of the group, if the protected\n\t bug ended up in the \"Depends On\" or \"Blocks\" list of any\n\t other bug.\n\n", "edition": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "17564a24382c20c2a71136321a64606f9c3c933df16e6e57bee85fbc4ad48fe3", "hashmap": [{"hash": "7a95d0012b04d11ec10620b0c066bf66", "key": "title"}, {"hash": "850f552184450b0c04924775ac980c5e", "key": "description"}, {"hash": "cb1de9ec2bf483332f9a0a48993b8515", "key": "cvelist"}, {"hash": "4e7db8f2517e8fdb048e6c5ca1640d49", "key": "modified"}, {"hash": "a29a986c3a7009c06f2ec5906d3c8a92", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "4e7db8f2517e8fdb048e6c5ca1640d49", "key": "published"}, {"hash": "faffe4e46d85ad54fcc128fc48014552", "key": "affectedPackage"}, {"hash": "a792e2393dff1e200b885c5245988f6f", "key": "cvss"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "b6ed8fe758a5ec9b39e1099b6eebbd6d", "key": "href"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/92ca92c1-d859-11de-89f9-001517351c22.html", "id": "92CA92C1-D859-11DE-89F9-001517351C22", "lastseen": "2016-09-26T17:24:50", "modified": "2009-11-18T00:00:00", "objectVersion": "1.2", "published": "2009-11-18T00:00:00", "references": ["http://www.bugzilla.org/security/3.4.3/"], "reporter": "FreeBSD", "title": "bugzilla -- information leak", "type": "freebsd", "viewCount": 1}, "differentElements": ["cvss"], "edition": 1, "lastseen": "2016-09-26T17:24:50"}, {"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "bugzilla", "packageVersion": "3.4.4"}], "bulletinFamily": "unix", "cvelist": ["CVE-2009-3386"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "\nA Bugzilla Security Advisory reports:\n\nWhen a bug is in a group, none of its information\n\t (other than its status and resolution) should be visible\n\t to users outside that group. It was discovered that\n\t as of 3.3.2, Bugzilla was showing the alias of the bug\n\t (a very short string used as a shortcut for looking up\n\t the bug) to users outside of the group, if the protected\n\t bug ended up in the \"Depends On\" or \"Blocks\" list of any\n\t other bug.\n\n", "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "78945e7c230726e89166568af3f9fd3ee15f0f1216876ab2554b393b74169de5", "hashmap": [{"hash": "7a95d0012b04d11ec10620b0c066bf66", "key": "title"}, {"hash": "850f552184450b0c04924775ac980c5e", "key": "description"}, {"hash": "cb1de9ec2bf483332f9a0a48993b8515", "key": "cvelist"}, {"hash": "4e7db8f2517e8fdb048e6c5ca1640d49", "key": "modified"}, {"hash": "a29a986c3a7009c06f2ec5906d3c8a92", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "4e7db8f2517e8fdb048e6c5ca1640d49", "key": "published"}, {"hash": "faffe4e46d85ad54fcc128fc48014552", "key": "affectedPackage"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "b6ed8fe758a5ec9b39e1099b6eebbd6d", "key": "href"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/92ca92c1-d859-11de-89f9-001517351c22.html", "id": "92CA92C1-D859-11DE-89F9-001517351C22", "lastseen": "2018-08-30T19:15:28", "modified": "2009-11-18T00:00:00", "objectVersion": "1.3", "published": "2009-11-18T00:00:00", "references": ["http://www.bugzilla.org/security/3.4.3/"], "reporter": "FreeBSD", "title": "bugzilla -- information leak", "type": "freebsd", "viewCount": 1}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-30T19:15:28"}], "edition": 4, "hashmap": [{"key": "affectedPackage", "hash": "faffe4e46d85ad54fcc128fc48014552"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "cb1de9ec2bf483332f9a0a48993b8515"}, {"key": "cvss", "hash": "a89198c45ce87f7ec9735a085150b708"}, {"key": "description", "hash": "850f552184450b0c04924775ac980c5e"}, {"key": "href", "hash": "b6ed8fe758a5ec9b39e1099b6eebbd6d"}, {"key": "modified", "hash": "4e7db8f2517e8fdb048e6c5ca1640d49"}, {"key": "published", "hash": "4e7db8f2517e8fdb048e6c5ca1640d49"}, {"key": "references", "hash": "a29a986c3a7009c06f2ec5906d3c8a92"}, {"key": "reporter", "hash": "a3dc630729e463135f4e608954fa6e19"}, {"key": "title", "hash": "7a95d0012b04d11ec10620b0c066bf66"}, {"key": "type", "hash": "1527e888767cdce15d200b870b39cfd0"}], "hash": "b03933250436e41d4a00434b53422ac58688a5d6d9bba5665c428e445467c181", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-3386"]}, {"type": "openvas", "idList": ["OPENVAS:100358", "OPENVAS:66341", "OPENVAS:136141256231066323", "OPENVAS:66323", "OPENVAS:136141256231066341", "OPENVAS:1361412562310100358", "OPENVAS:1361412562310862217", "OPENVAS:862217", "OPENVAS:1361412562310862552", "OPENVAS:862552"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_92CA92C1D85911DE89F9001517351C22.NASL", "FEDORA_2009-11919.NASL", "FEDORA_2010-13072.NASL"]}, {"type": "seebug", "idList": ["SSV:12668"]}], "modified": "2019-05-29T18:34:11"}, "score": {"value": 