diff options
Diffstat (limited to 'docs/en/historical_rel_notes.txt')
| -rw-r--r-- | docs/en/historical_rel_notes.txt | 3028 |
1 files changed, 3028 insertions, 0 deletions
diff --git a/docs/en/historical_rel_notes.txt b/docs/en/historical_rel_notes.txt new file mode 100644 index 000000000..4014951f0 --- /dev/null +++ b/docs/en/historical_rel_notes.txt @@ -0,0 +1,3028 @@ +Release Notes for Bugzilla version 3.0 and higher are available in HTML +format, either on the bugzilla.org website, or in your current installation, +linked from the index page. + +bugzilla.org links for release notes +------------------------------------ +3.0.2: http://www.bugzilla.org/releases/3.0.2/release-notes.html + +*************************************** +*** The Bugzilla 2.22 Release Notes *** +*************************************** + +Table of Contents +***************** + +- Introduction +- Important Updates In This Point Release +- Minimum Requirements + * Perl + * For MySQL Users + * For PostgreSQL Users + * Required Perl Modules + * Optional Perl Modules +- What's New? + * Complete PostgreSQL Support + * Parameters In Sections + * One Codebase, Multiple Databases + * UTF-8 for New Installations + * Admins Can Impersonate Users + * Bug Import and Moving Improvements + * Adding Individual Bugs to Saved Searches + * Attach URLs + * Optional "Strict Isolation" for Groups + * "editcomponents" Change + * "shutdownhtml" Change + * Miscellaneous Improvements + * All Changes +- Deprecated Features +- Outstanding Issues (<======================== IMPORTANT, PLEASE READ) +- How to Upgrade From An Older Bugzilla + * Steps for Upgrading +- Code Changes Which May Affect Customizations + * CGI.pl is Gone + * Other Changes +- Security Fixes In 2.22 Releases +- Release Notes for Previous Versions + +Introduction +************ +Bugzilla 2.22 is one of our most polished releases. We did a lot of +small cleanups to make Bugzilla easier to use and more useful in +many, many small ways, in addition to adding some major new features. + +This document contains the release notes for Bugzilla 2.22. +In this document, recently added, changed, and removed features +of Bugzilla are described. If you are upgrading from an older version, +you will definitely want to read these release notes in detail, so that +you have an idea of what has changed. + +If you are upgrading from a version before 2.20, also read the 2.20 +release notes (lower in this file) and any previous release notes. + +If you are installing a new Bugzilla, you will still want to look over +the release notes to see if there is any particularly important +information that affects your installation. + +If you would like to contribute code to Bugzilla, read our +Contributor's Guide at: + +http://www.bugzilla.org/docs/contributor.html + + +Important Updates In This Point Release +*************************************** + +This section describes bugs fixed in releases after the original 2.22 +release. + +Version 2.22.2 +-------------- + ++ Make Bugzilla compatible with Template Toolkit 2.15 (bug 357374) + ++ Make Bugzilla compatible with versions of MySQL higher than 5.0.25 + (bug 321645) + ++ Sanity Check can now only be run by people with the "admin" privilege. + (bug 91761) + +Version 2.22.1 +-------------- + ++ When sending mail, Bugzilla could throw the error "Insecure dependency in + exec while running with -T switch" (bug 340538). + ++ Using the public webdot server (for dependency graphs) should work + again (bug 351243). + ++ The "I'm added to or removed from this capacity" email preference + wasn't working for new bugs (bug 349852). + ++ The original release of 2.22 incorrectly said it required Template-Toolkit + version 2.08. In actual fact, Bugzilla requires version 2.10 (bug 351478). + ++ votes.cgi would crash if your bug was the one confirming a bug (bug 351300). + ++ checksetup.pl now correctly reports if your Template::Plugin::GD module + is missing. If missing, it could lead to charts and graphs not working + (bug 345389). + ++ The "Keyword" field on buglist.cgi was not sorted alphabetically, so + it wasn't very useful for sorting (bug 342828). + ++ Sendmail will no longer complain about there being a newline in the + email address, when Bugzilla sends mail (bug 331365). + ++ contrib/bzdbcopy.pl would try to insert an invalid value into the + database, unnecessarily (bug 335572). + ++ Deleting a bug now correctly deletes its attachments from the database + (bug 339667). + + +Minimum Requirements +******************** + +Perl +---- + + Perl v5.6.1 (Non-Windows platforms) + ActiveState Perl v5.8.1 (Windows only) + + Note that this is the last release of Bugzilla to support perl 5.6.x-- + future versions will require perl 5.8. + +For MySQL Users +--------------- + + MySQL v4.0.14 (changed from 2.20) + perl module: DBD::mysql v2.9003 (changed from 2.18) + +For PostgreSQL Users +-------------------- + + PostgreSQL 7.3.x + perl module: DBD::Pg 1.31 (1.41 required for PostgreSQL 8+) + + WARNING: DBD::Pg 1.43 has a bug which causes checksetup.pl to fail + and corrupt the database. If you are using DBD::Pg 1.43, either downgrade + to 1.41 or upgrade to 1.45 (1.42 and 1.44 seem broken somehow too). + + Note that this is the last release of Bugzilla to support PostgreSQL 7.x. + Future versions will require PostgreSQL 8.0 and DBD::Pg 1.45. + +Required Perl Modules +--------------------- + + AppConfig v1.52 + CGI v2.93 + Data::Dumper (any) + Date::Format v2.21 + DBI v1.38 + File::Spec v0.84 + File::Temp (any) + Template Toolkit v2.10 (changed from 2.20) + Text::Wrap v2001.0131 + Mail::Mailer v1.67 (changed from 2.20) + MIME::Base64 v3.01 (new in 2.22) + MIME::Parser v5.406 (new in 2.22) + Storable (any) + + Note: The SMTP support in Mail::Mailer 1.73 (the most recent version) + is broken. The last known working version is 1.67. + +Optional Perl Modules +--------------------- + + Chart::Base v1.0 + GD v1.20 + GD::Graph (any) + GD::Text::Align (any) + Net::LDAP (any) + PatchReader v0.9.4 + XML::Twig (any) (new in 2.22) + Image::Magick (new in 2.22) + + +What's New? +*********** + +Complete PostgreSQL Support +--------------------------- +Bugzilla 2.20 contained experimental support for PostgreSQL. +In Bugzilla 2.22, PostgreSQL support is fully complete and stable. Using +PostgreSQL with Bugzilla should be as stable as using MySQL, and if +you experience any problems they will be taken as seriously as if you +were running MySQL. + +There are no known remaining major problems with Bugzilla on PostgreSQL. +All features of Bugzilla have been tested and work. + + +Parameters In Sections +---------------------- +Long-time users of Bugzilla know that over time the parameter list has +grown quite large. It has now been split into sections to make it easier +to use. + + +One Codebase, Multiple Databases +-------------------------------- +There is now limited support for having multiple projects use the +same Bugzilla codebase, but all have separate databases. + +The different projects can have their own templates and their own +bug database, but all use the same set of Bugzilla code in the same +directory. + +To enable this, set an environment variable called PROJECT when +calling the Bugzilla CGIs. Then for each project, you can have +a localconfig.PROJECT (where "PROJECT" is the value of the PROJECT +environment variable) file for the database parameters, and a +template/en/PROJECT directory (where "PROJECT" is the value of the +PROJECT environment variable) + +This feature isn't documented yet, but we hope to have documentation for +it soon. + + +UTF-8 For New Installations +--------------------------- +If this is the first time you're installing Bugzilla, it will now use +UTF-8 encoding for all pages, automatically. It will also send emails +in UTF-8. This eliminates most of the internationalization problems +users have experienced, as one Bugzilla page may now contain any number +of languages simultaneously. + +If you are upgrading and you want to use UTF-8, just turn on the "utf8" +Parameter. However, realize that if you have non-UTF-8 data in your +Bugzilla, it will appear unreadable. (If you just have ASCII in your +database, you're safe to turn on the "utf8" parameter, definitely.) + + +Admins Can Impersonate Users +---------------------------- +User impersonation (think of the su/sudo command on Unix) allows you +to view pages and perform actions as if you are logged in as someone else, +without having to know their password. + +A user in the new "bz_sudoers" group has the option of "becoming" +any user in Bugzilla. Once they "become" that user, they *are* that user +for the rest of the session, until they decide to switch back to being +themselves. + +However, they cannot "become" any user in the "bz_sudo_protect" group. +This group includes everybody in the "admin" and "bz_sudoers" groups by +default. + +Any time a user is impersonated, they will get an email notifying them +who has impersonated them. + + +Bug Import and Moving Improvements +---------------------------------- +The XML Import script, importxml.pl, has been completely re-written. + +It now: + + * Correctly imports the "priority" field + * Understands when the "Reporter" or "CC List" security boxes + are unchecked on the bug. + * Places bugs in the appropriate groups + * Allows attachments to be imported + * Is much more forgiving about small problems in the XML + + +Adding Individual Bugs to Saved Searches (Tagging) +-------------------------------------------------- +Users now have the option of adding an individual bug to any +particular Saved Search. Individual users that disagree with the site +default can add or remove this feature (which appears as an entry box +visible in the footer) by changing the General Preferences setting +called "Enable tags for bugs". + + +Attach URLs +----------- +Instead of attaching a file, you can now also attach a URL to a bug. +This will show up just like an attachment on show_bug.cgi, but when +you click on it, it will take you to the URL. + +To enable this, turn on the "allow_attach_url" parameter. + + +Optional "Strict Isolation" for Groups +-------------------------------------- +If you turn on the "strict_isolation" parameter in Bugzilla, you +will *not* be able to add any user to the CC field (or set them +as an Assignee or QA Contact) unless that user could normally see +the bug. That is, you will no longer be able to "accidentally" +(or intentionally) give somebody access to a bug that they +otherwise couldn't see. + + +"editcomponents" Change +----------------------- +Previously, all users who had "editcomponents" could see every Product, +using the editcomponents.cgi script. Now, users with "editcomponents" +can only see Products that they normally have access to. + +This restriction also affects editversions.cgi, editmilestones.cgi and +editproducts.cgi. + + +"shutdownhtml" Change +--------------------- +All of Bugzilla is now affected by the "shutdownhtml" parameter, +including command-line scripts. checksetup.pl is exempt. Many scripts +(such as collectstats.pl and whine.pl) will just exit silently when +"shutdownhtml" is turned on. + + +Miscellaneous Improvements +-------------------------- + +- Added a frequently-requested user preference for whether or not to go + to the next bug in your list after submitting changes to a bug. + +- The ability to do relative date searches (like "1d" for "1 day" or "1w" + for "1 week") by hour now, in addition to days and other units of time. + +- "Alias" added to the New Bug form, for users with editbugs. + +- Users can now actually see the descriptions of flags that you enter + in editflagtypes.cgi. The description will appear as a tooltip + when a user places their mouse over the flag name on show_bug.cgi. + +- Bugzilla will optionally convert BMP attachments into PNGs for you. + See the "convert_uncompressed_images" in the "Attachments" section + of the Parameters. + +- You can now edit the Status Whiteboard when you are changing multiple + bugs at once. + +- The way that groups work in the database has changed, and large-scale + Bugzilla use with many concurrent users should be much faster, as a + result. (Technical Details: The need for Bugzilla to "derive groups" + has gone away pretty much entirely.) + +- Performance improvements on searching attachment information that's not + the actual content of the attachment (such as searching the Attachment + Description or the Attachment MIME Type) + +- You can now specify multiple email addresses, comma-separated, when + setting the requestee of a flag, and it will set the flag once for each + of those email addresses + +- "Bug Creation Time" is now searchable in the Boolean Charts. + +- When you mark a comment on a bug as private, the background color + of the comment will change immediately. However, in order for + Bugzilla to register that the comment is now private, you still + have to "submit" the