-------------------------------------
- please note devel/bugzilla3 has now 3.6.8
- Below is a Release note for 5.0.1 to 5.0.3 from:
https://www.bugzilla.org/releases/5.0.3/release-notes.html
-------------------------------------
Bugzilla 5.0.3 Release Notes
* Introduction
* Updates in this 5.0.x Release
..
(original has more sections, but omitted, see above URL for more info)
Introduction
Welcome to Bugzilla 5.0! It has been slightly over two years since we
released Bugzilla 4.4 in May of 2013. This new major release comes with many
new features and improvements to WebServices and performance.
If you're upgrading, make sure to read Notes On Upgrading From a Previous
Version. If you are upgrading from a release before 4.4, make sure to read
the release notes for all the previous versions in between your version and
this one, particularly the Upgrading section of each version's release notes.
Updates in this 5.0.x Release
5.0.3
This release fixes one security issue. See the Security Advisory for details.
This release also contains the following bug fixes:
* A regression in Bugzilla 5.0.2 caused whine.pl to be unable to send
emails due to a missing subroutine. (Bug 1235395)
* The Encode module changed the way it encodes strings, causing email
addresses in emails sent by Bugzilla to be encoded, preventing emails
from being correctly delivered to recipients. We now encode email headers
correctly. (Bug 1246228)
* Fix additional taint issues with Strawberry Perl. (Bug 987742 and bug
1089448)
* When exporting a buglist as a CSV file, fields starting with either "=",
"+", "-" or "@" are preceded by a space to not trigger formula execution
in Excel. (Bug 1259881)
* An extension which allows user-controlled data to be used as a link in
tabs could trigger XSS if the data is not correctly sanitized. Bugzilla
no longer relies on the extension to do the sanity check. A vanilla
installation is not affected as no tab is user-controlled. (Bug 1250114)
* Extensions can now easily override the favicon used for the Bugzilla
website. (Bug 1250264)
5.0.2
This release fixes two security issues. See the Security Advisory for
details.
This release also contains the following bug fixes:
* mod_perl now works correctly with mod_access_compat turned off on Apache
2.4. To regenerate the .htaccess files, you must first delete all
existing ones in subdirectories:
find . -mindepth 2 -name .htaccess -exec rm -f {} \;
You must then run checksetup.pl again to recreate them with the correct
syntax. (Bug 1223790)
* Emails sent by Bugzilla are now correctly encoded as UTF-8. (Bug 714724)
* Strawberry Perl is now fully supported on Windows. (Bug 1089448 and bug
987742)
* The XML-RPC API now works with IIS on Windows. (Bug 708252)
* Some queries should now be faster on PostgreSQL. (Bug 1184431)
5.0.1
This release fixes one security issue. See the Security Advisory for details.
This release also contains the following bug fixes:
* Users whose login name is not an email address could not log in on
installations which use LDAP to authenticate users. (Bug 1179160)
* If a mandatory custom field was hidden, it was not possible to create a
new bug or to edit existing ones. (Bug 1183398 and bug 1196969)
* A user editing his login name to point to a non-existent email address
could cause Bugzilla to stop working, causing a denial of service. (Bug
1194987)
* Emails generated during a transaction made PostgreSQL stop working. (Bug
1186700)
* Bugs containing a comment with a reference to a bug ID larger than 2^31
could not be displayed anymore using PostgreSQL. (Bug 1191937)
* The date picker in the "Time Summary" page was broken. (Bug 1181649)
* If Test::Taint or any other Perl module required to use the JSON-RPC API
was not installed or was too old, the UI to tag comments was displayed
anyway, you could tag comments, but tags were not persistent (they were
lost on page reload). Now the UI to tag comments is not displayed at all
until the missing Perl modules are installed and up-to-date. (Bug
1183227)
* Custom fields of type INTEGER now accept negative integers. (Bug 1198659)
* On Windows, the checksetup.pl installation script no longer asks for a
SMTP server. It can be set after the installation is complete. (Bug
1191255)
Issues found with existing distfiles:
distfiles/eclipse-sourceBuild-srcIncluded-3.0.1.zip
distfiles/fortran-utils-1.1.tar.gz
distfiles/ivykis-0.39.tar.gz
distfiles/enum-1.11.tar.gz
distfiles/pvs-3.2-libraries.tgz
distfiles/pvs-3.2-linux.tgz
distfiles/pvs-3.2-solaris.tgz
distfiles/pvs-3.2-system.tgz
No changes made to these distinfo files.
