+ Saving changes to parameters would sometimes fail silently. Bugzilla
will now throw an error instead of failing silently. (bug 347707)
Security fixes for: http://www.bugzilla.org/security/2.22.6/
Class: Cross-Site Scripting
Versions: 2.17.2 and higher
Description: When using the "Format for Printing" view of a bug (or
the "Long Format" of a bug list, which is the same thing),
there was a cross-site scripting hole--arbitrary text
from a particular URL parameter could be injected into the
page without filtering.
There are three types Mozilla mirrors.
(http://www.mozilla.org/mirroring.html)
* mozilla-current
contains only the current version of Firefox and Thunderbird
* mozilla-release
contains Firefox, Thunderbird, and Sunbird releases
* mozilla-all
complete archive
Define following variables for mozilla master sites:
MASTER_SITE_MOZILLA_ALL = mozilla-all
MASTER_SITE_MOZILLA = mozilla-release
and change some packages to use appropriate variable.
Update contents of MASTER_SITE_MOZILLA with master and primary mirrors
taken from http://www.mozilla.org/mirrors.html and add some sample definitions.
+ Bug lists in iCal format were cutting off bug summaries if they had
a comma in them. (bug 274408)
+ If collectstats.pl encountered an invalid series when collecting data for
New Charts, it would stop processing all series, silently. This means
that several series may not have been collecting data. On PostgreSQL,
all series were failing, thus meaning that New Charts were not working
at all on PostgreSQL. (bug 257351)
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
+ Make Bugzilla compatible with Template Toolkit 2.15 (bug 357374)
+ Make Bugzilla compatible with versions of MySQL higher than 5.0.25
(bug 321645)
+ Sanity Check can now only be run by people with the "admin" privilege.
(bug 91761)
+ Security [XSS] fix
https://bugzilla.mozilla.org/show_bug.cgi?id=367674
+ When sending mail, Bugzilla could throw the error "Insecure dependency in
exec while running with -T switch" (bug 340538).
+ Using the public webdot server (for dependency graphs) should work
again (bug 351243).
+ The "I'm added to or removed from this capacity" email preference
wasn't working for new bugs (bug 349852).
+ The original release of 2.22 incorrectly said it required Template-Toolkit
version 2.08. In actual fact, Bugzilla requires version 2.10 (bug 351478).
+ votes.cgi would crash if your bug was the one confirming a bug (bug 351300).
+ checksetup.pl now correctly reports if your Template::Plugin::GD module
is missing. If missing, it could lead to charts and graphs not working
(bug 345389).
+ The "Keyword" field on buglist.cgi was not sorted alphabetically, so
it wasn't very useful for sorting (bug 342828).
+ Sendmail will no longer complain about there being a newline in the
email address, when Bugzilla sends mail (bug 331365).
+ contrib/bzdbcopy.pl would try to insert an invalid value into the
database, unnecessarily (bug 335572).
+ Deleting a bug now correctly deletes its attachments from the database
(bug 339667).
New features include:
* Complete PostgreSQL Support
* Parameters In Sections
* One Codebase, Multiple Databases
* UTF-8 for New Installations
* Admins Can Impersonate Users
* Bug Import and Moving Improvements
* Adding Individual Bugs to Saved Searches
* Attach URLs
* Optional "Strict Isolation" for Groups
* "editcomponents" Change
* "shutdownhtml" Change
* Miscellaneous Improvements
For further details see:
http://www.bugzilla.org/releases/2.22/new-features.htmlhttp://www.bugzilla.org/releases/2.22/release-notes.html
Make pkglint happer
This also fixes a number of security issues:
http://www.securityfocus.com/archive/1/425584/30/0/threaded
> Version 2.20.1
> --------------
>
> + Many PostgreSQL fixes, including fixing whine.pl on Pg 8
> (bug 301062) and fixing the --regenerate option of collectstats.pl
> for all versions of Pg (bug 316971). However, users who want full
> PostgreSQL support are encouraged to use the 2.22 series, as
> certain PostgreSQL bugs were discovered that will not be fixed
> in 2.20 (their fixes were too complex).
>
> + In Bugzilla 2.20, the "administrator" user created by checksetup.pl
> would not ever be sent email, because their email preferences were
> left blank. This has been fixed for 2.20.1. However, if you created
> this administrative user with Bugzilla 2.20, make sure to go back
> and enable their Email Preferences. (bug 317489)
>
> + The bzdbcopy.pl script mentioned in these release notes
> has now actually been checked-in to the 2.20 branch, and so
> it's included in this release. (bug 291776)
>
> + When there's only one Classification, you now won't be required
> to pick a Classification on bug entry. (bug 311489)
>
> + You can no longer add dependencies on bugs you can't see.