changes. + +- Emails sent from Bugzilla now have "X-Bugzilla-Keywords" and + "X-Bugzilla-Severity" by default, containing the information + from the related Bugzilla fields. + +- You can now change the assignee and QA contact on multiple bugs at + once even when those bugs are in different products. + +- contrib/merge-users.pl allows you to merge two user accounts. This is + particulary useful when a user opened several accounts and only one should + be kept. It also lets you merge a deleted account with an existing one. + +All Changes +----------- + +If you'd like to see all the changes between Bugzilla 2.20 and Bugzilla +2.22, see: + +http://tinyurl.com/9p2tm + + +Deprecated Features +******************* + +- This is the last release of Bugzilla to support perl 5.6.x. All future + versions of Bugzilla will require at least perl 5.8. + + This is the last release of Bugzilla to support PostgreSQL 7.x. Future + releases using PostgreSQL will require PostgreSQL 8.0 and DBD::Pg 1.45. + +Outstanding Issues +****************** + +- bug 305836: PostgreSQL users: do not use DBD::Pg version 1.43 with + Bugzilla. It has a bug which can corrupt the database. Version 1.41 + is fine. Version 1.45 or higher is fine too. + +- (No Bug Number) VERY IMPORTANT: If you have customized the values in + your Status/Resolution field, you must edit checksetup.pl BEFORE YOU + RUN IT. Find the line that starts like this: + + bug_status => ["UNCONFIRMED", + + That's where you set the values for the Status field. + + resolution => ["","FIXED", + + And that's where you set values for the Resolution field. + + Those are both near line 1826 in checksetup.pl. + + If you forget to do this, you will have to manually edit the "bug_status" + and "resolution" tables in the database to contain the correct values. + +- bug 276230: The support for restricting access to particular Categories of + New Charts is not complete. You should treat the 'chartgroup' Param as the + only access mechanism available. However, additionally, charts migrated from + Old Charts will be restricted to the groups that are marked MANDATORY for + the corresponding Product. There is currently no way to change this + restriction, and the groupings will not be updated if the group configuration + for the Product changes. + +- bug 37765: If you use the "sendmail" support of Bugzilla, + and you use an MTA which is *not* Sendmail (such as Postfix, Exim, etc.) + make sure the "sendmailnow" parameter is ON or Bugzilla will not send + e-mail correctly. + +- bug 69621: If you rename or remove a keyword that is in use on bugs, you will + need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing + the option to rebuild the cache when it asks. Otherwise keywords may not show + up properly in search results. + +- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for + example, if you use a translation of Bugzilla), don't enable the XS::Stash + option when you install the Template Toolkit, or your Bugzilla installation + may become slow. This problem is fixed in a not-yet-released version of the + Template Toolkit (after 2.14). + +- Bug 99215: Flags are not protected by "mid-air collision" detection. + Nor are any attachment changes. + +- Bug 89822: When changing multiple bugs at the same time, there is no + "mid-air collision" protection. + +- bug 322955: The email interface (bug_mail.pl) in the contrib/ directory + has not been maintained (as it has no maintainer), and does not work + properly. We hope to have this fixed in our next major release of + Bugzilla; however, any help or contributions in this area are very + welcome. + + +How to Upgrade From An Older Bugzilla +************************************* + +NOTE: Upgrading from a large installation (over 10,000 bugs) running 2.18 + or before may take a significant amount of time. checksetup will + try to let you know how long it will take, but expect downtime + of an hour or more if you have many bugs, many attachments, + or many users. + +Steps for Upgrading +------------------- + +1) Read these entire Release Notes, particularly the "Outstanding Issues" + and "Security Fixes" sections. + +2) View the Sanity Check (sanitycheck.cgi) page on your installation before + upgrading. Attempt to fix all warnings that the page produces before + you go any further, or you may experience problems during your upgrade. + +3) Make a backup of the Bugzilla database before you upgrade, perhaps + by using mysqldump. THIS IS VERY IMPORTANT. If anything goes wrong + during the upgrade, your installation can be corrupted beyond + recovery. Having a backup keeps you safe. + + Example: + + mysqldump -u root -p bugs > bugs-db.sql + +4) Replace the files in your installation with the new version of Bugzilla, + or you can try to use CVS to upgrade. The bugzilla.org website has + instructions on how to do the actual installation. + + You can also use a brand-new Bugzilla directory, as long as you + copy over the old data/ directory and the "localconfig" file to the + new installation. + +5) Run checksetup.pl after you install the new version. + +7) View the Sanity Check page again after you run checksetup.pl. + +8) It is recommended that, if possible, you fix any problems you find + immediately. Failure to do this may mean that Bugzilla will not work + correctly. Be aware that if the sanity check page contains more errors after + an upgrade, it doesn't necessarily mean there are more errors in your + database, as additional tests are added to the sanity check over time, and + it is possible that those errors weren't being checked for in the old + version. + +9) This version of Bugzilla contains improvements to the email that + Bugzilla sends when a bug is changed. The template for that email + is contained in the "newchangedmail" parameter. If you would like + to take advantage of the email enhancements in this version of + Bugzilla, reset that parameter to its default. (You can customize + it after that again, if you want.) + + +Code Changes Which May Affect Customizations +******************************************** + +CGI.pl is Gone +-------------- +The CGI.pl file, which used to contain many global functions, and which +also contained initialization code for every CGI, is gone. The functions +have been moved to various places and sometimes renamed. + +The initialization code that used to happen inside CGI.pl is now inside +of Bugzilla.pm. All CGIs must "use Bugzilla" in one way or another. (Some +CGIs "use Bugzilla" by doing "require globals.pl".) + + +Deriving Groups No Longer Happens +--------------------------------- +Bugzilla no longer needs to "derive groups" in advance. That is, previously +Bugzilla used to flatten the group heirarchy into the user_group_map +table. (That is, show that a user was in every group they were in, +even if they were only in that group because they belonged to *another* +group.) Now the table only contains groups that the user is in directly, +and groups that they are in because of a regexp. + +Instead, The Bugzilla::User->group function determines the groups a user +is in when called. + +We did this because the group derivation was causing a lot of complexity +in the code, and also deriving the groups was a slow process that +frequently had to happen inside of a database lock while sending mail +or viewing a bug list. + +See https://bugzilla.mozilla.org/show_bug.cgi?id=304583 for details. + + +Other Changes +------------- + +- The move.pl script's functionality has been merged into process_bug.cgi. + +- $::template and $::vars are gone from globals.pl. Instead of $::template, + use Bugzilla->template. Every script creates the $vars variable by itself + instead of using a global $::vars variable. + +- $::userid is gone. Instead use Bugzilla->user->id. + +- QuickSearch is now in perl instead of in JavaScript. The code is in + Bugzilla/Search/QuickSearch.pm. This makes it much easier to customize, + and it also fixes some long-standing issues that QuickSearch had. + +- Attachment data is now in the attach_data table. Other information + about attachments is still in the "attachments" table. + +- Much like the 2.20 release, many functions have been removed from + globals.pl and CGI.pl. They were moved elsewhere and renamed. + Search RESOLVED bugs in bugzilla.mozilla.org for the old + version of the function name, and that will usually show you + the bug where we moved the function, allowing you to find out + what the new name and location is. + +- This is the last release that contains the deprecated + SendSQL, SqlQuote, FetchSqlData, MoreSqlData, and FetchOneColumn + functions. Instead, you should use DBI functions. For a very brief + example, see: + + http://www.bugzilla.org/docs/developer.html#sql-sendreceive + + +Security Fixes in 2.22 Releases +******************************* + +A long-standing, well-known security issue is finally resolved in Bugzilla +2.22: Previously, the "Session ID" of each user could be easily guessed, +given enough time. This could have allowed an attacker to take over a +user's account, in certain circumstances. Now, the "Session ID" is totally +random, resolving this issue. See bug 119524 in bugzilla.mozilla.org for +details. + +If you are very concerned about the security of your Bugzilla installation, +it would be a very good idea to run the following command on your +database immediately after upgrading: + +TRUNCATE TABLE logincookies; + +This is actually safe to do at any time--it just forces a logout of +every single user, even those with saved sessions. (It invalidates +every login cookie Bugzilla has ever given out.) + +Version 2.22.2 +-------------- + +A Cross-Site Scripting vulnerability is fixed in Bugzilla 2.22.2. You can +read the details of the fix at: + +http://www.bugzilla.org/security/2.20.3/ + +Version 2.22.1 +-------------- + +The Bugzilla team fixed two Information Leaks and three Cross-Site +Scripting vulnerabilities that existed in versions of Bugzilla +prior to 2.22.1. We strongly recommend that you update any 2.22 +installation to 2.22.1, to be protected from these vulnerabilities. + +In addition, we have made an enhancement to security in this version +of Bugzilla. In previous versions, it was possible for malicious +users to exploit administrators in certain ways. Although this has +never happened (to our knowledge) in the real world, we thought it +was important that we protect administrators from this sort of attack. + +You can see details on all the vulnerabilities and enhancements at: + +http://www.bugzilla.org/security/2.18.5/ + + +Release Notes For Previous Versions +************************************ + +*************************************** +*** The Bugzilla 2.20 Release Notes *** +*************************************** + +Table of Contents +***************** + +- Introduction +- Important Updates in this Point Release + * Version 2.20.1 + * Version 2.20.2 +- Minimum Requirements + * Perl + * For MySQL Users + * For PostgreSQL Users + * Required Perl Modules + * Optional Perl Modules +- What's New? + * Experimental PostgreSQL Support + * New User-Interface Color/Style + * Higher-Level Categorization of Bugs (above "Product") + * Regular Reports by Email of Complex Queries ("Whining") + * "Environment Variable" Authentication Method + * User-List Drop-Down Menus + * Server-Side Comment Wrapping + * UI for Editing Priority, OS, Platform, and Severity + * Bugzilla Queries as RSS + * Choice of E-Mail Sending Methods + * "User Preferences" + * "Large Attachment" Storage + * "User Visibility" Controls + * Miscellaneous Improvements + * All Changes +- Deprecated Features +- Outstanding Issues (<======================== IMPORTANT, PLEASE READ) +- How to Upgrade From An Older Bugzilla + * Steps for Upgrading +- Code Changes Which May Affect Customizations + * The New Database-Compatibility Layer + * If You Customize Your Database... + * Many Functions Renamed + * User Preferences + * Other Changes +- Security Fixes In 2.20 Releases +- Release Notes for Previous Versions + + +Introduction +************ + +This document contains the release notes for Bugzilla 2.20. +In this document, recently added, changed, and removed features +of Bugzilla are described. If you are upgrading from an older version, +you will definitely want to read these release notes in detail, so that +you have an idea of what has changed. + +If you are upgrading from a version before 2.18, also read the 2.18 release +notes (lower in this file) and any previous release notes. + +If you are installing a new Bugzilla, you will still want to look over +the release notes to see if there is any particularly important information +that affects your installation. + +The 2.20 release has had about nine months of development since 2.18, but +they were nearly the most active nine months in Bugzilla's history. We hope +that users will appreciate our many external changes, and that Bugzilla +administators will find that