5.1, "vector": "NONE", "modified": "2019-05-29T18:34:11"}, "vulnersScore": 5.1}, "objectVersion": "1.3", "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "bugzilla", "packageVersion": "3.4.4"}], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:10:00", "bulletinFamily": "NVD", "description": "Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allows remote attackers to discover the alias of a private bug by reading the (1) Depends On or (2) Blocks field of a related bug.", "modified": "2017-08-17T01:31:00", "id": "CVE-2009-3386", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3386", "published": "2009-11-20T17:30:00", "title": "CVE-2009-3386", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2017-07-02T21:14:09", "bulletinFamily": "scanner", "description": "Bugzilla is prone to an information-disclosure vulnerability.\n\nThe issue may allow attackers to obtain potentially sensitive\ninformation that may aid in other attacks.\n\nThe issue affects the following:\n\nBugzilla 3.3.2 through 3.4.3 Bugzilla 3.5 through 3.5.1", "modified": "2016-11-18T00:00:00", "published": "2009-11-20T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=100358", "id": "OPENVAS:100358", "title": "Bugzilla Bug Alias Information Disclosure Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: bugzilla_37062.nasl 4574 2016-11-18 13:36:58Z teissa $\n#\n# Bugzilla Bug Alias Information Disclosure Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Bugzilla is prone to an information-disclosure vulnerability.\n\nThe issue may allow attackers to obtain potentially sensitive\ninformation that may aid in other attacks.\n\nThe issue affects the following:\n\nBugzilla 3.3.2 through 3.4.3 Bugzilla 3.5 through 3.5.1\";\n\n\ntag_solution = \"Updates are available. Please see the references for details.\";\n\nif (description)\n{\n script_id(100358);\n script_version(\"$Revision: 4574 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-11-18 14:36:58 +0100 (Fri, 18 Nov 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-20 12:35:38 +0100 (Fri, 20 Nov 2009)\");\n script_cve_id(\"CVE-2009-3386\");\n script_bugtraq_id(37062);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_name(\"Bugzilla Bug Alias Information Disclosure Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/37062\");\n script_xref(name : \"URL\" , value : \"http://www.bugzilla.org\");\n script_xref(name : \"URL\" , value : \"http://www.bugzilla.org/security/3.4.3/\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2009 Greenbone Networks GmbH\");\n script_dependencies(\"bugzilla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nport = get_http_port(default:80);\nif(!get_port_state(port))exit(0);\n\nif (!can_host_php(port:port)) exit(0);\n\nif(!version = get_kb_item(string(\"www/\", port, \"/bugzilla/version\")))exit(0);\n\nif(!isnull(version) && version >!< \"unknown\") {\n\n if(version =~ \"3\\.5\") {\n if(version_is_less(version: version, test_version: \"3.5.2 \")) {\n security_message(port:port);\n exit(0);\n } \n }\n else if(version =~ \"3\\.(3|4)\") { \n if(version_in_range(version: version, test_version: \"3.3.2\", test_version2: \"3.4.3\")) {\n security_message(port:port);\n exit(0);\n } \n } \n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-02T21:14:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-12-21T00:00:00", "published": "2009-12-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=66341", "id": "OPENVAS:66341", "title": "FreeBSD Ports: bugzilla", "type": "openvas", "sourceData": "#\n#VID 92ca92c1-d859-11de-89f9-001517351c22\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 92ca92c1-d859-11de-89f9-001517351c22\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: bugzilla\n\nCVE-2009-3386\nTemplate.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1\nallows remote attackers to discover the alias of a private bug by\nreading the (1) Depends On or (2) Blocks field of a related bug.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.bugzilla.org/security/3.4.3/\nhttp://www.vuxml.org/freebsd/92ca92c1-d859-11de-89f9-001517351c22.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(66341);\n script_version(\"$Revision: 4824 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-21 09:49:38 +0100 (Wed, 21 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-03 22:10:42 +0100 (Thu, 03 Dec 2009)\");\n script_cve_id(\"CVE-2009-3386\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"FreeBSD Ports: bugzilla\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"bugzilla\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.3.1\")>0 && revcomp(a:bver, b:\"3.4.4\")<0) {\n txt += 'Package bugzilla version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:39:10", "bulletinFamily": "scanner", "description": "The remote host is missing an update to bugzilla\nannounced via advisory FEDORA-2009-11919.", "modified": "2018-04-06T00:00:00", "published": "2009-12-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066323", "id": "OPENVAS:136141256231066323", "type": "openvas", "title": "Fedora Core 12 FEDORA-2009-11919 (bugzilla)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_11919.