Release notes update.

1 files changed, 175 insertions, 16 deletions

diff --git a/docs/rel_notes.txt b/docs/rel_notes.txt
index 374ee0e04..705cd8f97 100644
--- a/docs/rel_notes.txt
+++ b/docs/rel_notes.txt
@@ -50,14 +50,17 @@ XML::Parser (any)
 
 *** Deprecated Features ***
 
-- This is the last stable release of bugzilla which will support mysql version
-  3.22. Future releases will require at least version 3.23.x. The exact minimum
-  version number required has not yet been decided (bug 87958)
-- The use of bugzilla to maintain the shadowdb will be removed before the
-  next stable release. The replacement (using mysql's built in replication) is
-  not supported in 2.16, but we expect that very few sites use this feature.
-  If this would cause a problem for you, please comment in bug 124589
-- ??? Anything else?
+- This is possibly the last stable release that will work with
+  MySQL version 3.22.  Soon Bugzilla will require at least
+  version 3.23.x.  The exact minimum version number required
+  has not yet been decided.
+  (bug 87958)
+- This is possibly the last stable release to support the
+  shadow database. The replacement (using MySQL's built in
+  replication) is not present in 2.16, but we expect that
+  very few sites use this feature.  If this would cause a
+  problem for you, please comment on the below bug.
+  (bug 124589)
 
 *** Outstanding Issues Of Note ***
 
@@ -75,32 +78,188 @@ XML::Parser (any)
   program.  To fix this, you can turn on the "sendmailnow"
   parameter on the Edit Parameters page (editparams.cgi).
   (bug 50159)
-???
+- Users behind rotating transparent proxies or otherwise having
+  a dynamic IP will find they need to log in regularly.
+  (bug 20122)
+- If you search on any CC or added comments, as well as at least
+  one other of CC, added comments, assignee, reporter, etc, then
+  the search can be very slow.  This is because of limitations of
+  the MySQL optimiser.
+  (bug 96101)
 
 ************************************************************
 *** USERS UPGRADING FROM 2.14.1 OR EARLIER - 2.16 ISSUES ***
 ************************************************************
 
+*** SECURITY ISSUES RESOLVED ***
+
+- The bug reporter could set the priority even when
+  'letsubmitterchoosepriority' was off.
+  (bug 63018)
+- It was possible for random confidential information to be
+  divulged, if the shadow database was in use and became
+  corrupted.
+  (bug 92263)
+- Mass change would set the groupset of every bug to be the
+  groupset of the first bug.
+  (bug 107718)
+- Most CGIs now run in taint mode.  This helps to prevent
+  failure to validate errors.
+  (bug 108982)
+- queryhelp.cgi no longer shows confidential products to
+  people it shouldn't.
+  (bug 126801)
+- The bug list sort order could take arbitrary SQL.  There
+  are no known exploits for this problem.
+  (bug 130821)
+- It was possible for a user to bypass the IP check by
+  setting up a fake reverse DNS, if the Bugzilla web server
+  was configured to do reverse DNS lookups.  Apache is not
+  configured as such by default.  This is not a complete
+  exploit, as the user's login cookie would also need to
+  be divulged for this to be a problem.
+  (bug 129466)
+
 *** IMPORTANT CHANGES ***
 
-???
+- 2.16 introduces "templatisation", a new feature that allows
+  administrators to easily customise the HTML output of Bugzilla
+  without altering Perl code.  Bugzilla uses the "Template Toolkit"
+  for this.  ??? See the Bugzilla Guide?
+
+  Administrators who ran the 2.15 development version and customised
+  templates should check the templates are still valid, as file names
+  and file paths have changed.
+
+  Most output is now templatised.  This process will be complete next
+  milestone.
+  (bug 86168)
+- index.html is now configurable, as is now index.cgi. ??? Web server setup ???
+  (bug 80183)
+- Administrators can now configure maximum attachment sizes.  These
+  should remain below the maximum size for MySQL
+  (bug 91664)
+- Perl 5.004 is no longer supported because the Template Toolkit
+  requires 5.005.
+  (bug 97721)
+- It is now strongly recommended that administrators run
+  "processmail rescanall" after upgrading to 2.16 or beyond.
+
+  This will send out notification emails for changes that were
+  made but not emailed, due to Bugzilla bugs.  All known
+  causes of this have been fixed (bug 104589 and 99519).
+
+  It is also recommended that this be run nightly to avoid
+  lengthy delays in future if this reoccurs.
+  (bug 106377)
 
