
Evaluate upcoming Bugzilla 4.4.7 release whether relevant for WM BZ: Not needed
Closed, Resolved, Public

Description

Upcoming 4.4.7 will contain security fixes; our instance at https://old-bugzilla.wikimedia.org/ is shut down when it comes to changing stuff but still allows login until we solve T1198.

Event Timeline

Aklapper claimed this task.
Aklapper raised the priority of this task from to Low.
Aklapper updated the task description.
Aklapper added a project: Wikimedia-Bugzilla.
Aklapper subscribed.

Two sec fixes in 4.4.7: https://www.bugzilla.org/security/4.0.15/

  • I don't see a need to apply the patch for CVE-2014-8630 because we are down to 8 non-disabled, trusted accounts with editcomponents permissions in old-bugzilla.wm.o.
  • And in our special case (no editing possible) I don't see any issues with the WebServices API leak either.

Hence we can stay at 4.4.6.

Aklapper renamed this task from Evaluate upcoming Bugzilla 4.4.7 release whether relevant for WM BZ to Evaluate upcoming Bugzilla 4.4.7 release whether relevant for WM BZ: Not needed. Jan 22 2015, 2:00 AM
Aklapper set Security to None.