Committer: Bazaar Package Importer
Author(s): Christian Bjälevik
Date: 2005-06-14 11:06:00 UTC
Revision ID: james.westby@ubuntu.com-20050614110600-6ym7hbsq21bnzt3f
Tags: 2.16.5-2ubuntu0.2
* SECURITY UPDATE: multiple vulnerabilities
* CGI.pl, template/en/default/global/code-error.html.tmpl:
- Substitute <, > and & with their HTML alternatives to prevent XSS.
- CAN-2004-1061
* editgroups.cgi, editusers.cgi:
- Rewrite of the SQL queries for group handling to prevent SQL injection.
- CAN-2004-0707
* editgroups.cgi, editusers.cgi, editcomponents.cgi, editmilestones,
editproducts.cgi, editversions.cgi:
- Removed unneeded form value display code to fix an XSS vulnerability.
- CAN-2004-0705
* buglist.cgi, duplicates.cgi:
- Added a check to see if the user is privileged to see a hidden product.
This prevents an information leak that showed the user all products by
visiting duplicates.cgi. Also the check was needed for buglist.cgi.
- CAN-2004-0704
* References:
http://www.bugzilla.org/security/2.16.5/
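The three classes of fix in the changelog above (HTML-escaping output, binding SQL values instead of splicing them into query text, and filtering a product list by group membership) are shown side by side in the following added example. It is not Bugzilla's code and not part of the original changelog: Bugzilla is Perl and queries MySQL, whereas this uses Python's standard library and an in-memory SQLite database with a constructed, illustrative schema (`products`, `user_groups`, a `group_id` of 0 meaning "unrestricted") that does not match Bugzilla's real tables.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for product/group tables.
    # Assumption: the schema is illustrative only, not Bugzilla's.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, group_id INTEGER);
        CREATE TABLE user_groups (user_id INTEGER, group_id INTEGER);
        INSERT INTO products VALUES (1, 'PublicProduct', 0);
        INSERT INTO products VALUES (2, 'SecretProduct', 42);
        INSERT INTO user_groups VALUES (7, 42);
    """)
    return db


def products_by_name_unsafe(db, name):
    # Vulnerable pattern (the kind of query CAN-2004-0707 rewrote):
    # the user-supplied value becomes part of the SQL text itself.
    sql = "SELECT name FROM products WHERE name = '%s' ORDER BY id" % name
    return [row[0] for row in db.execute(sql)]


def products_by_name_safe(db, name):
    # Hardened form: a bind parameter is passed to the driver separately,
    # so quotes or operators in the value are never parsed as SQL.
    rows = db.execute(
        "SELECT name FROM products WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def error_html(message):
    # CAN-2004-1061 class of fix: replace <, > and & (and quotes) with
    # entities before a user-influenced string is echoed into an HTML
    # error page, so it cannot introduce markup or script.
    return '<p class="error">%s</p>' % html.escape(message, quote=True)


def visible_products(db, user_id):
    # CAN-2004-0704 class of fix: list only products that are either
    # unrestricted (group_id 0) or in a group the user belongs to,
    # instead of showing every product regardless of privilege.
    rows = db.execute("""
        SELECT p.name FROM products p
        WHERE p.group_id = 0
           OR p.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?)
        ORDER BY p.id""", (user_id,))
    return [row[0] for row in rows]
```

Running `products_by_name_unsafe` with the name `x' OR '1'='1` returns every product, including the restricted one, while the bound-parameter version returns nothing for that input; `visible_products` returns the restricted product only for a user in group 42.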