our internal changes make their lives easier. + +If you would like to contribute code to Bugzilla, read our +Contributor's Guide at: + +http://www.bugzilla.org/docs/contributor.html + + +Important Updates In This Point Release +*************************************** + +Version 2.20.1 +-------------- + ++ Many PostgreSQL fixes, including fixing whine.pl on Pg 8 + (bug 301062) and fixing the --regenerate option of collectstats.pl + for all versions of Pg (bug 316971). However, users who want full + PostgreSQL support are encouraged to use the 2.22 series, as + certain PostgreSQL bugs were discovered that will not be fixed + in 2.20 (their fixes were too complex). + ++ In Bugzilla 2.20, the "administrator" user created by checksetup.pl + would not ever be sent email, because their email preferences were + left blank. This has been fixed for 2.20.1. However, if you created + this administrative user with Bugzilla 2.20, make sure to go back + and enable their Email Preferences. (bug 317489) + ++ The bzdbcopy.pl script mentioned in these release notes + has now actually been checked-in to the 2.20 branch, and so + it's included in this release. (bug 291776) + ++ When there's only one Classification, you now won't be required + to pick a Classification on bug entry. (bug 311489) + ++ You can no longer add dependencies on bugs you can't see. + (bug 141593) + ++ The CC list is included in "New" bug emails, again. (bug 313661) + ++ In the original 2.20, certain scripts were not correctly using + the "shadow database," if it was specified. This has been fixed + in 2.20.1. (bug 313695) + ++ "Saved Searches" that were saved before Bugzilla 2.20, would throw + an error if they contained "Days Since Bug Changed." as part of their + criteria. This has been fixed in Bugzilla 2.20.1. (bug 302599) + ++ You can now successfully delete a product even when Target Milestones + are turned off. (bug 317025) + ++ checksetup.pl now correctly pre-compiles templates for languages other + than English. (bug 304417) + ++ The "All Closed" chart that is created by default in New Charts + now actually represents all closed bugs, and not all bugs in the + product. (bug 300473) + ++ CSV bug lists with more than 1000 dates now work properly. (bug 257813) + ++ Various bugs with upgrading from previous versions of Bugzilla + have been fixed. (bug 307662, bug 311047, bug 310108) + ++ Many, many other bug fixes. See http://www.bugzilla.org/status/changes.html + for details on what was fixed between 2.20 and 2.20.1. + + +Version 2.20.2 +-------------- + ++ Adding a new attachment and taking the bug at the same time does not + create a referential integrity problem anymore if the bug was marked as + a duplicate (bug 332705). + ++ Some additional admin links have been added to the sidebar (bug 282613). + ++ A new test has been added to our test suite, named 012throwables.t. + It will now make sure that all tags used in ThrowUserError() and + ThrowCodeError() are defined, and that there are no unused tags (bug 312042). + ++ whine.pl now works correctly on MySQL 4.0. MySQL 4.1 is not affected + (bug 327348). + ++ contrib/merge-users.pl allows you to merge two user accounts. This is + especially useful when a user opened several accounts and only one + should be kept (bug 188264). + ++ The login form on index.cgi again works correctly on a fresh installation + (bug 328108). + ++ Email preferences are now set correctly when creating a new user account + using the ENV method (bug 327355). + + +Minimum Requirements +******************** + +Perl +---- + + Perl v5.6.1 (changed from 2.18) (Non-Windows platforms) + ActiveState Perl v5.8.1 (Windows only) + +For MySQL Users +--------------- + + MySQL v3.23.41 (Note: 2.22 will require MySQL 4.x) + perl module: DBD::mysql v2.9003 (changed from 2.18) + +For PostgreSQL Users (new in 2.20) +-------------------- + + PostgreSQL 7.3.x (8.x has received less testing) + perl module: DBD::Pg 1.31 (1.41 required for PostgreSQL 8+) + +Required Perl Modules +--------------------- + + AppConfig v1.52 + CGI v2.93 + Data::Dumper (any) + Date::Format v2.21 + DBI v1.38 (changed from 2.18) + File::Spec v0.84 (changed from 2.18) + File::Temp (any) + Template Toolkit v2.08 + Text::Wrap v2001.0131 + Mail::Mailer 1.65 (new in 2.20) + Storable (any) (new in 2.20) + +Optional Perl Modules +--------------------- + + Chart::Base v1.0 + GD v1.20 + GD::Graph (any) + GD::Text::Align (any) + Net::LDAP (any) + PatchReader v0.9.4 + XML::Parser (any) + + +What's New? +*********** + +Experimental PostgreSQL Support +------------------------------- + +In addition to MySQL, Bugzilla now also supports PostgreSQL. PostgreSQL +support is still somewhat experimental. Although most major features of +Bugzilla work on PostgreSQL in 2.20, there are probably still a few bugs +that need to be worked out. + +PostgreSQL support in 2.20 is acceptable for smaller production +environments that don't mind running into a bug or two now and then. + + +New User-Interface Color/Style +------------------------------ + +You'll notice that Bugzilla looks a bit nicer, now! We've made a few +color and style changes to update the overall "feel" of Bugzilla's +User Inteface. We plan to do even more work on the UI for 2.22. + + +Higher-Level Categorization of Bugs (above "Product") +----------------------------------------------------- + +Previous Bugzillas had "Products" that you could file bugs in, +and "Components" for those products. Now, "Products" can be grouped +into "Classifications." + +To enable this, a Bugzilla administrator can turn on the +"useclassification" parameter, using editparams.cgi. + + +Regular Reports by Email of Complex Queries ("Whining") +------------------------------------------------------- + +You can now tell Bugzilla to do a specific query (or set of queries) +every X minutes/hours/days, and send you the results by email. This is +great for keeping track on a daily basis of what's going on in +your Bugzilla. + + +"Environment Variable" Authentication Method +-------------------------------------------- + +You can now tell Bugzilla to accept a certain value passed in from +Apache as authentication for Bugzilla users. This means that Bugzilla +now "supports" any type of authentication that Apache supports. + +To use this, set the "user_info_class" parameter to "ENV" and, at a +minimum, set the "auth_env_email" parameter to the name of the +Environment variable that passes the authenticated user (usually +"REMOTE_USER"). If your webserver knows users' real names as well, also +set the "auth_env_realname" parameter. If you are using a true +single-signon system that assigns an identifier uniquely to an +individual, even across changes of email address, then set +"auth_env_id" to the name of that variable. + + +User-List Drop-Down Menus +------------------------- + +Now, anywhere in Bugzilla where you previously had to type in an +email address by hand, you have the choice of having Bugzilla instead +display a drop-down menu of users to pick from. + +This feature is best for small installations with few users, because +on large installations the list grows too large to be useful. + +To enable the feature, turn on the "usemenuforusers" parameter in +editparams.cgi. + + +Server-Side Comment Wrapping +---------------------------- + +In older Bugzillas, comments were wrapped to 80 characters by the +user's web browser, and then stored in the database that way. This caused +problems because some browsers did not wrap comments properly. + +Now, Bugzilla stores comments unwrapped and wraps them at display time, so +all new comments should be properly wrapped. Also, when you upgrade, Bugzilla +will look for old "mis-wrapped" comments and attempt to wrap them properly. + +Lines beginning with the ">" character are assumed to be quotes, and are +*not* wrapped. + + +UI for Editing Priority, OS, Platform, and Severity +--------------------------------------------------- + +Bugzilla now has a User Interface for adding and removing values +from the OS, Platform, Priority, and Severity fields. You can also +rename values. Any user in the "editcomponents" group can click +on the "Field Values" link in their page footer to edit these fields. + +Also, the default list of choices for OS and Platform for new +installations is now much smaller. Old installations will keep +the same list they have now. + + +Bugzilla Queries as RSS +----------------------- + +You can now view a Bugzilla query as valid RSS 1.0. This means that you +could add a particular query to your RSS aggregator, if you wanted, to +keep track of changes in Bugzilla. + +To see a query as RSS, just click on the "RSS" link on the bottom of +your query results. Your query must return at least 1 result in order +for you to see the link. + + +Choice of E-Mail Sending Methods +-------------------------------- + +Bugzilla now uses perl's Mail::Mailer to send e-mail. This means that +you have several choices of how Bugzilla can send email. By default, it +still uses sendmail, but it can also use SMTP, qmail, or send all email +to a file instead of out to users. + +A Bugzilla administrator can change which method is used by setting the +"mail_delivery_method" parameter in editparams.cgi. + + +"User Preferences" +------------------ + +Bugzilla users will now notice a section in their Preferences called +"General Preferences." Administrators will notice a new link called +"User Preferences." + +The Preferences system allows Bugzilla developers to specify arbitrary +"user preferences" that change the behavior of certain parts of Bugzilla. +Administrators can control whether or not users are allowed to use these +preferences, and what the default settings are for a user who is not +logged in. + +The first two preferences that we have implemented are: + + "Show a quip at the top of each bug list" + + "When viewing a bug, show comments in this order..." + +We plan to implement more preferences in the future. + + +"Large Attachment" Storage +-------------------------- + +Bugzilla can now store very large attachments on disk instead of in the +database. These attachments can't be searched with Boolean Charts, but +they also don't take up database space, and they can be deleted individually +by the admin. + +When uploading an attachment, a user chooses if it's a "Big File." If so, +it's stored on the disk instead of in the database. + +To enable this feature, set the "maxlocalattachmentsize" parameter to +a non-zero value, in editparams.cgi. + + +"User Visibility" Controls +-------------------------- + +It is now possible to prevent users from encountering all other users when +using user-matching or drop-down userlists. To enable this restriction, +enable the "usevisibilitygroups" parameter. Once this is enabled, each +group's permissions will include a new column for "visible." The members +of any group for which the group being edited is visible will be +able to user-match this groups's users or see them in dropdown lists. + +This does not control who a user can CC on a bug, only who they can +see in the user-matching lists or drop-downs. + +Miscellaneous Improvements +-------------------------- + +- Marking an attachment as obsolete will now cancel all pending flag + requests for that attachment. That is, any flag that was set to "?" + on that attachment will be cleared. + +- You can now see which users are "watching" you, on the email + preferences page. + +- You can tell Bugzilla to mark certain comments in a different + color by adding "&mark=1,2,3,5-7" to the end of the show_bug.cgi URL, + where "1,2,3,5-7" means "highlight comment 1, comment 2, comment 3, and + comments 5 through 7." + +- "QA Contact" now also appears on the New Bug page, if QA Contacts are + enabled on your installation. + +- Bugzilla email now has the "In-Reply-To" header added to it, so if + you use an email client that supports threads, you can view your + Bugzilla email in threads. If you are upgrading to a new version of + Bugzilla, and you want this support, please see the instructions at: + https://bugzilla.mozilla.org/attachment.cgi?id=172267 + +- The email preferences system has been slightly updated. You will notice + the changes on your Email Preferences page. + +- You can now negate individual "boolean charts" (in the + "Advanced Searching" section at the bottom of the "Advanced + Search" page). That is, you can add "NOT" to the front of them. + +- You can add the words %assignee%, %reporter%, %user% (yourself), or + %qacontact% on the right-hand side of a Boolean Chart. For example, you + could make a Boolean Chart which said "Reporter" "does not equal" + "%assignee%". That would give you all bugs where the Reporter was not + the same as the Assignee. + +- You can now search Boolean Charts by "commenter." + +- If you have a group with no name, it will be re-named to "group_#" where + "#" is the numeric Bugzilla Group ID for that group. + +- If you