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-11919 (bugzilla)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nBugzilla 3.4.4 fixes security issues that were found in previous\nversions of the software where private information would be leaked\nto other users.\n\nCVE Number: CVE-2009-3386\n\nSee upstream security advisory for additional details:\nhttp://www.bugzilla.org/security/3.4.3/\n\nChangeLog:\n\n* Thu Nov 19 2009 Emmanuel Seyman - 3.4.4-1\n- Update to 3.4.4 (CVE-2009-3386)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update bugzilla' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-11919\";\ntag_summary = \"The remote host is missing an update to bugzilla\nannounced via advisory FEDORA-2009-11919.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66323\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-03 22:10:42 +0100 (Thu, 03 Dec 2009)\");\n script_cve_id(\"CVE-2009-3386\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 12 FEDORA-2009-11919 (bugzilla)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=539598\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~3.4.4~1.fc12\", rls:\"FC12\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"bugzilla-contrib\", rpm:\"bugzilla-contrib~3.4.4~1.fc12\", rls:\"FC12\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"bugzilla-doc\", rpm:\"bugzilla-doc~3.4.4~1.fc12\", rls:\"FC12\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"bugzilla-doc-build\", rpm:\"bugzilla-doc-build~3.4.4~1.fc12\", rls:\"FC12\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:43", "bulletinFamily": "scanner", "description": "The remote host is missing an update to bugzilla\nannounced via advisory FEDORA-2009-11919.", "modified": "2017-07-10T00:00:00", "published": "2009-12-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=66323", "id": "OPENVAS:66323", "title": "Fedora Core 12 FEDORA-2009-11919 (bugzilla)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_11919.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-11919 (bugzilla)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nBugzilla 3.4.4 fixes security issues that were found in previous\nversions of the software where private information would be leaked\nto other users.\n\nCVE Number: CVE-2009-3386\n\nSee upstream security advisory for additional details:\nhttp://www.bugzilla.org/security/3.4.3/\n\nChangeLog:\n\n* Thu Nov 19 2009 Emmanuel Seyman - 3.4.4-1\n- Update to 3.4.4 (CVE-2009-3386)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update bugzilla' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-11919\";\ntag_summary = \"The remote host is missing an update to bugzilla\nannounced via advisory FEDORA-2009-11919.\";\n\n\n\nif(description)\n{\n script_id(66323);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-03 22:10:42 +0100 (Thu, 03 Dec 2009)\");\n script_cve_id(\"CVE-2009-3386\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 12 FEDORA-2009-11919 (bugzilla)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=539598\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~3.4.4~1.fc12\", rls:\"FC12\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"bugzilla-contrib\", rpm:\"bugzilla-contrib~3.4.4~1.fc12\", rls:\"FC12\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"bugzilla-doc\", rpm:\"bugzilla-doc~3.4.4~1.fc12\", rls:\"FC12\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"bugzilla-doc-build\", rpm:\"bugzilla-doc-build~3.4.4~1.fc12\", rls:\"FC12\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:40:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-04-06T00:00:00", "published": "2009-12-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066341", "id": "OPENVAS:136141256231066341", "type": "openvas", "title": "FreeBSD Ports: bugzilla", "sourceData": "#\n#VID 92ca92c1-d859-11de-89f9-001517351c22\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 92ca92c1-d859-11de-89f9-001517351c22\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: bugzilla\n\nCVE-2009-3386\nTemplate.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1\nallows remote attackers to discover the alias of a private bug by\nreading the (1) Depends On or (2) Blocks field of a related bug.