This is not an issue with WebKit, but with WebKit Bugzilla. I see that we are currently running Bugzilla 4.2.11, which was released in October 2014 and superseded by Bugzilla 4.2.12 in January 2015. Six security issues have been disclosed since that time. They are documented at https://www.bugzilla.org/security. Updating to version 4.2.16 would resolve five of the following issues. Updating to version 4.4.12 (which is currently used by GNOME Bugzilla) would resolve all of them. Class: Command Injection Versions: All versions before 4.0.16, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6 Fixed In: 4.0.16, 4.2.12, 4.4.7, 5.0rc1 Description: Some code in Bugzilla does not properly utilize 3 arguments form for open() and it is possible for an account with editcomponents permissions to inject commands into product names and other attributes. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1079065 CVE Number: CVE-2014-8630 Class: Information Leak Versions: 2.23.3 to 4.0.15, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6 Fixed In: 4.0.16, 4.2.12, 4.4.7, 5.0rc1 Description: Using the WebServices API, a user can possibly execute imported functions from other non-WebService modules. A whitelist has now been added that lists explicit methods that can be executed via the API. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1090275 Class: Unauthorized Account Creation Versions: Bugzilla 2.0 to 4.2.14, 4.3.1 to 4.4.9, 4.5.1 to 5.0 Fixed In: 4.2.15, 4.4.10, 5.0.1 Description: Login names (usually an email address) longer than 127 characters are silently truncated in MySQL which could cause the domain name of the email address to be corrupted. An attacker could use this vulnerability to create an account with an email address different from the one originally requested. The login name could then be automatically added to groups based on the group's regular expression setting. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1202447 CVE Number: CVE-2015-4499 Class: Cross-Site Scripting Versions: Bugzilla 2.6 to 4.2.15, 4.3.1 to 4.4.10, 4.5.1 to 5.0.1 Fixed In: 4.2.16, 4.4.11, 5.0.2 Description: During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap function generates. This could be used for a cross-site scripting attack. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1221518 CVE Number: CVE-2015-8508 Class: Information Leak Versions: Bugzilla 2.17.1 to 4.2.15, 4.3.1 to 4.4.10, 4.5.1 to 5.0.1 Fixed In: 4.2.16, 4.4.11, 5.0.2 Description: If an external HTML page contains a <script> element with its src attribute pointing to a buglist in CSV format, some web browsers incorrectly try to parse the CSV file as valid JavaScript code. As the buglist is generated based on the privileges of the user logged into Bugzilla, the external page could collect confidential data contained in the CSV file. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1232785 CVE Number: CVE-2015-8509 Class: Cross-Site Scripting Versions: Bugzilla 2.16rc1 to 4.4.11, 4.5.1 to 5.0.2 Fixed In: 4.4.12, 5.0.3 Description: Due to an incorrect parsing of the image map generated by the dot script, a specially crafted bug summary could trigger XSS in dependency graphs. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1253263 CVE Number: CVE-2016-2803
<rdar://problem/30027752>
Who has the privileges to do this work?
(In reply to comment #2) > Who has the privileges to do this work? David Kilzer is allocated to assist Alexey's team do this work. I believe they are planning on doing this soon, but there were some server updates they wanted to perform at the same time.
We will be updating to Bugzilla 5.0.3 (tentatively) starting at 9 AM PDT on Monday, March 13, 2017.
<rdar://problem/22524280>
(In reply to comment #4) > We will be updating to Bugzilla 5.0.3 (tentatively) starting at 9 AM PDT on > Monday, March 13, 2017. An email announcement will go out to webkit-dev soon.
This is now fixed, thanks! It would be prudent for our Bugzilla administrators to subscribe to Bugzilla release announcements [1] to avoid this situation recurring in the future. It looks like there are generally only a couple security updates per year. [1] https://lists.bugzilla.org/cgi-bin/mj_wwwusr?func=lists-long-full&extra=announce
*** This bug has been marked as a duplicate of bug 55882 ***