are using time-tracking, you can now see a report of time spent + on bugs using summarize_time.cgi. + +- If you are using time-tracking, bugzilla will now set "hours remaining" + to "0" automatically if you RESOLVE a bug, whether you are in the + time-tracking group or not. + + +Deprecated Features +******************* + +- Bugzilla 2.20 is the last Bugzilla version to support MySQL 3.23.x. + Starting with Bugzilla 2.22, Bugzilla will require MySQL 4.0.x. This will + allow Bugzilla to take advantage of the advanced features of MySQL 4. + + +Outstanding Issues +****************** + +- (No Bug Number) VERY IMPORTANT: If you have customized the values in + your Status/Resolution field, you must edit checksetup.pl BEFORE YOU + RUN IT. Find the line that starts like this: + + bug_status => ["UNCONFIRMED", + + That's where you set the values for the Status field. + + resolution => ["","FIXED", + + And that's where you set values for the Resolution field. + + Those are both near line 1826 in checksetup.pl. + + If you forget to do this, you will have to manually edit the "bug_status" + and "resolution" tables in the database to contain the correct values. + +- bug 37765: VERY IMPORTANT: If you use the "sendmail" support of Bugzilla, + and you use an MTA which is *not* Sendmail (such as Postfix, Exim, etc.) + you MUST turn on the "sendmailnow" parameter or Bugzilla will not send + e-mail correctly. + +- (No Bug Number) If you close your web browser while the process_bug.cgi + or post_bug.cgi screen is running, not all emails will be sent, and + the next time that that bug is updated, there will be two updates. This + is because of a behavior of Apache that is beyond our control. + +- bug 276230: The support for restricting access to particular Categories of + New Charts is not complete. You should treat the 'chartgroup' Param as the + only access mechanism available. However, additionally, charts migrated from + Old Charts will be restricted to the groups that are marked MANDATORY for + the corresponding Product. There is currently no way to change this + restriction, and the groupings will not be updated if the group configuration + for the Product changes. This will not be fixed in the 2.20 branch. + +- bug 69621: If you rename or remove a keyword that is in use on bugs, you will + need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing + the option to rebuild the cache when it asks. Otherwise keywords may not show + up properly in search results. + +- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for + example, if you use a translation of Bugzilla), don't enable the XS::Stash + option when you install the Template Toolkit, or your Bugzilla installation + may become slow. This problem is fixed in a not-yet-released version of the + Template Toolkit (after 2.14). + +- If at any time you upgraded from a version of Bugzilla between 2.17.4 - + 2.17.7 to either 2.18rc3 or 2.19.1, you must manually fix your New Charts in + order for them to work. See the following link for instructions on how to do + this: https://bugzilla.mozilla.org/show_bug.cgi?id=276237#c18 + If you are using 2.18rc3, but did not upgrade from version 2.17.4 or newer, + then you don't need to do this. + +- (No Bug Number) If your DBI is really, really old, Bugzilla might fail + with a strange error message when you try to run checksetup.pl. Try + upgrading your DBI using: perl -MCPAN -e'install DBI' + +- Bug 126266: Bugzilla does not use UTF-8 to display pages. This means + that if you enter non-ASCII characters into Bugzilla, they may + display strangely, or Bugzilla may have other problems. For a workaround, + see: http://www.bugzilla.org/docs/tip/html/security-bugzilla.html + This has been fixed in the 2.22 series. + +- Bug 99215: Flags are not protected by "mid-air collision" detection. + Nor are any attachment changes. + +- Bug 89822: When changing multiple bugs at the same time, there is no + "mid-air collision" protection. + +- Bug 285614: importxml.pl may be broken in many different ways. + It has been fixed and completely re-written in the 2.22 series. + +- (No Bug Number) Note that the email interface (bug_mail.pl) in the + contrib/ directory has not been maintained (as it has no maintainer), + and so may not be working properly. Contributions are welcome, if + anybody would like to work on it. + + +Upgrading From An Older Bugzilla +************************************ + +NOTE: Running checksetup.pl to upgrade a large installation (over 10,000 bugs) + may take a significant amount of time. checksetup will try to let + you know how long it will take, but expect downtime of an hour or + more if you have many bugs, many attachments, or many users. + +Steps for Upgrading +------------------- + +1) View the Sanity Check (sanitycheck.cgi) page on your installation before + upgrading. Attempt to fix all warnings that the page produces before + you go any further, or you may experience problems during your upgrade. + +2) Make a backup of the Bugzilla database before you upgrade, perhaps + by using mysqldump. + + Example: + + mysqldump -u root -p --databases bugs > bugs.db.backup + +3) Replace the files in your installation with the new version of Bugzilla, + or you can try to use CVS to upgrade. The Bugzilla.org website has + instructions on how to do the actual installation. + +4) Make sure that you run checksetup.pl after you install the new version. + +5) View the Sanity Check page again after you run checksetup.pl. + +6) It is recommended that, if possible, you fix any problems you find + immediately. Failure to do this may mean that Bugzilla will not work + correctly. Be aware that if the sanity check page contains more errors after + an upgrade, it doesn't necessarily mean there are more errors in your + database, as additional tests are added to the sanity check over time, and + it is possible that those errors weren't being checked for in the old + version. + +7) If you want threading support on your Bugzilla email (see the + "Miscellaneous Improvements" section above for a description), + you need to follow the instructions at: + https://bugzilla.mozilla.org/attachment.cgi?id=172267 + + +Code Changes Which May Affect Customizations +******************************************** + +The New Database-Compatibility Layer +------------------------------------ + +For most customizations, this should have no effect. However, you should +be aware that Bugzilla->dbh is now an instance of "Bugzilla::DB" instead +of being a DBI object directly. In fact, it's actually a +Bugzilla::DB::Mysql for MySQL users, and a Bugzilla::DB::Pg for +PostgreSQL users. + +Anything called from $dbh (like $dbh->bz_last_key) that starts with +"bz_" or "sql_" is a custom Bugzilla function. Anything *not* starting +with those two prefixes is a normal DBI function. + +Methods whose names start with "sql_" generate a piece of a SQL statement. +They generate the correct version of the statement for whichever database +you are using. + +Methods whose names start with "bz_" do something directly. + +You can see more documentation about this at: + +http://www.bugzilla.org/docs/2.20/pod/Bugzilla/DB.pm + + +If You Customize Your Database... +--------------------------------- + +In order to support multiple databases, we had to do something sort of +tricky. Bugzilla now stores what it *thinks* the current database schema +is, in a table called bz_schema. + +This means that when checksetup changes the database, it updates the +bz_schema table. When *you* update the database, without using +checksetup to do it, the bz_schema table is *not* updated. + +So, if you're going to add/remove a new column/table to Bugzilla, or if you're +going to change the definition of a column, try to do it by adding code to +checksetup in the correct place. (It's one of the places where you find +the word "--TABLE--".) + +You can see the documentation on the $dbh functions used to do this at: + +http://www.bugzilla.org/docs/2.20/pod/Bugzilla/DB.pm#schema_modification_methods + + +Many Functions Renamed +---------------------- + +We are reorganizing the Bugzilla code so that it can support mod_perl. As +part of this, we are moving all functions out of globals.pl and CGI.pl, and +into modules in the Bugzilla/ directory. + +Sometimes when we moved them, we also renamed them. The new Bugzilla standard +is to have functions_named_like_this, instead of FunctionsNamedLikeThis. + +So if you were using a FunctionNamedLikeThis that no longer works, try just +using it as function_named_like_this. If that doesn't work, you may have to +search for where we put it, and what we renamed it to. Most of the functions +moved to logical places. + +If you really can't find it, search bugzilla.mozilla.org using the name +of the old function. We usually moved one function per bug, so the new +name will be somewhere in a bug report. + + +User Preferences +---------------- + +Bugzilla now has a "User Preferences" system! These preferences are stored +in the database, and specified by a Bugzilla developer. The Bugzilla +developers actually call these "settings," but we called them "User +Preferences" in the UI to make things clearer. + +You access a user's settings differently depending on if you are in a +.cgi file or in a template file: + +CGI: Bugzilla->user->settings->{'setting_name'}->value +Template: Bugzilla.user.settings.setting_name.value + +Where "setting_name" is the name of the setting. You can see the current +setting names in the "setting" table in the database. + +Remember that sometimes you may want to check a user's settings when +making a customization. + +To see how to add new settings, search for "add_setting" in checksetup.pl. +Also see the template: template/en/default/global/setting-descs.none.tmpl. + +Other Changes +------------- + +- The $::unconfirmedstate variable has been replaced by the actual string + "UNCONFIRMED" everywhere in Bugzilla code. + +- The %::FORM and %::MFORM variables are no longer used to access form + data. Instead, use $cgi->param(). There are many examples of how to do + this, all over the Bugzilla code. + +- SendSQL() and related calls are deprecated, and the various $dbh methods + should be used instead, such as $dbh->prepare() and $dbh->execute(). + Bugzilla->dbh is the $dbh handle to use. For more information on how + to use the $dbh methods, see: http://search.cpan.org/dist/DBI/DBI.pm + +- The $::userid variable will be going away. Use Bugzilla->user->id instead. + +- All global variables (any that start with $::, @::, or %::) will + be entirely gone by Bugzilla 2.24. + + +Security Fixes in 2.20 Releases +******************************* + +2.20.1 +------ + +There were three security issues discovered after the release of +Bugzilla 2.20 that we resolved for Bugzilla 2.20.1. One SQL Injection +(from an administrator only), one Cross-Site Scripting vulnerability +(that mostly affects only the user who can exploit it), and one minor, +extremely specific information leak. + +To see details on the vulnerabilities that were fixed, see the +Security Advisory at: + +http://www.bugzilla.org/security/2.16.10/ + + +Release Notes for Previous Versions +*********************************** + +***************************************** +*** The Bugzilla 2.18.x Release Notes *** +***************************************** + +Table of Contents +***************** + +- Introduction +- Important Updates In This Point Release + * Version 2.18.1 + * Version 2.18.2 +- Requirements + * Dependency Requirements +- What's New? + * Generic Reporting + * Generic Charting + * Request System + * Enterprise Group Support + * User Wildcard Matching + * Support for "Insiders" + * Time Tracking + * Authentication module/LDAP improvements + * Improved localization support + * Patch Viewer + * Comment Reply Links + * Full-Text Search + * Email Address Munging + * Simple Search + * Miscellaneous Improvements + * All Changes +- What's Changed? + * Flag Names + * New Saved Search User Interface + * Rules for changing fields +- Removed Features +- Code Changes Which May Affect Customizations +- Recommended Practice for the Upgrade + * Note About Upgrading From MySQL With ISAM Tables + * Steps for Upgrading +- Outstanding Issues (<======================== IMPORTANT, PLEASE READ) +- Security Fixes In 2.18 Releases +- Detailed Version-To-Version Release Notes + + +Introduction +************ + +This document contains the release notes for Bugzilla 2.18 and +the bugfix releases after 2.18. In this document, recently added, +changed, and removed features of Bugzilla are described. + +The 2.18 release is our current stable series, containing the results +of over two years of hard and dedicated work by volunteers all over +the world under the lead of Dave Miller. + + +Important Updates In This Point Release +*************************************** + +There are usually many other bug fixes than those listed below, +but the below fixes