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.bugzilla.org/security/3.4.3/\nhttp://www.vuxml.org/freebsd/92ca92c1-d859-11de-89f9-001517351c22.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66341\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-03 22:10:42 +0100 (Thu, 03 Dec 2009)\");\n script_cve_id(\"CVE-2009-3386\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"FreeBSD Ports: bugzilla\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"bugzilla\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.3.1\")>0 && revcomp(a:bver, b:\"3.4.4\")<0) {\n txt += 'Package bugzilla version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-07-25T12:24:14", "bulletinFamily": "scanner", "description": "Bugzilla is prone to an information-disclosure vulnerability.", "modified": "2019-07-24T00:00:00", "published": "2009-11-20T00:00:00", "id": "OPENVAS:1361412562310100358", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100358", "title": "Bugzilla Bug Alias Information Disclosure Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Bugzilla Bug Alias Information Disclosure Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:bugzilla\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100358\");\n script_version(\"2019-07-24T11:36:46+0000\");\n script_tag(name:\"last_modification\", value:\"2019-07-24 11:36:46 +0000 (Wed, 24 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2009-11-20 12:35:38 +0100 (Fri, 20 Nov 2009)\");\n script_cve_id(\"CVE-2009-3386\");\n script_bugtraq_id(37062);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_name(\"Bugzilla Bug Alias Information Disclosure Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/37062\");\n script_xref(name:\"URL\", value:\"http://www.bugzilla.org/security/3.4.3/\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2009 Greenbone Networks GmbH\");\n script_dependencies(\"bugzilla_detect.nasl\");\n script_mandatory_keys(\"bugzilla/installed\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references for details.\");\n\n script_tag(name:\"summary\", value:\"Bugzilla is prone to an information-disclosure vulnerability.\");\n\n script_tag(name:\"impact\", value:\"The issue may allow attackers to obtain potentially sensitive\n information that may aid in other attacks.\");\n\n script_tag(name:\"affected\", value:\"Bugzilla 3.3.2 through 3.4.3 Bugzilla 3.5 through 3.5.1\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^3\\.5\") {\n if (version_is_less(version: version, test_version: \"3.5.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.5.2\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\nelse if (version =~ \"^3\\.[34]\") {\n if (version_in_range(version: version, test_version: \"3.3.2\", test_version2: \"3.4.3\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.4.4\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2018-01-18T11:05:04", "bulletinFamily": "scanner", "description": "Check for the Version of bugzilla", "modified": "2018-01-17T00:00:00", "published": "2010-07-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862217", "id": "OPENVAS:1361412562310862217", "title": "Fedora Update for bugzilla FEDORA-2010-10398", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2010-10398\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"bugzilla on Fedora 12\";\ntag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\n It requires a database engine installed - either MySQL, PostgreSQL or Oracle.\n Without one of these database engines (local or remote), Bugzilla will not work\n - see the Release Notes for details.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-July/043716.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862217\");\n script_version(\"$Revision: 8440 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 08:58:46 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-07-06 10:05:18 +0200 (Tue, 06 Jul 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-10398\");\n script_cve_id(\"CVE-2010-1204\", \"CVE-2009-3989\", \"CVE-2009-3387\", \"CVE-2009-3386\");\n script_name(\"Fedora Update for bugzilla FEDORA-2010-10398\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC12\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~3.4.7~1.fc12\", rls:\"FC12\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-12-20T13:18:24", "bulletinFamily": "scanner", "description": "Check for the Version of bugzilla", "modified": "2017-12-19T00:00:00", "published": "2010-07-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=862217", "id": "OPENVAS:862217", "title": "Fedora Update for bugzilla FEDORA-2010-10398", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2010-10398\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"bugzilla on Fedora 12\";\ntag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\n It requires a database engine installed - either MySQL, PostgreSQL or Oracle.