PublicDate: 2008-05-07 20:20:00 UTC
Candidate: CVE-2008-2105
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2105
Description:
 email_in.pl in Bugzilla 2.23.4, 3.0.x before 3.0.4, and 3.1.x before 3.1.4
 allows remote authenticated users to more easily spoof the changer of a bug
 via a @reporter command in the body of an e-mail message, which overrides
 the e-mail address as normally obtained from the From e-mail header.  NOTE:
 since From headers are easily spoofed, this only crosses privilege
 boundaries in environments that provide additional verification of e-mail
 addresses.
Ubuntu-Description:
Notes:
 kees> this really should be for bugzilla3 but it's not in intrepid yet
 wgrant> our 2.x releases are too old, and 3.0.4 is too new.
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS: 

Patches_bugzilla:
upstream_bugzilla: released (3.0.3)
dapper_bugzilla: not-affected
feisty_bugzilla: not-affected
gutsy_bugzilla: not-affected
hardy_bugzilla: not-affected
devel_bugzilla: not-affected