are the ones that we thought System Administrators +would like to specifically know about. + +To see a listing of all changes in this release, you can use the +table available at: + +http://www.bugzilla.org/status/changes.html + +Version 2.18.1 +-------------- + ++ You can now enter a negative time for "Hours Worked" + in the time-tracking area. (Bug 271276) + ++ The BugMail.pm customization required for Windows (as + described in the Bugzilla Guide) now actually works. (Bug 280911) + ++ Users who were using Bugzilla 2.8 can now successfully upgrade + to 2.18.1 (they couldn't upgrade to 2.18). (Bug 283403) + ++ Dependency mails are now properly sent during a mass-change of bugs. + (Bug 178157) + + +Version 2.18.2 +-------------- + ++ You can now create accounts with createaccount.cgi even + when the "requirelogin" parameter is turned on. (Bug 294778) + ++ Bugs that are in disabled groups may not show a padlock + on the bug list, or may otherwise behave strangely. You + can now fix this using sanitycheck.cgi. (Bug 277454) + ++ If sendmail dies while you are marking a bug + as a duplicate, the duplicates table will no longer become + corrupted. (Bug 225042) + + +Requirements +************ + +Dependency Requirements +----------------------- + +Minimum software requirements: + + MySQL v3.23.41 (changed from 2.16) + Perl v5.6.0 (changed from 2.16) (Non-Windows platforms) + ActiveState Perl v5.8.1 (Windows only) + +Required Perl modules: + + AppConfig v1.52 + CGI v2.93 (new since 2.16) (changed from 2.17.7) + Data::Dumper (any) + Date::Format v2.21 (changed from 2.16) + DBI v1.36 (changed from 2.16) (changed from 2.17.7) + DBD::mysql v2.1010 (changed from 2.16) + File::Spec v0.82 + File::Temp (any) + Template Toolkit v2.08 (changed from 2.16) + Text::Wrap v2001.0131 + +Optional Perl modules: + + Chart::Base v1.0 (changed from 2.16) (changed from 2.17.7) + GD v1.20 (changed from 2.16) + GD::Graph (any) (new since 2.16) + GD::Text::Align (any) (new since 2.16) + Net::LDAP (any) (new since 2.16) + PatchReader v0.9.4 (new since 2.16) (changed from 2.17.7) + XML::Parser (any) + + +What's New? +*********** + +Generic Reporting +----------------- + +Bugzilla has a new mechanism for generating reports of the current state of +the bug database. It has two related parts: a table-based view, and several +graphical views. + +The table-based view allows you to specify an x, y and z (multiple tables of +data) axis to plot, and then restrict the bugs plotted using the standard +query form. You can view the resulting data as an HTML or CSV export (e.g.: +for importing into a spreadsheet). + +There are also bar, line and pie charts, which are defined in a very similar +way. These views may be more appropriate for particular data types, and are +suitable for saving and then putting into presentations or web pages. + + +Generic Charting +---------------- + +Bugzilla has a new mechanism for generating charts (graphs over time) of any +arbitrary search. This is known as "New Charts." Legacy data from the previous +charting mechanism ("Old Charts") is migrated into the "New Charts" when you +upgrade. The Old Charts mechanism remains, but is deprecated and will be +removed in a future version of Bugzilla. + +Individual users can see/create charts as long as they are a member of the +group specified in the Param 'chartgroup'. Data can be collected for +personal charts every seven days (or a longer period, as set by the user). +Charts created by an administrator can be made public (visible to all). Data +is collected for administrator charts every day (or a longer period, as set +by the admin). + +The data is collected by the collectstats.pl script, which an administrator +will need to arrange to be run once every day (see the manual). Chart data can +be plotted in a number of different ways, and different data sets can be +plotted on the same graph for comparison. + +Please see the Known Bugs section for some important limitations relating to +access controls on charts. + + +Request System +--------------- + +The Request System (RS) is a set of enhancements that adds powerful flag +(superset of the old attachment status) features to the bugs. + +RS allows for four states: off, granted, denied, and (optionally) requested, +where "granted" is the equivalent of "on". These additions mean it is no +longer necessary to define a status to negate another status (e.g. +"needs-work" to negate "has-review") because negation is built into each +status via the status' "denied" state. Bug statuses: Previously only +attachments could have these kinds of statuses. RS enables them for bugs as +well. This feature can be used to request and grant/deny certain properties +for a bug, such as inclusion for a specific milestone or approval for checkin. +This way, Bugzilla supports the natural decision-making process in your +organization. + +- Requests: Flags can now optionally be made requestable, which means users + can ask other users to set them. When a user requests a flag, Bugzilla + emails the requestee and adds the request to a browsable queue so both the + requester and the requestee can keep track of its status. Once the + requestee fulfills the request by setting the flag to either granted or + denied, Bugzilla emails the requestee and removes the request from the + queue. This feature supports workflow like the mozilla.org code review + and milestone approval processes, whereby code is peer reviewed before + being committed and patches get approved by product release managers for + inclusion in specific product releases. + +- Product/component specificity: Previously flags were product-specific, and + if you wanted the same flag for multiple products you had to define + multiple flags with the same name. Flags are now + product/component-specific, and a single flag can be enabled or disabled + for multiple product/component combinations via inclusions and exclusions + lists. Flags are enabled for all combinations on their inclusions list + except those that appear on their exclusions list. + + +Enterprise Group Support +------------------------ + +Bugzilla is no longer limited to 55 access control groups. Administrators can +define an arbitrary number of access groups composed of individual users or +other groups. The groups can be configured via the web interface to achieve a +wide variety of access control policies. See the documentation section on +'Groups And Group Controls' for details. + + +User Wildcard Matching +---------------------- + +Sites can now enable the use of wildcards and substrings in bug entry and +editing forms. If the user enters an incomplete username, he'll get a list of +users that matched the given username. + + +Support for "Insiders" +---------------------- + +If the 'insidergroup' parameter is defined, a specific group of users can be +designated insiders who can designate comments and attachments as private to +other insiders. These comments and attachments will be invisible to other +users who are not members of the insiders group even if the bugs to which they +apply are visible. Other insiders will see the comments and attachments with a +visual tinting indicating that they are private. + + +Time Tracking +------------- + +Controls for tracking time spent fixing bugs are included in the bug form for +members of the group specified by the 'timetrackinggroup' parameter. Any time +comments are added to the bug, members of the time tracking group can add an +amount of time they spent, and it's figured into the total and displayed at +the top of the bug. Shown in the bug are your original estimate, the amount of +time spent so far, the revised estimate of how much time is remaining, and +your gain/loss on the original estimate. + + +Authentication module/LDAP improvements +--------------------------------------- + +Bugzilla's authentication mechanisms have been modularized, making pluggable +authentication schemes for Bugzilla a reality. Both the existing database and +LDAP systems were ported as part of modularization process. Additionally, the +CGI portion of the backend was redesigned to allow for authentication from +other sources, including (theoretically) email, which will help Bug 94850. + +As part of this conversion, LDAP logins now use Perl's standard Net::LDAP +module, which has no external library dependencies. + + +Improved localization support +----------------------------- + +Bugzilla administrators can now configure which languages are supported by +their installations and automatically serve correct, localized content to +users based on the HTTP 'Accept-Language' header sent from users' browsers. + +There are currently localized templates available for: Arabic, Belarusian, +Chinese, French, German, Italian, Korean, Portuguese (Brazil) Spanish (Spain +or Mexico) and Russian. These localized template packs are third-party +contributions, may only be available for specific versions, and may not be +supported in the future. (http://www.bugzilla.org/download/#localizations) + + +Patch Viewer +------------ + +Viewing and reviewing patches in Bugzilla is often difficult due to lack of +context, improper format and the inherent readability issues that raw patches +present. Patch Viewer is an enhancement to Bugzilla designed to fix that by +offering increased context, linking to sections, and integrating with Bonsai, +LXR and CVS. + + +Comment Reply Links +------------------- + +In Edit Bug, each bug comment now includes a convenient (reply) link that +quotes the comment text into the textarea. This feature is only enabled in +Javascript-capable browsers, but causes no inconvenience to other user agents. + + +Full-Text Search +---------------- + +It is now possible to query the Bugzilla database using full-text searching, +which spans comments and summaries, and which searches for substrings and stem +variations of the search term. Basically, it's like using Google. + + +Email Address Munging +--------------------- + +The fact that raw email addresses are displayed in Bugzilla makes it trivial +for bots that spamharvest to spider through Bugzilla, in particular, through +Bugzilla's buglists. This change adds HTML obfuscation of email addresses as +they appear in the Bugzilla web pages. + + +Google-like Bug Search +---------------------- + +Bugzilla now includes a very simple, Google-like "Find a Specific Bug" page, +in addition to its advanced search page. + + +Miscellaneous Improvements +-------------------------- + +- The "Assigned To" field on the new bug page is now prefilled with the default + component owner. + +- A bug alias column is now available in the buglist page. + +- Lists of bugs containing errors in the sanity check page now have a "view as + buglist" link in addition to the individual bug links. + +- Autolinkification Page - It's now possible to apply Bugzilla's comment + hyperlinking algorithm to any text you like. This should be useful for status + updates and other web pages which give lists of bugs. The bug links created + include the subject, status and resolution of the bug as a tooltip. + +- There are more <link> tags on the links toolbar for navigating quickly between + different areas. + +- Buglists are now available as comma-separated value files (CSV) and JavaScript + (JS) as well as HTML and RDF. + +- Keywords and dependencies can now be entered during initial bug entry. + +- A CSS id signature unique to each Bugzilla installation is now added to the + <body> tag on Bugzilla pages to allow custom end-user CSS to explicitly affect + Bugzilla. + +- Perl's path has been changed to a normal /usr/bin/perl from the original + legacy "bonsaitools" path specifier. + +- A new "always-require-login" parameter allows administrators to require a + login before being able to view any page, except the front page. + +- A developer may add an attachment, and also reassign a bug to himself as part + of that single action. + +- Bugzilla is now able to use the replication facilities provided by the + MySQL database to handle updates from the main database to the secondaries. + +- Mail handling is now between 125% to 175% faster. + +- Guided Bug Entry: You can see a sample enter_bug.cgi template at + enter_bug.cgi?format=guided that "guides" users through the process of + filing a "good" bug. It needs to be modified before use in your organization. + +- There is now a "Give me some help" link on the Advanced Search page that will + enable pop-up help for every field on the page. + +- The Bugzilla administrator can now forbid users from marking bugs RESOLVED + when there are unresolved dependencies. + + +All Changes +----------- + +To see a list of EVERY bug that was fixed between 2.16 and 2.18 (over 1000), +see: http://tinyurl.com/6m3e4 + + +What's Changed? +*************** + + +Flag names +---------- + +Prerelease versions of Bugzilla 2.17 and 2.18 inadvertantly allowed +commas and spaces in the names of flags, which