\n Without one of these database engines (local or remote), Bugzilla will not work\n - see the Release Notes for details.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-July/043716.html\");\n script_id(862217);\n script_version(\"$Revision: 8164 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-19 07:30:41 +0100 (Tue, 19 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-07-06 10:05:18 +0200 (Tue, 06 Jul 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-10398\");\n script_cve_id(\"CVE-2010-1204\", \"CVE-2009-3989\", \"CVE-2009-3387\", \"CVE-2009-3386\");\n script_name(\"Fedora Update for bugzilla FEDORA-2010-10398\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC12\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~3.4.7~1.fc12\", rls:\"FC12\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-25T10:55:17", "bulletinFamily": "scanner", "description": "Check for the Version of bugzilla", "modified": "2018-01-24T00:00:00", "published": "2010-11-16T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862552", "id": "OPENVAS:1361412562310862552", "type": "openvas", "title": "Fedora Update for bugzilla FEDORA-2010-17235", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2010-17235\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"bugzilla on Fedora 12\";\ntag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\n It requires a database engine installed - either MySQL, PostgreSQL or Oracle.\n Without one of these database engines (local or remote), Bugzilla will not work\n - see the Release Notes for details.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862552\");\n script_version(\"$Revision: 8510 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 08:57:42 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-11-16 14:49:48 +0100 (Tue, 16 Nov 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-17235\");\n script_cve_id(\"CVE-2010-3764\", \"CVE-2010-1204\", \"CVE-2009-3989\", \"CVE-2009-3387\", \"CVE-2009-3386\", \"CVE-2010-3172\");\n script_name(\"Fedora Update for bugzilla FEDORA-2010-17235\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC12\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~3.4.9~1.fc12\", rls:\"FC12\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-02T10:54:37", "bulletinFamily": "scanner", "description": "Check for the Version of bugzilla", "modified": "2017-12-25T00:00:00", "published": "2010-11-16T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=862552", "id": "OPENVAS:862552", "title": "Fedora Update for bugzilla FEDORA-2010-17235", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2010-17235\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"bugzilla on Fedora 12\";\ntag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\n It requires a database engine installed - either MySQL, PostgreSQL or Oracle.\n Without one of these database engines (local or remote), Bugzilla will not work\n - see the Release Notes for details.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html\");\n script_id(862552);\n script_version(\"$Revision: 8243 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-25 07:30:04 +0100 (Mon, 25 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-11-16 14:49:48 +0100 (Tue, 16 Nov 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-17235\");\n script_cve_id(\"CVE-2010-3764\", \"CVE-2010-1204\", \"CVE-2009-3989\", \"CVE-2009-3387\", \"CVE-2009-3386\", \"CVE-2010-3172\");\n script_name(\"Fedora Update for bugzilla FEDORA-2010-17235\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC12\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~3.4.9~1.fc12\", rls:\"FC12\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T18:29:37", "bulletinFamily": "exploit", "description": "Bugraq ID: 37062\r\nCVE ID\uff1aCVE-2009-3386\r\n\r\nMozilla Bugzilla\u662f\u4e00\u6b3e\u57fa\u4e8eWeb\u7684BUG\u8ddf\u8e2a\u7cfb\u7edf\u3002\r\nMozilla Bugzilla\u663e\u793a"Depends On"\u6216"Blocks"\u5217\u8868\u4e2d\u7684\u53d7\u9650\u5236bugs\u7684\u522b\u540d\u65f6\u5b58\u5728\u9519\u8bef\uff0c\u53ef\u5bfc\u81f4\u6cc4\u6f0f\u654f\u611f\u4fe1\u606f\u3002\r\n\u5f53\u67d0\u4e2abug\u5c5e\u4e8e\u67d0\u4e2a\u7ec4\u65f6\uff0c\u672c\u6765\u5b83\u6240\u6709\u4fe1\u606f\u5bf9\u6b64\u7ec4\u4e4b\u5916\u7684\u7528\u6237\u662f\u4e0d\u53ef\u89c1\u7684\u3002\u4f46\u662f\u5b58\u5728\u6f0f\u6d1e\u53ef\u663e\u793a(\u975e\u5e38\u77ed\u7684\u5b57\u7b26\u4e32\u4f5c\u4e3a\u5feb\u6377\u65b9\u5f0f\u7528\u4e8e\u67e5\u8be2bug)"Depends