MGASA-2016-0006

Source
https://advisories.mageia.org/MGASA-2016-0006.html
Import Source
https://advisories.mageia.org/MGASA-2016-0006.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2016-0006
Upstream
  • CVE-2015-4499
  • CVE-2015-8508
  • CVE-2015-8509
Published
2016-01-12T09:13:53Z
Modified
2026-04-16T06:24:42.559364606Z
Summary
Updated bugzilla packages fix security vulnerability
Details

Login names (usually an email address) longer than 127 characters are silently truncated in MySQL which could cause the domain name of the email address to be corrupted. An attacker could use this vulnerability to create an account with an email address different from the one originally requested. The login name could then be automatically added to groups based on the group's regular expression setting (CVE-2015-4499).

During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap function generates. This could be used for a cross-site scripting attack (CVE-2015-8508).

If an external HTML page contains a "script" tag with its src attribute pointing to a buglist in CSV format, some web browsers incorrectly try to parse the CSV file as valid JavaScript code. As the buglist is generated based on the privileges of the user logged into Bugzilla, the external page could collect confidential data contained in the CSV file (CVE-2015-8509).

The bugzilla package has been updated to version 4.4.11, fixing these issues and a few other bugs.

References
Credits

Affected packages

Mageia:5 / bugzilla

Package

Name
bugzilla
Purl
pkg:rpm/mageia/bugzilla?arch=source&distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.4.11-1.mga5

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2016-0006.json"