public inbox for overseers@sourceware.org
* Forw: Bad Site Appeal Notification
       [not found] ` <ACEB2F88-D0C6-4C66-9934-ADB73FB94EE9@hautesecure.com>
@ 2009-02-09 18:25   ` Frank Ch. Eigler
  2009-02-09 18:26   ` Fwd: " Frank Ch. Eigler
  1 sibling, 0 replies; 4+ messages in thread
From: Frank Ch. Eigler @ 2009-02-09 18:25 UTC (permalink / raw)
  To: Sourceware Overseers

Hi -

On Mon, Feb 09, 2009 at 10:15:20AM -0800, Haute Secure Customer Support wrote:

> I've responded to a couple of mails that have originated from
> sourceware.org regarding the entry in our Online Reputation list for
> sourceware.org. Unfortunately all of them have bounced so far. So I'm
> resending this mail in the hope that it gets to someone in
> sourceware.org who can attend to this.

Further:

> Thanks for the mail. The reason that Sourceware.org is on our content
> reputation list is because we have found a significant amount of malicious
> material on the site. It looks like you are running a very old Bugzilla
> installation - 2.17.5 which is over 4 years old and which contains many many
> security vulnerabilities. Malicious attackers target older web-based software
> and in the case of your Bugzilla installation they have been creating
> malicious entries designed to infect users browsing the site either directly or
> potentially indirectly via hidden iFrames on other sites.
> 
> Below is an example of one of the infected URLs that should help you research
> and resolve the issue.
> 
> h*p : / / sourceware [dot] org / bugzilla / attachment [dot] cgi?id=1988
> 
> You should consider upgrading to the 3.2 release of Bugzilla which has just
> been released and contains a massive number of fixes for various security
> vulnerabilities.


- FChE


* Re: Fwd: Bad Site Appeal Notification
       [not found] ` <ACEB2F88-D0C6-4C66-9934-ADB73FB94EE9@hautesecure.com>
  2009-02-09 18:25   ` Forw: Bad Site Appeal Notification Frank Ch. Eigler
@ 2009-02-09 18:26   ` Frank Ch. Eigler
       [not found]     ` <6C5CFABD-4766-438C-BA66-A1FE2A4740BE@hautesecure.com>
  2009-02-09 19:57     ` Fwd: " Daniel Berlin
  1 sibling, 2 replies; 4+ messages in thread
From: Frank Ch. Eigler @ 2009-02-09 18:26 UTC (permalink / raw)
  To: Haute Secure Customer Support; +Cc: Sourceware Overseers

Hi -

Just to be clear, are you claiming that upgrading our bugzilla to 3.2
would remove and/or make impossible further spam attachments?  Did
your software find actual *malware* or only spam links to it?

- FChE


* Re: Bad Site Appeal Notification
       [not found]     ` <6C5CFABD-4766-438C-BA66-A1FE2A4740BE@hautesecure.com>
@ 2009-02-09 18:39       ` Frank Ch. Eigler
  0 siblings, 0 replies; 4+ messages in thread
From: Frank Ch. Eigler @ 2009-02-09 18:39 UTC (permalink / raw)
  To: Haute Secure Customer Support; +Cc: Sourceware Overseers

Hi -

> I can make no absolute guarantees about upgrading to the latest
> version of Bugzilla, but Mozilla has made significant security
> improvements since the Bugzilla 2.x releases and our system has not
> found malicious content in Bugzilla 3.2 installations.

> We have found actual malicious content in your Bugzilla

Can you supply some links?  The only one sent so far was spam that
appeared to link outward.  We should be able to zap them without
actual major sysadmin effort that would be required by a speculative
bugzilla upgrade.

- FChE


* Re: Fwd: Bad Site Appeal Notification
  2009-02-09 18:26   ` Fwd: " Frank Ch. Eigler
       [not found]     ` <6C5CFABD-4766-438C-BA66-A1FE2A4740BE@hautesecure.com>
@ 2009-02-09 19:57     ` Daniel Berlin
  1 sibling, 0 replies; 4+ messages in thread
From: Daniel Berlin @ 2009-02-09 19:57 UTC (permalink / raw)
  To: Frank Ch. Eigler; +Cc: Haute Secure Customer Support, Sourceware Overseers

Humorously, there is, in fact, a bug Mozilla is about to notify the
world about which shows that even 3.2 is not secure at all for
attachments.
They plan on trying to require people to serve attachments from a
different hostname, in fact.

So upgrading to 3.2 will not fix our problems here.

On Mon, Feb 9, 2009 at 1:26 PM, Frank Ch. Eigler <fche@redhat.com> wrote:
> Hi -
>
> Just to be clear, are you claiming that upgrading our bugzilla to 3.2
> would remove and/or make impossible further spam attachments?  Did
> your software find actual *malware* or only spam links to it?
>
> - FChE
>