On"\u6216"Blocks"\u5217\u8868\u4e2d\u7684\u53d7\u9650\u5236bugs\u7684\u522b\u540d\u7ed9\u6b64\u7ec4\u4ee5\u5916\u7684\u5176\u4ed6\u7528\u6237\uff0c\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u3002\n\nMozilla Bugzilla 3.5.1 \r\nMozilla Bugzilla 3.4.3 \r\nMozilla Bugzilla 3.4.2 \r\nMozilla Bugzilla 3.4.1 \r\nMozilla Bugzilla 3.3.4 \r\nMozilla Bugzilla 3.3.3 \r\nMozilla Bugzilla 3.3.3 \r\nMozilla Bugzilla 3.3.2 \r\nMozilla Bugzilla 3.5\r\nMozilla Bugzilla 3.4 rc1\r\nMozilla Bugzilla 3.4\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u5347\u7ea7\u5230\u5982\u4e0b\u7248\u672c\uff1a\r\nMozilla Bugzilla 3.4 rc1\r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.5\r\nMozilla bugzilla-3.5.2.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.5.2.tar.gz\r\nMozilla Bugzilla 3.4\r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.3.2 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.3.3 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.3.3 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.3.4 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.4.1 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.4.2 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.4.3 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.5.1 \r\nMozilla bugzilla-3.5.2.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.5.2.tar.gz", "modified": "2009-11-20T00:00:00", "published": "2009-11-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12668", "id": "SSV:12668", "type": "seebug", "title": "Mozilla Bugzilla bug\u522b\u540d\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2019-11-01T02:26:40", "bulletinFamily": "scanner", "description": "Bugzilla 3.4.4 fixes security issues that were found in previous\nversions of the software where private information would be leaked to\nother users. CVE Number: CVE-2009-3386 See upstream security advisory\nfor additional details: http://www.bugzilla.org/security/3.4.3/\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2009-11919.NASL", "href": "https://www.tenable.com/plugins/nessus/42885", "published": "2009-11-25T00:00:00", "title": "Fedora 12 : bugzilla-3.4.4-1.fc12 (2009-11919)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-11919.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(42885);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/08/02 13:32:29\");\n\n script_cve_id(\"CVE-2009-3386\");\n script_bugtraq_id(37062);\n script_xref(name:\"FEDORA\", value:\"2009-11919\");\n\n script_name(english:\"Fedora 12 : bugzilla-3.4.4-1.fc12 (2009-11919)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bugzilla 3.4.4 fixes security issues that were found in previous\nversions of the software where private information would be leaked to\nother users. CVE Number: CVE-2009-3386 See upstream security advisory\nfor additional details: http://www.bugzilla.org/security/3.4.3/\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.bugzilla.org/security/3.4.3/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.bugzilla.org/security/3.4.3/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=539598\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-November/031318.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e59e778f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bugzilla package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bugzilla\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^12([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 12.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC12\", reference:\"bugzilla-3.4.4-1.fc12\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bugzilla\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-01T02:39:03", "bulletinFamily": "scanner", "description": "A Bugzilla Security Advisory reports :\n\nWhen a bug is in a group, none of its information (other than its\nstatus and resolution) should be visible to users outside that group.\nIt was discovered that as of 3.3.2, Bugzilla was showing the alias of\nthe bug (a very short string used as a shortcut for looking up the\nbug) to users outside of the group, if the protected bug ended up in\nthe ", "modified": "2019-11-02T00:00:00", "id": "FREEBSD_PKG_92CA92C1D85911DE89F9001517351C22.NASL", "href": "https://www.tenable.com/plugins/nessus/42875", "published": "2009-11-24T00:00:00", "title": "FreeBSD : bugzilla -- information leak (92ca92c1-d859-11de-89f9-001517351c22)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(42875);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/08/02 13:32:40\");\n\n script_cve_id(\"CVE-2009-3386\");\n\n script_name(english:\"FreeBSD : bugzilla -- information leak (92ca92c1-d859-11de-89f9-001517351c22)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A Bugzilla Security Advisory reports :\n\nWhen a bug is in a group, none of its information (other than its\nstatus and resolution) should be visible to users outside that group.