
The development team behind the Bugzilla bug-tracking software has released an update that addresses several security issues, including a critical flaw that could lead to privilege escalation. The vulnerability, which has been assigned CVE-2014-1572, was reported to Bugzilla on September 30 by researchers at Check Point Software Technologies.

An attacker can exploit the vulnerability to create an account on the Bugzilla platform for an email address they don’t own. The issue appears to be caused by a security flaw that’s specific to the Perl programming language. In some cases, this could expose sensitive information on undisclosed flaws.

“The successful exploitation of the vulnerability allows the manipulation of any DB field at the user creation procedure, including the ‘login_name’ field. This breaks the email validation process, and allows an attacker to create accounts which match the groups regex policies, effectively becoming a privileged user,” explained Netanel Rubin, the Check Point researcher who uncovered the vulnerability.

Rubin created a series of test accounts, such as and, to demonstrate his findings.

Bugzilla lead developer Gervase Markham clarified in a blog post that not all unfixed vulnerabilities reported through Bugzilla were exposed by the vulnerability.

The vulnerability can be dangerous on Bugzilla installations where users are added to a certain group based on their email address domain. For example, in the case of Mozilla, employees are added to a particular group based on their email addresses, but this only gives them access to certain bugs, such as the ones affecting human resources. However, the Mozilla security group, which has access to unfixed vulnerabilities, is not affected by this issue because its members are added individually.

Roughly 150 organizations and projects run public Bugzilla installations, including Mozilla, Gnome, KDE, the Apache Project, LibreOffice, Open Office, OpenSSH, the Linux Kernel and various Linux distributions. The vulnerability affects all Bugzilla versions after 2.23.3, which was released in 2006. However, Mozilla says there is no evidence that the vulnerability has been exploited by malicious actors.

On Monday, Bugzilla released a software update that addresses the unauthorized account creation issue, along with three other security vulnerabilities. OpenSSH, Red Hat, Wikimedia and Apache also announced patching their installations.

This isn’t the only security incident affecting Bugzilla in the past months. In August, Mozilla revealed that the email addresses and encrypted passwords of 97,000 users who had created test installations on were inadvertently dumped on a public Web server.

On 13 September 2021, Red Hat’s Bugzilla team released updates to Bugzilla that included new functionality for pagination. There is also a change to the default number of results with the bug search API to support this feature. The default is now 20 but can be adjusted to 1000 by using the limit/offset parameters.

Pagination for Bugzilla Data Tables

Bugzilla now supports pagination for data tables, improving performance by not loading all results at one time. As users navigate through pages, results will be lazy-loaded. Users can perform bulk actions on the list by selecting the rows from the list.

Changes to Bugzilla list API response

Authenticated users

The Bug search API (REST/XMLRPC/JSONRPC) returns 20 bugs by default, and users can change this by specifying the limit. The value of limit can be up to 1000 bugs. If you need more than 1000 results, you can use the offset parameter.

Additionally, they have introduced “total_matches”, “limit”, and “offset” values in the response. These give the total number of bugs qualified for the query and the number of results in the response. You can get the default 1000 bugs by sending 0 as the limit parameter. You can also set your account’s default limit in user preferences. The account default can be set as high as 200. You can still use the limit parameter to get up to 1000 bugs.

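A client that walks a search result set with the limit, offset and total_matches values described in the API section, added here as an example; it is not code from the page or from the Bugzilla project. It assumes the REST search endpoint is GET /rest/bug with the search terms as query parameters and that the reply lists bugs under a "bugs" key; the HTTP call is replaced by a constructed in-memory stand-in so the example runs offline.

```python
"""Page through a Bugzilla bug search with limit/offset and total_matches.

Assumptions (not stated on the page): the search endpoint is GET /rest/bug
taking the search terms as query parameters, and its JSON reply lists the
bugs under a "bugs" key beside "total_matches", "limit" and "offset". The
HTTP call is injected; the constructed FakeServer stands in for it offline.
"""
from typing import Callable, Dict, Iterator, List

MAX_LIMIT = 1000  # hard cap on the limit parameter (from the page)

def page_size(requested: int) -> int:
    """Clamp a page size to the cap; 0 asks the server for its 1000-bug default."""
    if requested < 0:
        raise ValueError("limit must be 0 or a positive integer")
    return min(requested, MAX_LIMIT)

def iter_bugs(fetch: Callable[[Dict], Dict], params: Dict, limit: int = 200) -> Iterator[Dict]:
    """Yield every bug matching `params`, one request per page; stops once offset
    reaches total_matches, or on the first empty page if it is not reported."""
    offset = 0
    while True:
        page = fetch({**params, "limit": page_size(limit), "offset": offset})
        bugs: List[Dict] = page.get("bugs", [])
        yield from bugs
        offset += len(bugs)  # advance by what came back, not by `limit`
        total = page.get("total_matches")
        if not bugs or (total is not None and offset >= total):
            return

class FakeServer:
    """Constructed stand-in for GET /rest/bug holding bug ids 1..n."""
    def __init__(self, n: int, reports_total: bool = True) -> None:
        self.ids, self.reports_total, self.calls = list(range(1, n + 1)), reports_total, 0

    def __call__(self, params: Dict) -> Dict:
        self.calls += 1
        limit = min(int(params.get("limit", 20)) or MAX_LIMIT, MAX_LIMIT)  # 0 -> 1000
        offset = int(params.get("offset", 0))
        chunk = self.ids[offset:offset + limit]
        reply = {"bugs": [{"id": i} for i in chunk], "limit": limit, "offset": offset}
        if self.reports_total:
            reply["total_matches"] = len(self.ids)
        return reply

def collect_ids(fetch: Callable[[Dict], Dict], limit: int) -> List[int]:
    """Drain the paging loop for a constructed query and return the bug ids seen."""
    return [bug["id"] for bug in iter_bugs(fetch, {"product": "Example"}, limit)]
```

Advancing offset by the number of bugs actually returned, rather than by the requested limit, keeps the loop correct when the server clamps a page or returns a short final page.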