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
{perl>=5.16.6,p5-ExtUtils-ParseXS>=3.15}:../../devel/p5-ExtUtils-ParseXS
since pkgsrc enforces the newest perl version anyway, so they
should always pick perl, but sometimes (pkg_add) don't due to the
design of the {,} syntax.
No effective change for the above reason.
Ok joerg
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
+ Saving changes to parameters would sometimes fail silently. Bugzilla
will now throw an error instead of failing silently. (bug 347707)
Security fixes for: http://www.bugzilla.org/security/2.22.6/
Class: Cross-Site Scripting
Versions: 2.17.2 and higher
Description: When using the "Format for Printing" view of a bug (or
the "Long Format" of a bug list, which is the same thing),
there was a cross-site scripting hole--arbitrary text
from a particular URL parameter could be injected into the
page without filtering.
There are three types Mozilla mirrors.
(http://www.mozilla.org/mirroring.html)
* mozilla-current
contains only the current version of Firefox and Thunderbird
* mozilla-release
contains Firefox, Thunderbird, and Sunbird releases
* mozilla-all
complete archive
Define following variables for mozilla master sites:
MASTER_SITE_MOZILLA_ALL = mozilla-all
MASTER_SITE_MOZILLA = mozilla-release
and change some packages to use appropriate variable.
Update contents of MASTER_SITE_MOZILLA with master and primary mirrors
taken from http://www.mozilla.org/mirrors.html and add some sample definitions.
+ Bug lists in iCal format were cutting off bug summaries if they had
a comma in them. (bug 274408)
+ If collectstats.pl encountered an invalid series when collecting data for
New Charts, it would stop processing all series, silently. This means
that several series may not have been collecting data. On PostgreSQL,
all series were failing, thus meaning that New Charts were not working
at all on PostgreSQL. (bug 257351)
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
+ Make Bugzilla compatible with Template Toolkit 2.15 (bug 357374)
+ Make Bugzilla compatible with versions of MySQL higher than 5.0.25
(bug 321645)
+ Sanity Check can now only be run by people with the "admin" privilege.
(bug 91761)
+ Security [XSS] fix
https://bugzilla.mozilla.org/show_bug.cgi?id=367674
+ When sending mail, Bugzilla could throw the error "Insecure dependency in
exec while running with -T switch" (bug 340538).
+ Using the public webdot server (for dependency graphs) should work
again (bug 351243).
+ The "I'm added to or removed from this capacity" email preference
wasn't working for new bugs (bug 349852).
+ The original release of 2.22 incorrectly said it required Template-Toolkit
version 2.08. In actual fact, Bugzilla requires version 2.10 (bug 351478).
+ votes.cgi would crash if your bug was the one confirming a bug (bug 351300).
+ checksetup.pl now correctly reports if your Template::Plugin::GD module
is missing. If missing, it could lead to charts and graphs not working
(bug 345389).
+ The "Keyword" field on buglist.cgi was not sorted alphabetically, so
it wasn't very useful for sorting (bug 342828).
+ Sendmail will no longer complain about there being a newline in the
email address, when Bugzilla sends mail (bug 331365).
+ contrib/bzdbcopy.pl would try to insert an invalid value into the
database, unnecessarily (bug 335572).
+ Deleting a bug now correctly deletes its attachments from the database
(bug 339667).
New features include:
* Complete PostgreSQL Support
* Parameters In Sections
* One Codebase, Multiple Databases
* UTF-8 for New Installations
* Admins Can Impersonate Users
* Bug Import and Moving Improvements
* Adding Individual Bugs to Saved Searches
* Attach URLs
* Optional "Strict Isolation" for Groups
* "editcomponents" Change
* "shutdownhtml" Change
* Miscellaneous Improvements
For further details see:
http://www.bugzilla.org/releases/2.22/new-features.htmlhttp://www.bugzilla.org/releases/2.22/release-notes.html
Make pkglint happer
This also fixes a number of security issues:
http://www.securityfocus.com/archive/1/425584/30/0/threaded
> Version 2.20.1
> --------------
>
> + Many PostgreSQL fixes, including fixing whine.pl on Pg 8
> (bug 301062) and fixing the --regenerate option of collectstats.pl
> for all versions of Pg (bug 316971). However, users who want full
> PostgreSQL support are encouraged to use the 2.22 series, as
> certain PostgreSQL bugs were discovered that will not be fixed
> in 2.20 (their fixes were too complex).