\nIt was discovered that as of 3.3.2, Bugzilla was showing the alias of\nthe bug (a very short string used as a shortcut for looking up the\nbug) to users outside of the group, if the protected bug ended up in\nthe 'Depends On' or 'Blocks' list of any other bug.\"\n );\n # http://www.bugzilla.org/security/3.4.3/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.bugzilla.org/security/3.4.3/\"\n );\n # https://vuxml.freebsd.org/freebsd/92ca92c1-d859-11de-89f9-001517351c22.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bf0e0ee1\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cwe_id(200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bugzilla\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/11/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"bugzilla>3.3.1<3.4.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-01T02:26:45", "bulletinFamily": "scanner", "description": " - Thu Aug 19 2010 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.8-1\n\n - Update to 3.4.8 (#623426, #615331)\n\n - Only run checksetup if /etc/bugzilla/localconfig does\n not exist (#610210)\n\n - Add bugzilla-contrib to Requires (#610198)\n\n - Remove mod_perl from the requirements (#600924)\n\n - Fri Jun 25 2010 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.7-1\n\n - Update to 3.4.7 (CVE-2010-1204)\n\n - Mon Feb 1 2010 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.5-1\n\n - Update to 3.4.5 (CVE-2009-3989, CVE-2009-3387)\n\n - Remove bugzilla-EL5-perl-versions.patch which is\n EPEL-specific\n\n - Thu Nov 19 2009 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.4-1\n\n - Update to 3.4.4 (CVE-2009-3386)\n\n - Wed Nov 11 2009 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.3-1\n\n - Update to 3.4.3 (fixes memory leak issues)\n\n - Add perl(Digest::SHA) in the Requires\n\n - Specify Perl module versions in the Requires (fixes\n #524309)\n\n - Add an alias to make $webdotdir a working path (fixes\n #458848)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2010-13072.NASL", "href": "https://www.tenable.com/plugins/nessus/48913", "published": "2010-08-29T00:00:00", "title": "Fedora 12 : bugzilla-3.4.8-1.fc12 (2010-13072)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2010-13072.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48913);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/08/02 13:32:31\");\n\n script_cve_id(\"CVE-2010-2756\", \"CVE-2010-2757\", \"CVE-2010-2758\", \"CVE-2010-2759\");\n script_bugtraq_id(42275);\n script_xref(name:\"FEDORA\", value:\"2010-13072\");\n\n script_name(english:\"Fedora 12 : bugzilla-3.4.8-1.fc12 (2010-13072)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Thu Aug 19 2010 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.8-1\n\n - Update to 3.4.8 (#623426, #615331)\n\n - Only run checksetup if /etc/bugzilla/localconfig does\n not exist (#610210)\n\n - Add bugzilla-contrib to Requires (#610198)\n\n - Remove mod_perl from the requirements (#600924)\n\n - Fri Jun 25 2010 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.7-1\n\n - Update to 3.4.7 (CVE-2010-1204)\n\n - Mon Feb 1 2010 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.5-1\n\n - Update to 3.4.5 (CVE-2009-3989, CVE-2009-3387)\n\n - Remove bugzilla-EL5-perl-versions.patch which is\n EPEL-specific\n\n - Thu Nov 19 2009 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.4-1\n\n - Update to 3.4.4 (CVE-2009-3386)\n\n - Wed Nov 11 2009 Emmanuel Seyman <emmanuel.seyman at\n club-internet.fr> - 3.4.3-1\n\n - Update to 3.4.3 (fixes memory leak issues)\n\n - Add perl(Digest::SHA) in the Requires\n\n - Specify Perl module versions in the Requires (fixes\n #524309)\n\n - Add an alias to make $webdotdir a working path (fixes\n #458848)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=623423\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2010-August/046534.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?48035cf2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bugzilla package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bugzilla\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/08/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^12([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 12.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC12\", reference:\"bugzilla-3.4.8-1.fc12\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bugzilla\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}
