Closed
Bug 1042093
Opened 10 years ago
Closed 10 years ago
Security advisory for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14
Categories
(Bugzilla :: Documentation, defect)
RESOLVED FIXED
People
(Reporter: dkl, Assigned: dkl)
Attachments
(1 file, 1 obsolete file)
patch (dkl: review+)
One or more security fixes exist for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14 and will need a security advisory.
Flags: blocking4.4.5?
Flags: blocking4.2.10?
Flags: blocking4.0.14?
Updated•10 years ago
Depends on: CVE-2014-1546
Updated•10 years ago
Flags: blocking4.4.5?
Flags: blocking4.4.5+
Flags: blocking4.2.10?
Flags: blocking4.2.10+
Flags: blocking4.0.14?
Flags: blocking4.0.14+
Comment 1•10 years ago
Attachment #8460843 -
Flags: review?(glob)
Comment 2•10 years ago
Comment on attachment 8460843 [details]
sec_adv_4.0.13.txt
>Credits
>=======
>
>The Bugzilla team wish to thank the following people/organizations for
>their assistance in locating, advising us of, and assisting us in fixing
>these issues:
>
>Mario Gomes
We usually also credit the patch author and reviewer.
Comment 3•10 years ago
Comment on attachment 8460843 [details]
sec_adv_4.0.13.txt
> We usually also credit the patch author and reviewer.
thanks lpsolit -- please add reed, sgreen, and myself.
otherwise it looks good.
Attachment #8460843 -
Flags: review?(glob) → review+
Comment 4•10 years ago
Comment on attachment 8460843 [details]
sec_adv_4.0.13.txt
>Versions: 3.7 to 4.0.13, 4.1.1 to 4.2.11, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5
Err wait, these versions are wrong. It must be:
Versions: 3.7.1 to 4.0.13, 4.1.1 to 4.2.9, 4.3.1 to 4.4.4, 4.5.1 to 4.5.4
This is the list of *affected* releases, and so 3.7 doesn't exist (the first release with this bug was 3.7.1, see bug 550727), nor does 4.2.11 (where does this version come from?), and 4.5.5 and 4.4.5 are fixed, not affected.
>Description: Adobe does not properly restrict the SWF file format, which allows
> remote attackers to conduct cross-site request forgery (CSRF) attacks
> against Bugzilla's JSONP endpoint, possibly obtaining sensitive
> bug information, via a crafted OBJECT element with SWF content satisfying
> the character-set requirements of a callback API.
These lines are longer than the 72 characters we usually use as a hard limit to prevent wrapping in some email clients.
>The fixes for these issues are included in the 4.0.14, 4.2.10, and 4.4.5
>releases.
You forgot to mention 4.5.5, which is also fixed.
Also, you forgot to credit some people, see the previous comments.
I know I'm no longer a reviewer, but r- anyway.
Attachment #8460843 -
Flags: review-
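The advisory text quoted in this comment describes a JSONP endpoint whose callback name lets a response double as SWF content. The following is an added example, not Bugzilla's own code: the callback regex and the `/**/` prefix are assumptions about a common server-side hardening, shown here to illustrate why an identifier check alone does not stop a response from starting with a SWF header.

```python
import json
import re

# Added example, not Bugzilla's code. Callback names are limited to a
# dotted JavaScript identifier path such as "cb" or "app.handlers.cb"
# (the exact rule is an assumption, not Bugzilla's).
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# The first three bytes of an uncompressed ("FWS") or zlib-compressed
# ("CWS") SWF file. A byte stream starting otherwise is not a SWF.
SWF_MAGIC = (b"FWS", b"CWS")


def is_valid_callback(name: str) -> bool:
    """Identifier check only: blocks script injection, not SWF magic."""
    return CALLBACK_RE.match(name) is not None


def naive_jsonp(payload, callback: str) -> str:
    """Weak form: validates the name but lets the response begin with it."""
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback name")
    return callback + "(" + json.dumps(payload, separators=(",", ":")) + ");"


def hardened_jsonp(payload, callback: str) -> str:
    """Hardened form: same validation, plus a leading JS comment so the
    first bytes of the body are fixed and can never equal a SWF header."""
    return "/**/" + naive_jsonp(payload, callback)


def looks_like_swf(data: bytes) -> bool:
    """Detection helper: does this response body start like a SWF file?"""
    return data[:3] in SWF_MAGIC


if __name__ == "__main__":
    # "CWS" is a perfectly legal identifier, so the weak form emits SWF magic.
    weak = naive_jsonp({"ok": True}, "CWS")
    safe = hardened_jsonp({"ok": True}, "CWS")
    print(weak, looks_like_swf(weak.encode()))   # CWS({"ok":true}); True
    print(safe, looks_like_swf(safe.encode()))   # /**/CWS({"ok":true}); False
```

The same `looks_like_swf` check can be run over captured responses from any JSONP endpoint to detect whether its output could be interpreted as a Flash file.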
Comment 5•10 years ago
Fixed all comments. Moving forward r+.
Attachment #8460843 -
Attachment is obsolete: true
Attachment #8461605 -
Flags: review+
Comment 6•10 years ago
Sec advisory sent.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
Group: bugzilla-security