 *** Other changes of note ***
 
-???
+- The query page has been redesigned for better user friendliness.
+  (bug 98707)
+- Users can now change their email account.
+  (bug 23067)
+- "Dependent Bug Changed" notification emails now contain the
+  dependent bug's summary.
+  (bug 28736)
+- Bugs with severity "critical", "blocker", and "enhancement" are
+  visually differentiated on bug lists for recent browsers.
+  (bug 28884)
+- Bugzilla now has a sidebar for the Mozilla browser.
+  (bug 37339)
+- A link to just created attachments now appears in notification
+  email.
+  (bug 66651)
+- Comments now have numbers and can be referenced with
+  autohyperlinkifying similar to bugs.
+  (bug 71840)
+- The attachment system has been rewritten, supporting new
+  "attachment statuses" (like keywords, but for attachments),
+  the ability to obsolete attachments, and the ability to
+  edit attachment metadata.
+  (bugs 84338, 75176)
+- syncshadowdb now supports a configurable temp file location,
+  and properly shuts down Bugzilla.
+  (bug 75840)
+- Dependency tree now lets you exclude resolve bugs and bugs
+  below a specific depth.
+  (bugs 83058)
+- The "strictvaluechecks" parameter has gone away.  These checks
+  are now always done.
+  (bug 119715)
+- The midair collision page now shows all changes since the bug
+  page was loaded, not just the last one.
+  (bug 108312)
+- Added support for making dependency graphs with 'dot', which
+  is better at creating complex graphs than 'webdot'.
+  (bug 120537)
 
 *** Bug fixes of note ***
 
+- Bugzilla scripts are now usually not terminated when the browser
+  window they are running in is closed.  This caused hard to
+  reproduce bugs.
+  (bug 104589)
+- On browsers that "reflow" the page, large component / milestone /
+  version fields were extremely slow to reflow when you altered
+  the product field.
+  (bug 96534)
+- The selection in the component / milestone / version fields is
+  no longer lost when you change the selection in the product
+  field or use the back/forward buttons in your browser to return
+  to the page.
+  (bug 97966)
+- You could not reverse dependencies in one step.
+  (bug 82143)
+- Mass reassignment of non-open bugs will no longer reopen them.
+  (bug 30731)
+- Attempting to bulk change no bugs will now give a user-friendly
+  error message.
+  (bug 90333)
+- If you make a change to a bug where you only add yourself to CC,
+  email notifications are now properly sent out for MySQL 3.23.
+  (bug 99519)
+- Bug entry now properly validates the data it has been sent.
+  (bug 107743)
+- Midair collision checks will now properly work in all situations
+  where dependencies have changed.
+  (bug 73502)
+- Some browsers were able to corrupt the params file with the wrong
+  end-of-line markers.
+  (bug 92500)
+- The MySQL port defined in localconfig is now properly honoured.
+  (bug 98368)
+- Apostrophes in component/milestone/version names no longer cause
+  a problem on the query page.
+  (bug 30689/42810)
+- File attachment comments will now wrap.
+  (bug 52060)
+- Saved queries are no longer mangled if you need to log in again,
+  for example if you had cookies of.
+  (bug 38835)
 - Bug counts (on reports.cgi) were very slow if you had to
   count a lot of bugs.
   (bug 63249)
-- The new options to let people see a bug when their name
+- 2.14 introduced options to let people see a bug when their name
   is on it but who aren't in the groups the bug is restricted
-  to only allow people to view bugs if they know the bug number.
-  It still will not show up in these people's buglists and
-  they will not receive email about changes to the bugs.
+  to.  These only allowed the people to view the bugs directly,
+  and not see them on buglists and receive email about them.
   (bugs 95024, 97469)
-???
+- A new 'cookiepath' parameter on editparams.cgi allows multiple
+  Bugzilla installations to exist on one host without problems.
+  (bug 19910)
+- whineatnews.pl now respects the 'sendmailnow' parameter.
+  (bug 52782)
+- The query page came up even when Bugzilla was shut down.
+  (bug 121747)
+- Quicksearch gave a weird error message when Bugzilla was
+  shut down.
+  (bug 121741)
+- Querying on CC took too long on big databases, it is quicker
+  now.
+  (bug 127200)
+
+??? 109357
 
 ************************************************************
 *** USERS UPGRADING FROM 2.14 OR EARLIER - 2.14.1 ISSUES ***