Release notes.

author: matty%chariot.net.au <> 2002-09-29 14:25:36 +0200
committer: matty%chariot.net.au <> 2002-09-29 14:25:36 +0200
commit: 0e7527da330feb7c13374ba134728ff4f9872fb1 (patch)
tree: 96d5ee9940d8ceeff0fd94fb95b388f16b367dd7 /docs
parent: 07d344f9d303f654d05dd1b7b8c3b9aa4bd17922 (diff)
download: bugzilla-0e7527da330feb7c13374ba134728ff4f9872fb1.tar.gz
bugzilla-0e7527da330feb7c13374ba134728ff4f9872fb1.tar.xz
1 files changed, 99 insertions, 3 deletions
diff --git a/docs/rel_notes.txt b/docs/rel_notes.txt
index 366673f97..4c93c9ec1 100644
--- a/docs/rel_notes.txt
+++ b/docs/rel_notes.txt
@@ -125,20 +125,90 @@ fix the problem on your installation.
   option "The bug is resolved or verified" to achieve part of this.
   (bug 130821)
 
+***********************************************
+*** USERS UPGRADING FROM 2.16.1 OR EARLIER  ***
+***********************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+*** IMPORTANT CHANGES ***
+
+*** Other changes of note ***
+
+*** Bug fixes of note ***
+
 *********************************************
 *** USERS UPGRADING FROM 2.16 OR EARLIER  ***
 *********************************************
 
 *** SECURITY ISSUES RESOLVED ***
 
-*** IMPORTANT CHANGES ***
+- Apostrophes were not properly handled in email addresses.  This was a
+  regression introduced in 2.16.  It is not known whether this was
+  exploitable.
+  (bug 165221)
 
-*** Other changes of note ***
+See also next major section.
 
 *** Bug fixes of note ***
 
+- The VERSION cookie which allowed the previously entered version of a product
+  to be remembered was not correctly set.  It was only set as a session
+  cookie, and under some circumstances could interfere with other cookies
+  (such as the login information) send at the same time.
+  (bug 160227)
+
+- importxml.pl would fail if the versioncache needed to be updated.
+  (bug 164464)
+
+- Bug changes going through intermediate pages would munge fields with
+  multiple fields, such as CCs.
+  (bug 161203)
+
+- On failure in template->new, Bugzilla will now die rather than futilely
+  attempt to use an error template.
+  (bug 166023)
+
+- Fixed a problem where checksetup had problems converting old installations
+  that didn't have a duplicates table.
+  (bug 151619)
+
+- Fixed a problem that caused taint errors when viewing or editing user
+  preferences with Perl 5.005 and Template 2.08.
+  (bug 160710)
+
+See also next section.
+
+******************************************************
+*** USERS UPGRADING FROM 2.14.3 OR EARLIER, 2.16.0 ***
+******************************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- When a new product is added to an installation with 47 groups or more and
+  "usebuggroups" is enabled, the new group will be assigned a groupset bit
+  using Perl math that is not exact beyond 2^48.  This results in the new
+  group being defined with a "bit" that has several bits set.  As users are
+  given access to the new group, those users will also gain access to
+  spurious lower group privileges.  Also, group bits were not always reused
+  when groups were deleted.
+  (bug 167485)
+
+- The email interface had another insecure single parameter system call.  This
+  could potentially allow arbitrary shell commands to be run.  This file is
+  not supported at this time, but as long as we knew about the problem, we
+  couldn't overlook it.
+  (bug 163024)
+
+*** Bug fixes of note ***
+
+- The email interface was broken.  This was a 2.14.3 regression.  This file
+  is not supported at this time, but as long as we knew about the problem, we
+  couldn't overlook it.
+  (bug 160631)
+
 ***********************************************
-*** USERS UPGRADING FROM 2.14.2 OR EARLIER  ***
+*** USERS UPGRADING FROM 2.14.4 OR EARLIER  ***
 ***********************************************
 
 *** SECURITY ISSUES RESOLVED ***
@@ -355,6 +425,32 @@ fix the problem on your installation.
   (bug 143091)
 
 ***********************************************
+*** USERS UPGRADING FROM 2.14.3 OR EARLIER  ***
+***********************************************
+
+See section above about users upgrading from 2.16.0 or earlier.
+
+***********************************************
+*** USERS UPGRADING FROM 2.14.2 OR EARLIER  ***
+***********************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- Basic maintenance on contrib/bug_email.pl and
+  contrib/bugzilla_email_append.pl which also fixes a
+  possible security hole with a misuse of a system() call.
+  These files are not supported at this time, but as long
+  as we knew about the problem, we couldn't overlook it.
+  (bug 154008)
+
+*** Bug fixes of note ***
+
+- The fix for bug 130821 in 2.14.2 broke being able to sort
+  bug lists on more than one field.  buglist.cgi now allows
+  you to sort on more than one field again.
+  (bug 152138)
+
+***********************************************
 *** USERS UPGRADING FROM 2.14.1 OR EARLIER  ***
 ***********************************************
author	matty%chariot.net.au <>	2002-09-29 14:25:36 +0200
committer	matty%chariot.net.au <>	2002-09-29 14:25:36 +0200
commit	0e7527da330feb7c13374ba134728ff4f9872fb1 (patch)
tree	96d5ee9940d8ceeff0fd94fb95b388f16b367dd7 /docs
parent	07d344f9d303f654d05dd1b7b8c3b9aa4bd17922 (diff)
download	bugzilla-0e7527da330feb7c13374ba134728ff4f9872fb1.tar.gz bugzilla-0e7527da330feb7c13374ba134728ff4f9872fb1.tar.xz