- bugzilla security updates to version(s)

  3.6.11, 4.0.8, 4.2.4

Summary
=======

The following security issues have been discovered in Bugzilla:

* Confidential product and component names can be disclosed to
  unauthorized users if they are used to control the visibility of
  a custom field.

* When calling the 'User.get' WebService method with a 'groups'
  argument, it is possible to check if the given group names exist
  or not.

* Due to incorrectly filtered field values in tabular reports, it is
  possible to inject code which can lead to XSS.

* When trying to mark an attachment in a bug you cannot see as
  obsolete, the description of the attachment is disclosed in the
  error message.

* A vulnerability in swfstore.swf from YUI2 can lead to XSS.

Feature safe: yes

Security:	CVE-2012-4199
		https://bugzilla.mozilla.org/show_bug.cgi?id=731178

		CVE-2012-4198
		https://bugzilla.mozilla.org/show_bug.cgi?id=781850

		CVE-2012-4189
		https://bugzilla.mozilla.org/show_bug.cgi?id=790296

		CVE-2012-4197
		https://bugzilla.mozilla.org/show_bug.cgi?id=802204

		CVE-2012-5475
		https://bugzilla.mozilla.org/show_bug.cgi?id=808845
		http://yuilibrary.com/support/20121030-vulnerability/

devel/bugzilla/Makefile

@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	4.0.8
+PORTVERSION=	4.0.9
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived

devel/bugzilla/distinfo

@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.0.8.tar.gz) = 0d44ab29863ffe6ef7637f078c31e52805f1b2ff0ff4f5c39a0d7daebe326b0c
-SIZE (bugzilla/bugzilla-4.0.8.tar.gz) = 2801982
+SHA256 (bugzilla/bugzilla-4.0.9.tar.gz) = af79b2f2b39f428e19122707d1334db5e447742ca6098f74803c35277117e394
+SIZE (bugzilla/bugzilla-4.0.9.tar.gz) = 2803607

devel/bugzilla3/Makefile

@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	3.6.11
+PORTVERSION=	3.6.12
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived

devel/bugzilla3/distinfo

@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-3.6.11.tar.gz) = 01b99ec5b1e6efc9d0a0352ebe2ea6e8b8c7471a3f4dd80c3b99b5be575c4585
-SIZE (bugzilla/bugzilla-3.6.11.tar.gz) = 2509551
+SHA256 (bugzilla/bugzilla-3.6.12.tar.gz) = 1b3ebd08545b0093cd64a6f2e6c1310c7e85e691c83bd79c10960329f1bdca77
+SIZE (bugzilla/bugzilla-3.6.12.tar.gz) = 2509580

devel/bugzilla42/Makefile

@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	4.2.3
+PORTVERSION=	4.2.4
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived

devel/bugzilla42/distinfo

@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.2.3.tar.gz) = 712d645c5b2b081e42b2a364c26edf8a8a0048f463a426ac38cc482d31b11fb3
-SIZE (bugzilla/bugzilla-4.2.3.tar.gz) = 2977764
+SHA256 (bugzilla/bugzilla-4.2.4.tar.gz) = bede0cf893ad8ac99715614af0cf4624bc0e8552852f51290f546006105ce695
+SIZE (bugzilla/bugzilla-4.2.4.tar.gz) = 2976363

security/vuxml/vuln.xml

@@ -51,6 +51,63 @@ Note:  Please add new entries to the beginning of this file.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="2b841f88-2e8d-11e2-ad21-20cf30e32f6d">
+    <topic>bugzilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>bugzilla</name>
+	<range><ge>3.6.0</ge><lt>3.6.12</lt></range>
+	<range><ge>4.0.0</ge><lt>4.0.9</lt></range>
+	<range><ge>4.2.0</ge><lt>4.2.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>A Bugzilla Security Advisory reports:</h1>
+	<blockquote cite="http://www.bugzilla.org/security/3.6.11/">
+	  <p>The following security issues have been discovered in
+	     Bugzilla:</p>
+	  <h1>Information Leak</h1>
+	  <p>If the visibility of a custom field is controlled by a product
+	    or a component of a product you cannot see, their names are
+	    disclosed in the JavaScript code generated for this custom field
+	    despite they should remain confidential.</p>
+	  <p>Calling the User.get method with a 'groups' argument leaks the
+	    existence of the groups depending on whether an error is thrown
+	    or not. This method now also throws an error if the user calling
+	    this method does not belong to these groups (independently of
+	    whether the groups exist or not).</p>
+	  <p>Trying to mark an attachment in a bug you cannot see as obsolete
+	    discloses its description in the error message. The description
+	    of the attachment is now removed from the error message.</p>
+	  <h1>Cross-Site Scripting</h1>
+	  <p>Due to incorrectly filtered field values in tabular reports,
+	    it is possible to inject code leading to XSS.</p>
+	  <p>A vulnerability in swfstore.swf from YUI2 allows JavaScript
+	    injection exploits to be created against domains that host this
+	    affected YUI .swf file.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-4199</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=731178</url>
+      <cvename>CVE-2012-4198</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=781850</url>
+      <cvename>CVE-2012-4197</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=802204</url>
+      <cvename>CVE-2012-4189</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=790296</url>
+      <cvename>CVE-2012-5475</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=808845</url>
+      <url>http://yuilibrary.com/support/20121030-vulnerability/</url>
+    </references>
+    <dates>
+      <discovery>2012-11-13</discovery>
+      <entry>2012-11-14</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="79818ef9-2d10-11e2-9160-00262d5ed8ee">
     <topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
     <affects>