Class: Unauthorized Bug Change
Versions: 2.9 through 2.18rc2 and 2.19
Description: It is possible to send a carefully crafted HTTP POST
message to process_bug.cgi which will remove keywords from
a bug even if you don't have permissions to edit all bug
fields (the "editbugs" permission). Such changes are
reported in "bug changed" email notifications, so they are
easily detected and reversed if someone abuses it.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=252638
- Correct SQL command in pkg-message
PR: ports/71161, ports/73166
Submitted by: Dmitry A Grigorovich <odip@bionet.nsc.ru>
installation to ${PREFIX}/www/data.default. "data.default" was an artifact
of a long obsolete version of the Apache port. Put installation directory
under control of a variable $BUGZILLADIR instead. Carry through to
pkg-plist via a pragma.
- Bump $PORTREVISION.
* learn default distribution about some default FreeBSD settings
* add new option to setup XML modules used to export/import bugs to share
them between different Bugzilla instances
* use ${INSTALL_SCRIPT} rather than ${INSTALL}. Inspired by petef's letter.
This also caused me to think "when such a complex system as FreeBSD ports
should do such simple things like preparing a cup of coffee?"
* use ${INSTALL} directly instead of ${INSTALL_DATA} to preserve
exec permissions for scripts
* add post-install target to display pkg-message
* rewrite pkg-message to give minimal quick setup instructions