due to the way they're +processed, caused lots of internal havoc if you named flags to have +any commas or spaces in them. Having commas or spaces in the names +can cause errors in the notification emails and in the bug activity +log. The ability to create new flags with these characters has been +removed. If you have any existing flags that you named that way, +running checksetup will attempt to automatically rename them by +replacing commas and spaces with underscores. + + +New Saved Search User Interface +------------------------------- + +In previous Bugzilla versions, you could specify on the search page that you +wanted to save a search and store it as a link in your footer. This option has +now moved to the search results page (buglist.cgi), where you will see a +"Remember search" button with a box next to it to enter the name of the search. + +You can manage your saved searches on the Preferences page. + + +Rules for changing fields +------------------------- + +There have been some changes to the rules governing who can change which fields +of a bug report. The rules for Bugzilla version 2.16 and 2.18, along with +differences between them, are listed below. Bear in mind that there are other +restrictions on bug manipulation besides the ones listed below. In particular, +the groups system enforces restrictions on who can create, edit, or even see +any given bug. + +Bugzilla 2.16 rules: + +- anyone can make a null change; +- anyone can add a comment; +- anyone in the editbugs group can make any change; +- the reporter can make any change to the status; +- anyone in the canconfirm group can change the status + to any opened state (NEW, REOPENED, ASSIGNED). +- anyone can change the status to any opened state + if the everconfirmed flag is set; +- the owner, QA contact, or reporter can make any change + *except* changing the status to an opened state; +- No other changes are permitted. + +[Note that these rules combine to allow the reporter to make any change +to the bug.] + +Bugzilla 2.18 rules: + +- anyone can make a null change; +- anyone can add a comment; +- anyone in the editbugs group can make any change; +- anyone in the canconfirm group can change the status + from UNCONFIRMED to any opened state; +- the owner or QA contact can make any change; +- the reporter can make any change *except*: + - changing the status from UNCONFIRMED to any opened state; or + - changing the target milestone; or + - changing the priority (unless the letsubmitterchoosepriority + parameter is set). +- No other changes are permitted. + +The effective differences in the rules: + +- In 2.16, the reporter could always change anything about a bug. + + In 2.18, the reporter can't: + + - confirm the bug unless he is in the canconfirm group; + - change the target milestone; + - change the priority (unless the 'letsubmitterchoosepriority' + parameter is set; + + (unless he is also the owner, the QA contact, or in the editbugs + group, in which case he can do all these things). + +- In 2.16, the owner or QA contact (if the 'useqacontact' parameter + is set) can't change the bug status to an opened status unless they + are also the reporter, or have editbugs or canconfirm, or the + everconfirmed flag is set on the bug). + + In 2.18 the owner or QA contact can make any change to a bug. + +- In 2.16, a member of the canconfirm group can set the status + to any opened status. + + In 2.18 this is only possible if the status was previously + the unconfirmed status. + +- In 2.16, the status can be set to anything by anybody + if the 'everconfirmed' flag is set. + + In 2.18, this authorization code does not pay any attention + to the 'everconfirmed' flag. + + +Removed Features +**************** + +- Please note that Bugzilla no longer supports MySQL 3.22. The minimum required + version is now 3.23.41. + +- The "shadow database" mechanism is no longer used. Instead, use MySQL's + built-in replication feature. + +- If you have placed any comments in the localconfig file, they may be removed + by checksetup.pl. + + +Code Changes Which May Affect Customizations +******************************************** + +- A mechanism (called "Template Hooks") for third party extensions to plug into + existing templates without having to patch or replace distributed templates + has been added. More information on this can be found in the documentation. + +- Header output now uses CGI.pm, in a step towards enabling mod_perl + compatibility. This change will affect users that had customized charsets in + their CGI files: previously the charset had to be added everywhere that + printed the Content-Type header; now it only needs changing in one spot, in + Bugzilla/CGI.pm. + +- $::FORM{} and $::COOKIE{} are deprecated. Use the $cgi methods to access + them. + +- $::userid is gone in favor of Bugzilla->user->id + +- ConnectToDatabase() is gone (it's done automatically when you initialize the + Bugzilla object) + +- quietly_check_login() and confirm_login() are gone, use Bugzilla->login() + with parameters for whether the login is required or not. + +- Use Bugzilla->user->login in place of $::COOKIE{Bugzilla_login} + +- You can tell if there's a user logged in or not by using + Bugzilla->user rather than looking for $::userid==0. + In new 2.18 code, use defined(Bugzilla->user) && (Bugzilla->user->id) + In 2.20, this will become just (Bugzilla->user->id) + In templates, always test [% IF user.id %] rather than [% IF user %] + +- SendSQL() and related calls are deprecated, and the various $dbh methods + should be used instead, such as $dbh->prepare() and $dbh->execute(). + Bugzilla->dbh is the $dbh handle to use. + + +Recommended Practice for the Upgrade +************************************ + +Note About Upgrading From MySQL With ISAM Tables +------------------------------------------------ +As previously noted in the Dependency Requirements MySQL is now required +to be at least version 3.23.41. This implies that all tables of type ISAM will +be converted by the checksetup.pl script to MyISAM. + + +Steps for Upgrading +------------------- + +1) View the Sanity Check (sanitycheck.cgi) page on your installation before + upgrading. + +2) As with any upgrade it is recommended that you make a backup of the + Bugzilla database before you upgrade, perhaps by using mysqldump. + + Example: + + mysqldump -u root -p --databases bugs > bugs.db.backup + +3) Replace the files in your installation, or you can try to use CVS to upgrade. + The Bugzilla.org website has instructions on how to do the actual + installation. + +4) Make sure that you run checksetup.pl after you install the new version. + +5) View the Sanity Check page again after you run checksetup.pl. + +6) It is recommended that, if possible, you fix any problems you find + immediately. Failure to do this may mean that Bugzilla will not work + correctly. Be aware that if the sanity check page contains more errors after + an upgrade, it doesn't necessarily mean there are more errors in your + database, as additional tests are added to the sanity check over time, and + it is possible that those errors weren't being checked for in the old + version. + + +Outstanding Issues +****************** + +These are known problems with the release that we think you should know about. +They each have a bug number for http://bugzilla.mozilla.org/ + +- If at any time you upgraded from a version of Bugzilla between 2.17.4 - + 2.17.7 to either 2.18rc3 or 2.19.1, you must manually fix your New Charts in + order for them to work. See the following link for instructions on how to do + this: https://bugzilla.mozilla.org/show_bug.cgi?id=276237#c18 + If you are using 2.18rc3, but did not upgrade from version 2.17.4 or newer, + then you don't need to do this. + +- bug 37765: If you use an MTA other than sendmail (such as Postfix, Exim, + etc.) you MUST turn on the "sendmailnow" parameter or Bugzilla will not send + e-mail correctly. + +- bug 276230: The support for restricting access to particular Categories of + New Charts is not complete. You should treat the 'chartgroup' Param as the + only access mechanism available. However, additionally, charts migrated from + Old Charts will be restricted to the groups that are marked MANDATORY for + the corresponding Product. There is currently no way to change this + restriction, and the groupings will not be updated if the group configuration + for the Product changes. + +- bug 69621: If you rename or remove a keyword that is in use on bugs, you will + need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing + the option to rebuild the cache when it asks. Otherwise keywords may not show + up properly in search results. + +- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for + example, if you use a translation of Bugzilla), don't enable the XS::Stash + option when you install the Template Toolkit, or your Bugzilla installation + may become slow. This problem is fixed in a not-yet-released version of the + Template Toolkit (after 2.14). + +- bug 266579: Users may be able to circumvent not having "canconfirm" privileges + in some circumstances. This is fixed starting with 2.19.3, but will not + be fixed in any 2.18 release, as the changes required to fix it are quite + large. + +- bug 99215: Attachment changes have no mid-air collision detection, unlike bug + changes. + +- bug 57350: Searching using the "commenter is" option may be VERY slow. Note + that searching for "field: comment, changed by: user@domain.com" is fast, + though. + +- bug 151509: Using the boolean chart option "contains the string" with the + "flag name" field or certain other fields will cause Bugzilla to emit an + error. This is fixed in 2.20rc1, but will not be fixed in the 2.18 series. + +- bug 234159: Bugzilla may sometimes send multiple notices in one email. + +- bug 237107: If you search for attachment information using the Boolean Charts + at the bottom of the Advanced Query page, bugs without attachments will not + show up in the result list. + + +Security Fixes In 2.18 Releases +******************************* + +Version 2.18 +------------ + +Summary: XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3 +CVE Name: CAN-2004-1061 +Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=272620 +Details: + It is possible to send a carefully crafted URL to Bugzilla designed to +trigger an error message. The Internal Error message includes javascript code +which displays the URL the user is visiting. The javascript code does not +escape the URL before displaying it, allowing scripts contained in the URL to +be executed by the browser. Many browsers do not allow unescaped URLs to be +sent to a webserver (thus complying with RFC 2616 section 2.3.1 and RFC 2396 +section 2.4.3), and are thus immune to this issue. + Browsers which are known to be immune: Firefox 1.0, Mozilla 1.7.5, +Camino 0.8.2, Netscape 7.2, Safari 1.2.4 + Browsers known to be susceptible: Internet Explorer 6 SP2, +Konqueror 3.2 + Browsers not listed here have not been tested. + + +Version 2.18.1 +-------------- + +Two security issues were fixed in Bugzilla 2.18.1, neither of them +critical. + +See http://www.bugzilla.org/security/2.16.8/ for details. + + +Version 2.18.2 +-------------- + +Two security issues were fixed in Bugzilla 2.18.2. One of them +is a major Information Leak/Unauthorized Bug Change. The other +is a minor Information Leak. + +See http://www.bugzilla.org/security/2.18.1/ for details. + + +Detailed Version-To-Version Release Notes +***************************************** + +********************************************************* +*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.7 *** +********************************************************* + +*** Security fixes *** + +- It is possible to send a carefully crafted HTTP POST message to + process_bug.cgi which will remove keywords from a bug even if you don't have + permissions to edit all bug fields (the "editbugs" permission). Such changes + are reported in "bug changed" email notifications, so they are easily + detected and reversed if someone abuses it. Users are now prevented from + making changes to keywords if they do not have editbugs privileges. (bug + 252638) + +*** Bug fixes of note *** + +- Enforce a minimum of 10 minutes between attempts to reset a password, so + we don't mailbomb the user if someone submits the form many times in a + row. (bug 250897) + +- Put products in alphabetical order on the create attachment status page. + (bug 251427) + +- Specify MyISAM as the table type when creating new tables. MySQL 4.1 and + up default to InnoDB, which doesn't support some of the indexing methods + that we use. (bug 263165) + +********************************************************* +*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.6 *** +********************************************************* + +*** Security fixes *** + +- If Bugzilla is configured to hide entire products from