A quarterly vulnerability scan by our PCI Approved Scanning Vendor curiously discovered this vulnerability:
Description: Vulnerable Bugzilla version: 2
Severity: Critical Problem
Impact: Multiple vulnerabilities could allow remote account hijacking, viewing of restricted data, unauthorized bug editing, SQL injection, cross-site scripting, security-bypass, or command execution.
Background: Bugzilla is an open source bug tracking system written in Perl.
Resolution [http://www.bugzilla.org/download/] Upgrade to Bugzilla 3.2.7, Bugzilla 3.4.7, Bugzilla 3.6.1, Bugzilla 3.7.2 or higher, or install the latest [http://www.bugzilla.org/download/#cvs] CVS snapshot.
Vulnerability Details:
Service: https
Received: Distributed under version 2 of the GNU GPL.
I say “curious” because Bugzilla has never been installed on this machine. It is a single-purpose httpd server running RT and nothing else.
After some unhelpful back-and-forth with our ASV’s support e-mail alias, I looked closely at the text of the “Vulnerability Details,” which was just the statement of the GNU license under which RT (and Bugzilla, apparently) is distributed. Taking a close look at the RT login page, I saw:
I logged into the RT server, made a backup of and then edited /opt/rt3/share/html/Elements/Footer, and removed the line:
<&|/l&>Distributed under version 2 <a href="http://www.gnu.org/copyleft/gpl.html"> of the GNU GPL.</a></&><br />
A re-scan of the site shows it is now 100% Bugzilla free. So there you go, a GPL statement is a Class 5 Vulnerability on the PCI scale, apparently.
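As an added illustration (not code from the original post, from RT, or from Bugzilla), the following Python mimics the kind of content signature the scan appears to have keyed on, a bare GPL notice, and contrasts it with a check that refuses to name a product without a product-specific marker. Both page bodies are constructed here, and the marker patterns are assumptions rather than the ASV's actual signatures.

```python
import re

# Constructed sample page bodies (not captured from any real server).
# RT_FOOTER mirrors the footer line the post removed, rendered as HTML.
RT_FOOTER = (
    '<div id="footer"><span>RT 3.8.8</span> '
    'Distributed under version 2 <a href="http://www.gnu.org/copyleft/gpl.html">'
    ' of the GNU GPL.</a><br /></div>'
)
BUGZILLA_FOOTER = (
    '<div id="footer"><span>Bugzilla 3.2.6</span> '
    'Distributed under version 2 <a href="http://www.gnu.org/copyleft/gpl.html">'
    'of the GNU GPL.</a></div>'
)
PLAIN_PAGE = '<html><body><h1>Internal wiki</h1></body></html>'

# The GPL notice, allowing an HTML tag between "version 2" and "of the GNU GPL".
GPL_BANNER = re.compile(
    r"Distributed under version 2\s*(?:<[^>]*>\s*)?of the GNU GPL", re.I
)
# Assumed product marker: product name followed by a dotted version string.
PRODUCT_VERSION = re.compile(r"\b(Bugzilla|RT)\s+(\d+(?:\.\d+)+)")


def naive_fingerprint(body):
    """A signature that treats the GPL notice alone as proof of Bugzilla.
    Returns 'Bugzilla' for any GPL-licensed web app, which is the false
    positive described in the post."""
    return "Bugzilla" if GPL_BANNER.search(body) else None


def strict_fingerprint(body):
    """Name a product only when a product-specific marker is present; the
    GPL notice is recorded as supporting evidence, never as the verdict."""
    m = PRODUCT_VERSION.search(body)
    if not m:
        return None
    return {"product": m.group(1), "version": m.group(2),
            "gpl_notice": bool(GPL_BANNER.search(body))}


def audit(pages, fingerprint):
    """Run one fingerprint over (name, body) pairs; returns name -> verdict."""
    return {name: fingerprint(body) for name, body in pages}


if __name__ == "__main__":
    pages = [("rt", RT_FOOTER), ("bugzilla", BUGZILLA_FOOTER), ("wiki", PLAIN_PAGE)]
    print("naive :", audit(pages, naive_fingerprint))
    print("strict:", audit(pages, strict_fingerprint))
```

Run against the RT footer, the naive check reports Bugzilla while the strict check reports RT 3.8.8 with the GPL notice noted as evidence only; removing the footer line, as the post did, silences the naive check but is not what a scanner should depend on.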