Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does not properly generate random values for cookies and tokens, which allows remote attackers to obtain access to arbitrary accounts via unspecified vectors, related to an insufficient number of calls to the srand function.
lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html
lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html
osvdb.org/70700
secunia.com/advisories/43033
secunia.com/advisories/43165
www.bugzilla.org/security/3.2.9/
www.debian.org/security/2011/dsa-2322
www.securityfocus.com/bid/45982
www.vupen.com/english/advisories/2011/0207
www.vupen.com/english/advisories/2011/0271
bugzilla.mozilla.org/attachment.cgi?id=506031&action=diff
bugzilla.mozilla.org/show_bug.cgi?id=619594
bugzilla.mozilla.org/show_bug.cgi?id=621591
exchange.xforce.ibmcloud.com/vulnerabilities/65001