some users, both + duplicates.cgi and the form for mass-editing a list of bugs in buglist.cgi + can disclose the names of those hidden products to such users. + (bugs 234825 and 234855) + +- Several administration CGIs echo invalid data back to the user without + escaping it. (bug 235265) + +- A user with privileges to grant membership to any group (i.e. usually an + administrator) can trick editusers.cgi into executing arbitrary SQL. + (bug 244272) + +*** Bug fixes of note *** + +- Allow XML import to function when there are regexp metacharacters in product + names (bug 237591) + +- Allow the bug_email.pl contrib script to work with useqacontact (bug 239912) + +- Improve the error message used by checksetup.pl when the MySQL requirements + are not met (bug 240228) + +- Elimnate the warning in checksetup.pl about the minimum sendmail version (bug + 240060) + +- $webservergroup now defaults to group 'apache' in new installations (bug + 224477) + +- Correct a situation where a bugmail message could be sent twice to a user + being added to the CC list if the address was entered in a different case + than the user registered with. (bug 117297) + +- Various documentation updates + +********************************************************* +*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.4 *** +********************************************************* + +*** Bug fixes of note *** + +- Fix a "used only once" warning that ocurred only in perl 5.00503 + (bug 2321691) + +- When a user is creating a new account and enters an invalid email + address, the error page sent the "Content-type" header twice, causing + the second one to be visible at the top of the page. + (bug 137121) + +- An HTML encoding issue which only affected Internet Explorer was + corrected in the "Change several bugs at once" page. + (bug 181106) + +- During initial setup, using invalid characters in the administrator + password would present an error message stating your password was + too long or too short instead of telling you it had invalid + characters. + (bug 166755) + +- When a user reset their own password via an emailed token, the new + password in the first field would be accepted if the second password + field was left blank. + (bug 123077) + +- Reopening bugs from the "change several bugs at once" page now works. + (bug 95430) + +- Fix a regression in xml.cgi caused by the previous bugfix for MySQL + SUM() changes. The original fix didn't work properly either. + (bug 225474) + +- No longer use server push with the "Safari" browser, which claims to + use the Mozilla layout engine but doesn't. + (bug 188712) + +- Creating a shadow database no longer fails with taint mode errors. + (bug 227510) + +- If you change your cookiepath setting at some stage (because you have + moved the directory Bugzilla resides on your webserver), users can + have login cookies with the old cookiepath, and their browsers will + send multiple logincookies. Bugzilla now uses the first rather than + the last in order to get the most specific cookie which will be the + correct one. + (bug 121419) + +- Fixed a regression caused by the previous DBD::mysql fixes, that + caused older versions of DBD::mysql to break due to not supporting + the new DBI syntax. + (bug 224815) + +- Bugzilla no longer sends out invalid dates for cookie expiry. This + bug had no known user visible ramifications. + (bug 228706) + +- Update the shadow database parameters description to tell the user + about permissions requirements for creating a shadow database. + (bug 227513) + +- Various documentation updates. + +********************************************************* +*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.3 *** +********************************************************* + +*** SECURITY ISSUES RESOLVED *** + +- A user with 'editproducts' privileges (i.e. usually an administrator) + can select arbitrary SQL to be run by the nightly statistics cron job + (collectstats.pl), by giving a product a special name. + (bug 214290) + +- A user with 'editkeywords' privileges (i.e. usually an administrator) + can inject arbitrary SQL via the URL used to edit an existing keyword. + (bug 219044) + +- When deleting products and the 'usebuggroups' parameter is on, the + privilege which allows someone to add people to the group which is + being deleted does not get removed, allowing people with that + privilege to get that privilege for the next group that is created + which reuses that group ID. Note that this only allows someone who + had been granted privileges in the past to retain them. + (bug 219690) + +- If you know the email address of someone who has voted on a secure + bug, you can access the summary of that bug even if you do not have + sufficient permissions to view the bug itself. + (bug 209376) + +*** Bug fixes of note *** + +Perl 5.8.0 Compatibility fixes: + +- Two taint errors were fixed, one in process_bug.cgi, and + another in post_bug.cgi. + (bugs 220332 and 177828) + +MySQL 4.0 Compatibility fixes: + +- A cosmetic fix was applied to votes.cgi (if there were no + votes, the "0" was not displayed) due to a change in semantics + in SUM() in MySQL 4.0. + (bug 217422) + +DBD::mysql > 2.1026 Compatibility fixes: + +- DBD::mysql versions after 2.1026 return the table list quoted, which + broke the existing "table exists" check in checksetup.pl, which caused + the second and subsequent attempts to run checksetup.pl to fail. + (bug 212095) + +Miscellaneous bug fixes: + +- A Mozilla-specific reference was removed from one of the report + templates. + (bug 221626) + +- It was possible to enter a situation where you were unable to get to + editparams.cgi to turn the shutdownhtml param back off after you + turned it on when Apache was configured to run Bugzilla in suexec + mode. + (bug 213384) + +- The processmail rescanall task would not send e-mails about more than + one bug to the same address. + (bug 219508) + +- If Bugzilla hadn't been accessed in the last hour when the + collectstats.pl or whineatnews.pl cron jobs ran, the versioncache + would get recreated with the file owner being the user the cron job + was running as (usually not the webserver user), causing subsequent + access to Bugzilla by the webserver to fail until the permissions were + fixed. Now if versioncache isn't readable when accessing from the + webserver, we pretend it doesn't exist and recreate it again. + (bug 160422) + +- The 'sendmailnow' param is now on by default in new installations + (this does not affect existing installations). + (bug 146087) + +- The 008filter.t test would fail if you had multiple language packs + installed. It now properly tests all of the installed language packs. + (bug 203318) + +- A few minor documentation changes were committed. + +********************************************************* +*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.2 *** +********************************************************* + +*** SECURITY ISSUES RESOLVED *** + +- A cross site scripting (XSS) vulnerability was fixed in which bug + summaries were not properly filtered when a user viewed a dependency graph + allowing JavaScript to be embedded on that page. + (bug 192661) + +- Several XSS vulnerabilities were fixed in which user + input was not escaped when being displayed. A new + test has been added to warn about unfiltered data in template + files (t/008filter.t). + (bug 192677) + +- An issue was fixed in which the QA contact was still treated as the QA + contact even after the 'useqacontact' setting was turned off. This also + allowed the QA contact to edit the security groups and view secured bugs that + he/she was allowed to access prior to the 'useqacontact' setting being + deactivated. + (bug 194394) + +- Fixed a situation where an attacker (with local access to the webserver) + could overwrite any file on the webserver to which the webserver user + has write access by creating appropriately named symbolic links in the + data and webdot directories (world-writable in many configurations). + Bugzilla now uses File::Temp to create secure temporary files. File::Temp + is part of the Perl distribution for Perl 5.6.1 and later, but if you're + using an older version of Perl you'll need to install it with CPAN. + (bug 197153) + +** IMPORTANT CHANGES *** + +- New module requirement: File::Temp, as mentioned above. + +*** Bug fixes of note *** + +- An issue was fixed in which administrator rights could be removed from an + administrator who deleted a product while the 'usebuggroups' setting is + activated. + (bug 157704) + +- Fixed an issue in which importxml.pl would fail the test suite when running + under perl 5.8.0 with the optional XML::Parse module. + (bug 172331) + +- There was previously a bug in CGI.pl in which the following warning + would be given under certain conditions: + "Character in "c" format wrapped at CGI.pl..." + This is now fixed. In some cases the warning was filling up web server log + files. + (bug 194125) + +- Fixed a bug in which long component names (in excess of 50 characters) would + be accepted when creating the component but would cause problems when trying + to use that component on a bug because it would get truncated. It is now no + longer possible to create components with names in excess of 50 characters. + (bug 197180) + +- Fixed a bug in checksetup.pl in which permissions were not being fixed + on the 'data/comments' file, the quip file. + (bug 160279) + +***************************************************************** +*** USERS UPGRADING FROM 2.16.1 OR EARLIER, 2.14.4 OR EARLIER *** +***************************************************************** + +*** SECURITY ISSUES RESOLVED *** + +- Fixed a cross site scriptability issue in quips. This is only a problem + if quips with HTML could have been inserted into your quips files. Bugzilla + has not allowed this since 2.12. + (bug 179329) +- checksetup.pl will now attempt to prevent access to "editor backups" of + localconfig. + (bug 186383) +- collectstats.pl no longer makes data/mining (which contains graphing + information) world writeable. + (bug 183188) + +*********************************************** +*** USERS UPGRADING FROM 2.16.0 OR EARLIER *** +*********************************************** + +*** SECURITY ISSUES RESOLVED *** + +- Apostrophes were not properly handled in email addresses. This was a + regression introduced in 2.16. It is not known whether this was + exploitable. + (bug 165221) + +See also next major section. + +*** Bug fixes of note *** + +- The VERSION cookie which allowed the previously entered version of a product + to be remembered was not correctly set. It was only set as a session + cookie, and under some circumstances could interfere with other cookies + (such as the login information) send at the same time. + (bug 160227) + +- importxml.pl would fail if the versioncache needed to be updated. + (bug 164464) + +- Bug changes going through intermediate pages would munge fields with + multiple fields, such as CCs. + (bug 161203) + +- On failure in template->new, Bugzilla will now die rather than futilely + attempt to use an error template. + (bug 166023) + +- Fixed a problem where checksetup had problems converting old installations + that didn't have a duplicates table. + (bug 151619) + +- Fixed a problem that caused taint errors when viewing or editing user + preferences with Perl 5.005 and Template 2.08. + (bug 160710) + +See also next section. + +****************************************************** +*** USERS UPGRADING FROM 2.16.0, 2.14.3 OR EARLIER *** +****************************************************** + +*** SECURITY ISSUES RESOLVED *** + +- When a new product is added to an installation with 47 groups or more and + "usebuggroups" is enabled, the new group will be assigned a groupset bit + using Perl math that is not exact beyond 2^48. This results in the new + group being defined with a "bit" that has several bits set. As users are + given access to the new group, those users will also gain access to + spurious lower group privileges. Also, group bits were not always reused + when groups were deleted. + (bug 167485) + +- The email interface had another insecure single parameter system call. This + could potentially allow arbitrary shell commands to be run. This file is + not supported at this time, but as long as we knew about the problem, we + couldn't overlook it. + (bug 163024) + +*** Bug fixes of note *** + +- The email interface was broken. This was a 2.14.3 regression. This file + is not supported at this time, but as long as we knew about the problem, we + couldn't overlook it. + (bug 160631) + +*********************************************** +*** USERS UPGRADING FROM 2.14.5 OR EARLIER *** +*********************************************** + +*** SECURITY ISSUES RESOLVED *** + +- The bug reporter could set the priority even when + 'letsubmitterchoosepriority' was