> (bug 141593)
>
> + The CC list is included in "New" bug emails, again. (bug 313661)
>
> + In the original 2.20, certain scripts were not correctly using
> the "shadow database," if it was specified. This has been fixed
> in 2.20.1. (bug 313695)
>
> + "Saved Searches" that were saved before Bugzilla 2.20, would throw
> an error if they contained "Days Since Bug Changed." as part of their
> criteria. This has been fixed in Bugzilla 2.20.1. (bug 302599)
>
> + You can now successfully delete a product even when Target Milestones
> are turned off. (bug 317025)
>
> + checksetup.pl now correctly pre-compiles templates for languages other
> than English. (bug 304417)
>
> + The "All Closed" chart that is created by default in New Charts
> now actually represents all closed bugs, and not all bugs in the
> product. (bug 300473)
>
> + CSV bug lists with more than 1000 dates now work properly. (bug 257813)
>
> + Various bugs with upgrading from previous versions of Bugzilla
> have been fixed. (bug 307662, bug 311047, bug 310108)
>
> + Many, many other bug fixes. See http://www.bugzilla.org/status/changes.html
> for details on what was fixed between 2.20 and 2.20.1.
From the release-notes.html:
What's New?
New User-Interface Color/Style
Higher-Level Categorization of Bugs (above "Product")
Regular Reports by Email of Complex Queries ("Whining")
"Environment Variable" Authentication Method
User-List Drop-Down Menus
Server-Side Comment Wrapping
UI for Editing Priority, OS, Platform, and Severity
Bugzilla Queries as RSS
Choice of E-Mail Sending Methods
"Large Attachment" Storage
and lots of Miscellaneous Improvements
See http://www.bugzilla.org/releases/2.20/release-notes.html for
all the details.
"Two security issues have been reported in Bugzilla, which can be
exploited by malicious people to disclose system and potentially
sensitive information."
See http://www.bugzilla.org/security/2.18.4/ for more details.
- Update addresses two security issues
- From the ChangeLog:
> Version 2.18.2
> --------------
>
> + You can now create accounts with createaccount.cgi even
> when the "requirelogin" parameter is turned on. (Bug 294778)
>
> + Bugs that are in disabled groups may not show a padlock
> on the bug list, or may otherwise behave strangely. You
> can now fix this using sanitycheck.cgi. (Bug 277454)
>
> + If sendmail dies while you are marking a bug
> as a duplicate, the duplicates table will no longer become
> corrupted. (Bug 225042)
>
> + Any user can change a flag on any bug. This also allows the
> attacker to expose the summary of any bug, even a hidden bug.
>
> + Summaries of private bugs are sometimes exposed under a very rare
> condition if you use MySQL replication.
>
> Version 2.18.3
> --------------
>
> + The query.cgi page was broken in 2.18.2 by bug 300138.
> That is now fixed.
by taken care of by pkgsrc infrastructure anyway.
- The problem is that checkconfig.pl thinks File::Spec v0.90 is v0.9
and complains that the version installed is too old.
- Problem reported by Brandon Adams <brandon.adams@omron.com> on tech-pkg@
- Two "Information Disclosure" security bugs fixed
- From the ChangeLog:
> + You can now enter a negative time for "Hours Worked"
> in the time-tracking area. (Bug 271276)
>
> + The BugMail.pm customization required for Windows (as
> described in the Bugzilla Guide) now actually works. (Bug 280911)
>
> + Users who were using Bugzilla 2.8 can now successfully upgrade
> to 2.18.1 (they couldn't upgrade to 2.18). (Bug 283403)
>
> + Dependency mails are now properly sent during a mass-change of bugs.
> (Bug 178157)
Tracking Systems allow individual or groups of developers to keep track of
outstanding bugs in their product effectively. Most commercial defect-tracking
software vendors charge enormous licensing fees. Despite being "free", Bugzilla
has many features its expensive counterparts lack. Consequently, Bugzilla has
quickly become a favorite of hundreds of organizations across the globe.
What Does Bugzilla Do?
- Track bugs and code changes
- Communicate with teammates
- Submit and review patches
- Manage quality assurance (QA)
Bugzilla can help you get a handle on the software development process.
Successful projects often are the result of successful organization and
communication. Bugzilla is a powerful tool that will help your team get
organized and communicate effectively.
