New versions: 3.6.10, 4.0.7, 4.2.2
4.2.2
This release fixes two security issues. See the Security Advisory for details.
In addition, the following important fixes/changes have been made in this release:
o A regression introduced in Bugzilla 4.0 caused some login names to be ignored
when entered in the CC list of bugs. (Bug 756314)
o Some queries could trigger an invalid SQL query if strings entered by the user
contained leading or trailing whitespaces. (Bug 760075)
o The auto-completion form for keywords no longer automatically selects the
first keyword in the list when the field is empty. (Bug 764517)
o A regression in Bugzilla 4.2 prevented classifications from being used in
graphical and tabular reports in the "Multiple Tables" field. (Bug 753688)
o Attachments created by the email_in.pl script were associated with the wrong
comment. (Bug 762785)
o Very long dependency lists can now be viewed correctly. (Bug 762783)
o Keywords are now correctly escaped in the auto-completion form to prevent any
XSS abuse. (Bug 754561)
o A regression introduced in Bugzilla 4.0rc2 when fixing CVE-2011-0046 caused
the "Un-forget the search" link to not work correctly anymore when restoring a
deleted saved search, because this link was lacking a valid token. (Bug 768870)
o Two minor CSRF vulnerabilities have been fixed which could let an attacker
alter your default search criteria in the Advanced Search page. (Bugs 754672
and 754673)
4.0.7
This release fixes one security issue. See the Security Advisory for details.
In addition, the following bugs have been fixed in this release:
o A regression introduced in Bugzilla 4.0 caused some login names to be ignored
when entered in the CC list of bugs. (Bug 756314)
o Keywords are now correctly escaped in the auto-complete form to prevent any
XSS abuse. (Bug 754561)
o A regression introduced in Bugzilla 4.0rc2 when fixing CVE-2011-0046 caused
the "Un-forget the search" link to not work correctly anymore when restoring a
deleted saved search, because this link was lacking a valid token. (Bug 768870)
3.6.10
This release fixes one security issue. See the Security Advisory for details.
http://www.bugzilla.org/security/3.6.9/
Approved by: implicit skv@ (bugzilla / bugzilla3)
Security: CVE-2012-1968
CVE-2012-1969
https://bugzilla.mozilla.org/show_bug.cgi?id=777398
https://bugzilla.mozilla.org/show_bug.cgi?id=777586
vid=58253655-d82c-11e1-907c-20cf30e32f6d
New Features and Improvements:
- Experimental SQLite Support
- Creating an Attachment by Pasting Text Into a Text Field
- HTML Bugmail (default: on; can be disabled in user preferences)
- Improved Searching System
- Disabling Old Components, Versions and Milestones
- Displaying a Custom Field Value Based on Multiple Values of Another Field
- Auditing of All Changes Within Bugzilla
- Accessibility Improvements
And many other improvements; for the complete list see:
http://www.bugzilla.org/releases/4.2.1/release-notes.html
Vulnerability Details
=====================
Class: Cross-Site Request Forgery
Versions: 4.0.2 to 4.0.4, 4.1.1 to 4.2rc2
Fixed In: 4.0.5, 4.2
Description: Due to a lack of validation of the enctype form
attribute when making POST requests to xmlrpc.cgi,
a possible CSRF vulnerability was discovered. If a user
visits an HTML page with some malicious HTML code in it,
an attacker could make changes to a remote Bugzilla installation
on behalf of the victim's account by using the XML-RPC API
on a site running mod_perl. Sites running under mod_cgi
are not affected. Also the user would have had to be
already logged in to the target site for the vulnerability
to work.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=725663
CVE Number: CVE-2012-0453
Approved by: skv (implicit)
- CVE-2011-3657
- CVE-2011-3667
Summary
=======
The following security issues have been discovered in Bugzilla:
* When viewing tabular or graphical reports as well as new charts,
an XSS vulnerability is possible in debug mode.
* The User.offer_account_by_email WebService method lets you create
a new user account even if the active authentication method forbids
users to create an account.
* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
lead to the creation of unwanted bug reports and attachments.
All affected installations are encouraged to upgrade as soon as possible.
Full Release Notes:
http://www.bugzilla.org/security/3.4.12/
Approved by: skv@ (explicit)
- use DIST_SUBDIR for bugzilla and all translations
- sort pkg-plist (genplist)
OK from bugzilla maintainers per PM.
PR: ports/158766
Submitted by: ohauer
- order pkg-plist so it matches automated tools like genplist
- add missing empty directories (used by checksetup.pl) [1]
commit with hat apache@
PR: [1] ports/154295
Submitted by: me
- Use WWWDIR instead of some other custom locations [2]
- Add Makefile.common which Makefiles in devel/bugzilla, russian/bugzilla-ru
and japanese/bugzilla include to use WWWDIR in common [2]
Changes: http://www.bugzilla.org/releases/3.6.3/release-notes.html [1]
Security: http://www.bugzilla.org/security/3.2.8/ [1]
PR: ports/151912 [1], [2]
Submitted by: ohauer [1], tota (myself) [2]
Approved by: skv
- Remove ja-bugzilla-2.* from CONFLICT entries of devel/bugzilla,
devel/bugzilla2 and russian/bugzilla-ru [2]
- Change MAINTAINER address from tota@rtfm.jp to tota@FreeBSD.org
[1] This port has been updated from the bugzilla Japanized patch to
bugzilla Japanese language pack installation, both of which are
maintained differently.
* Japanized patch is not actively maintained anymore.
* A more sophisticated language pack framework has been introduced since
Bugzilla 3.0.
[2] This port no longer conflicts with those ports due to the new language
pack framework.
Approved by: maho (mentor)
- Remove mail/p5-Email-MIME-Modifier, it has been folded into mail/p5-Email-MIME
- Remove mail/p5-Email-Simple-Creator, it has been folded into mail/p5-Email-Simple
- Adjust dependencies
Reported by: pointyhat
With hat: portmgr