>
> + In Bugzilla 2.20, the "administrator" user created by checksetup.pl
> would not ever be sent email, because their email preferences were
> left blank. This has been fixed for 2.20.1. However, if you created
> this administrative user with Bugzilla 2.20, make sure to go back
> and enable their Email Preferences. (bug 317489)
>
> + The bzdbcopy.pl script mentioned in these release notes
> has now actually been checked-in to the 2.20 branch, and so
> it's included in this release. (bug 291776)
>
> + When there's only one Classification, you now won't be required
> to pick a Classification on bug entry. (bug 311489)
>
> + You can no longer add dependencies on bugs you can't see.
> (bug 141593)
>
> + The CC list is included in "New" bug emails, again. (bug 313661)
>
> + In the original 2.20, certain scripts were not correctly using
> the "shadow database," if it was specified. This has been fixed
> in 2.20.1. (bug 313695)
>
> + "Saved Searches" that were saved before Bugzilla 2.20, would throw
> an error if they contained "Days Since Bug Changed." as part of their
> criteria. This has been fixed in Bugzilla 2.20.1. (bug 302599)
>
> + You can now successfully delete a product even when Target Milestones
> are turned off. (bug 317025)
>
> + checksetup.pl now correctly pre-compiles templates for languages other
> than English. (bug 304417)
>
> + The "All Closed" chart that is created by default in New Charts
> now actually represents all closed bugs, and not all bugs in the
> product. (bug 300473)
>
> + CSV bug lists with more than 1000 dates now work properly. (bug 257813)
>
> + Various bugs with upgrading from previous versions of Bugzilla
> have been fixed. (bug 307662, bug 311047, bug 310108)
>
> + Many, many other bug fixes. See http://www.bugzilla.org/status/changes.html
> for details on what was fixed between 2.20 and 2.20.1.
From the release-notes.html:
What's New?
New User-Interface Color/Style
Higher-Level Categorization of Bugs (above "Product")
Regular Reports by Email of Complex Queries ("Whining")
"Environment Variable" Authentication Method
User-List Drop-Down Menus
Server-Side Comment Wrapping
UI for Editing Priority, OS, Platform, and Severity
Bugzilla Queries as RSS
Choice of E-Mail Sending Methods
"Large Attachment" Storage
and lots of Miscellaneous Improvements
See http://www.bugzilla.org/releases/2.20/release-notes.html for
all the details.
"Two security issues have been reported in Bugzilla, which can be
exploited by malicious people to disclose system and potentially
sensitive information."
See http://www.bugzilla.org/security/2.18.4/ for more details.
- Update addresses two security issues
- From the ChangeLog:
> Version 2.18.2
> --------------
>
> + You can now create accounts with createaccount.cgi even
> when the "requirelogin" parameter is turned on. (Bug 294778)
>
> + Bugs that are in disabled groups may not show a padlock
> on the bug list, or may otherwise behave strangely. You
> can now fix this using sanitycheck.cgi. (Bug 277454)
>
> + If sendmail dies while you are marking a bug
> as a duplicate, the duplicates table will no longer become
> corrupted. (Bug 225042)
>
> + Any user can change a flag on any bug. This also allows the
> attacker to expose the summary of any bug, even a hidden bug.
>
> + Summaries of private bugs are sometimes exposed under a very rare
> condition if you use MySQL replication.
>
> Version 2.18.3
> --------------
>
> + The query.cgi page was broken in 2.18.2 by bug 300138.
> That is now fixed.
by taken care of by pkgsrc infrastructure anyway.
- The problem is that checkconfig.pl thinks File::Spec v0.90 is v0.9
and complains that the version installed is too old.
- Problem reported by Brandon Adams <brandon.adams@omron.com> on tech-pkg@
- Two "Information Disclosure" security bugs fixed
- From the ChangeLog:
> + You can now enter a negative time for "Hours Worked"
> in the time-tracking area. (Bug 271276)
>
> + The BugMail.pm customization required for Windows (as
> described in the Bugzilla Guide) now actually works. (Bug 280911)
>
> + Users who were using Bugzilla 2.8 can now successfully upgrade
> to 2.18.1 (they couldn't upgrade to 2.18). (Bug 283403)
>
> + Dependency mails are now properly sent during a mass-change of bugs.
> (Bug 178157)
