* SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
is enabled, allows remote attackers to read arbitrary files via an
XML file with a .. (dot dot) in the data element. (LP: #281915)
- debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
to remove any leading path data from the filename.
- CVE-2008-4437
-- Stefan Lesicnik <email address hidden> Sat, 11 Oct 2008 21:56:21 +0200
This bug was fixed in the package bugzilla - 2.22.1-2.2ubuntu1.8.04.1
---------------
bugzilla (2.22.1-2.2ubuntu1.8.04.1) hardy-security; urgency=low
* SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
is enabled, allows remote attackers to read arbitrary files via an
XML file with a .. (dot dot) in the data element. (LP: #281915)
- debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
to remove any leading path data from the filename.
- CVE-2008-4437
-- Stefan Lesicnik <email address hidden> Sat, 11 Oct 2008 21:56:21 +0200
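
The changelog describes the fix as a regex that removes any leading path data from the filename. The Perl sketch below is an added example of that kind of check, not the upstream patch or the contents of CVE-2008-4437.dpatch. It also goes one step further by confirming that the resolved file stays inside the attachment directory. The helper names `strip_leading_path` and `resolve_attachment` are hypothetical, the sample inputs are constructed, and Unix-style path separators are assumed for the containment test.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: reduce an untrusted filename to its last component.
sub strip_leading_path {
    my ($name) = @_;
    return undef unless defined $name;
    return undef if $name =~ /\0/;         # embedded NUL is never legitimate
    $name =~ s{^.*[\\/]}{}s;               # drop everything up to the last / or \
    return undef if $name eq '' || $name eq '.' || $name eq '..';
    return $name;
}

# Hypothetical helper: resolve the name under $base and verify containment.
# realpath() follows symlinks, so a link that points outside $base is refused.
sub resolve_attachment {
    my ($base, $untrusted) = @_;
    my $name = strip_leading_path($untrusted);
    return undef unless defined $name;
    my $root = realpath($base);
    return undef unless defined $root;
    my $path = realpath(File::Spec->catfile($root, $name));
    return undef unless defined $path && -f $path;
    # Assumption: "/" is the directory separator on this system.
    return index($path, "$root/") == 0 ? $path : undef;
}

# Constructed demo: a temporary attachment directory holding one file.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($dir, 'report.txt')) or die "open: $!";
close $fh;

# Constructed sample values for the filename taken from the XML data element.
for my $in ('report.txt', '../../report.txt', '/tmp/x/report.txt',
            'sub\\report.txt', '..', 'missing.txt') {
    my $out = resolve_attachment($dir, $in);
    printf "%-20s => %s\n", $in,
        defined $out ? 'read from attachment directory' : 'rejected';
}
```

Names that carry path components are reduced to their final component, so they can only ever select a file that already sits in the attachment directory; names that reduce to nothing usable, or that do not exist there, are rejected.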