off. + (bug 63018) + +- Most CGIs are now templatized. This helps to make it + easier to remember to HTML filter values and easier to spot + when they are not, preventing cross site scripting attacks. + (bug 86168) + +- Most CGIs now run in taint mode. This helps to prevent + failure to validate errors. + (bug 108982) + +*** IMPORTANT CHANGES *** + +- 2.16 introduces "templatization", a new feature that allows + administrators to easily customize the HTML output (the "look and feel") + of Bugzilla without altering Perl code. Bugzilla uses the + "Template Toolkit" for this. Please see the "Template Customization" + section of the Bugzilla Guide for more details. + + Administrators who ran the 2.15 development version with custom + templates should check the templates are still valid, as file names + and file paths have changed. + + Most output is now templatized. This process will be complete next + milestone. + + For speed, compiled templates are cached on disk. If you modify the + templates, the toolkit will normally detect the changes, and recompile the + changed templates. + + Adding new directories anywhere inside the template directory may cause + permission errors if you don't have a webservergroup specified in + localconfig. If you see these, rerun checksetup.pl as root. If you do not + have root access, or cannot get someone who does to do this for you, you can + rename the data/template directory to data/template.old (or any other name + Bugzilla doesn't use). Then rerun checksetup.pl to regenerate the compiled + templates. + (bug 86168, 97832) + +- Administrators can now configure maximum attachment sizes. These + should remain below the maximum size for your MySQL server, or you + will get obscure MySQL errors if you attach a bigger attachment. + + To find out the current size attachment that MySQL can accept, type + the command 'mysqladmin variables' and find out the value of the + 'max_allowed_packet' varible in bytes. + + To change the maximum size that MySQL can accept you can alter this + variable in your 'my.cnf' file. + (bug 91664) + +- Perl 5.004 is no longer supported because the Template Toolkit + requires 5.005. + (bug 97721) + +- New module requirements: Text::Wrap, Template [requires AppConfig], + File::Spec. + (bugs 97784, 84338, 103778) + +- The index page is now a CGI instead of an HTML page. You should remove + any existing index.html file and make sure your web server allows index.cgi + to be the default page in a directory. If you are not able to do that you + can instead set index_html in the 'localconfig' file to 1 and checksetup.pl + will create a redirect page for you. + (bug 80183) + +- It is now recommended that administrators run "processmail rescanall" + after upgrading to 2.16 or beyond. + + This will send out notification emails for changes that were + made but not emailed, due to Bugzilla bugs. All known + causes of this have been fixed in this version (bug 104589 and 99519). + + It is also recommended that this be run nightly to avoid + lengthy delays in future if this problem reoccurs. + (bug 106377) + +- In parallel with templatization, a lot of changes have been made to the HTML + output of the Bugzilla CGIs. This could break code that attempts to parse + such code. For example, this breaks mozbot. + (no bug number) + +- The "HTML template" parameters (headerhtml, bodyhtml, footerhtml, + errorhtml, bannerhtml, blurbhtml, mostfreqhtml, entryheaderhtml) have now + been moved to Template Toolkit templates. If you have modified these + parameters you will need to make corresponding changes to the corresponding + templates. Your old parameter values will be moved to a file called + old-params.txt by checksetup.pl. + + The old parameters correspond to files in template/en/default as follows: + + headerhtml: global/header.html.tmpl + footerhtml: global/footer.html.tmpl + bannerhtml: global/banner.html.tmpl + blurbhtml: global/banner.html.tmpl + mostfreqhtml: reports/duplicates*.html.tmpl + entryheaderhtml: bug/create/user-message.html.tmpl + + (bug 140437) + +*** Other changes of note *** + +- The query page has been redesigned for better user friendliness. + (bug 98707) +- Users can now change their email account. + (bug 23067) +- "Dependent Bug Changed" notification emails now contain the + dependent bug's summary and URL. + (bug 28736, 113383) +- Bugs with severity "critical", "blocker", and "enhancement" are + visually differentiated on bug lists for browsers with sufficient + CSS support. + (bug 28884) +- Bugzilla now has a sidebar for the Mozilla browser. + (bug 37339) +- A link to just created attachments now appears in notification + email. + (bug 66651) +- Comments now have numbers and can be referenced with + autohyperlinkifying similar to bugs. + (bug 71840) +- The attachment system has been rewritten, supporting new + "attachment statuses" (like keywords, but for attachments), + the ability to obsolete attachments, edit attachment MIME type, + and edit whether the attachment is a patch. + (bugs 84338, 75176) +- syncshadowdb now supports a configurable temp file location, + and properly shuts down Bugzilla while running. + (bug 75840) +- Dependency tree now lets you exclude resolved bugs and bugs + below a specified depth. + (bugs 83058) +- The "strictvaluechecks" parameter has gone away. These checks + are now always done. + (bug 119715) +- The midair collision page now shows all changes since the bug + page was loaded, not just the last one. + (bug 108312) +- Added support for making dependency graphs with 'dot', which + is better at creating complex graphs than 'webdot'. + (bug 120537) + +*** Bug fixes of note *** + +- Bugzilla scripts are now usually not terminated when the browser + window they are running in is closed. This caused hard to + reproduce bugs. + (bug 104589) +- On browsers that "reflow" the page, large component / milestone / + version fields were extremely slow to reflow when you altered + the product field. + (bug 96534) +- The selection in the component / milestone / version fields is + no longer lost when you change the selection in the product + field or use the back/forward buttons in your browser to return + to the page. + (bug 97966) +- You could not reverse dependencies in one step. + (bug 82143) +- Mass reassignment of non-open bugs will no longer reopen them. + (bug 30731) +- Attempting to bulk change no bugs will now give a user-friendly + error message. + (bug 90333) +- If you make a change to a bug where you only add yourself to CC, + email notifications are now properly sent out for MySQL 3.23. + (bug 99519) +- Bug entry now properly validates the data it has been sent. + (bug 107743) +- Midair collision checks will now properly work in all situations + where dependencies have changed. + (bug 73502) +- Browsers can no longer corrupt the params file if they use the "wrong" + end-of-line markers. + (bug 92500) +- The MySQL port defined in localconfig is now properly honoured. + (bug 98368) +- Apostrophes in component/milestone/version names no longer cause + a problem on the query page. + (bug 30689/42810) +- File attachment comments will now wrap. + (bug 52060) +- Saved queries are no longer mangled if you need to log in again, + for example if you had cookies off. + (bug 38835) +- Bug counts (on reports.cgi) were very slow if you had to + count a lot of bugs. + (bug 63249) +- 2.14 introduced options to let people see a bug when their name + is on it but who aren't in the groups the bug is restricted + to. These only allowed the people to view the bugs directly, + and not see them on buglists and receive email about them. + (bugs 95024, 97469) +- A new 'cookiepath' parameter on editparams.cgi allows multiple + Bugzilla installations to exist on one host without problems. + (bug 19910) +- whineatnews.pl now respects the 'sendmailnow' parameter. + (bug 52782) +- The query page came up even when Bugzilla was shut down. + (bug 121747) +- Quicksearch gave a weird error message when Bugzilla was + shut down. + (bug 121741) +- Operating system detection fixes. + (bugs 92763, 135666) +- QA contacts now receive emails when a new bug is created and + their only email preference was being added or removed from QA. + (bug 143091) + +*********************************************** +*** USERS UPGRADING FROM 2.14.4 OR EARLIER *** +*********************************************** + +See section above about users upgrading from 2.16.1 or earlier, +2.14.4 or earlier. + +*********************************************** +*** USERS UPGRADING FROM 2.14.3 OR EARLIER *** +*********************************************** + +See section above about users upgrading from 2.16.0 or earlier. + +*********************************************** +*** USERS UPGRADING FROM 2.14.2 OR EARLIER *** +*********************************************** + +*** SECURITY ISSUES RESOLVED *** + +- Basic maintenance on contrib/bug_email.pl and + contrib/bugzilla_email_append.pl which also fixes a + possible security hole with a misuse of a system() call. + These files are not supported at this time, but as long + as we knew about the problem, we couldn't overlook it. + (bug 154008) + +*** Bug fixes of note *** + +- The fix for bug 130821 in 2.14.2 broke being able to sort + bug lists on more than one field. buglist.cgi now allows + you to sort on more than one field again. + (bug 152138) + +*********************************************** +*** USERS UPGRADING FROM 2.14.1 OR EARLIER *** +*********************************************** + +*** SECURITY ISSUES RESOLVED *** + +- queryhelp.cgi no longer shows confidential products to + people it shouldn't. + (bug 126801) + +- It was possible for a user to bypass the IP check by + setting up a fake reverse DNS, if the Bugzilla web server + was configured to do reverse DNS lookups. Apache is not + configured as such by default. This is not a complete + exploit, as the user's login cookie would also need to + be divulged for this to be a problem. + (bug 129466) + +- In some situations the data directory became world writeable. + (bug 134575) + +- Any user with access to editusers.cgi could delete a user + regardless of whether 'allowuserdeletion' is on. + (bug 141557) + +- Real names were not HTML filtered, causing possible cross + site scripting attacks. + (bug 146447, 147486) + +- Mass change would set the groupset of every bug to be the + groupset of the first bug. + (bug 107718) + +- Some browsers (eg NetPositive) interacted with Bugzilla + badly and could have various form problems, including + removing group restrictions on bugs. + (bug 148674) + +- It was possible for random confidential information to be + divulged, if the shadow database was in use and became + corrupted. + (bug 92263) + +- The bug list sort order is now stricter about the SQL it will accept, + ensuring you use correct column name syntax. Before this, there were + some syntax checks, so it is not known whether this problem was + exploitable. + (bug 130821) + +******************************************** +*** USERS UPGRADING FROM 2.14 OR EARLIER *** +******************************************** + +The 2.14.1 release fixes several security issues that became +known to us after the Bugzilla 2.14 release. + +*** SECURITY ISSUES RESOLVED *** + +- If LDAP Authentication was being used, Bugzilla would allow + you to log in as anyone if you left the password blank. + (bug 54901) + +- It was possible to add comments or file a bug as someone else + by editing the HTML on the appropriate submission page before + submitting the form. User identity is checked now, and the + form values suggesting the user are now ignored. + (bug 108385, 108516) + +- The Product popup menu on the show_bug form listed all + products, even if the user didn't have access to all of them. + It now only shows products the user has access to (and the + product the bug is in, if the user is viewing it because of + some other override). + (bug 102141) + +- If a user had any blessgroupset privileges (the ability to + change only specific privileges for other users), it was + possible to change your own groupset (privileges) by + altering the page HTML before submitting on editusers.cgi. + (bug 108821) + +- An untrusted variable was echoed back to user in the HTML + output if there was a login error while editing votes. + (bug 98146) + +- buglist.cgi had an undocumented parameter that allowed you + to pass arbitrary SQL for the "WHERE" part of a query. + This has been disabled. + (bug 108812) + +- It was possible for a user to send arbitrary SQL by inserting + single quotes in the "mybugslink" field in the user + preferences. + (bug 108822) + +- buglist.cgi was not validating that the field names being + passed from the "boolean chart" query form were valid field + names, thus allowing arbitrary SQL to be inserted if you + edited the HTML by hand before submitting the form. + (bug 109679) + +- long_list.cgi was not validating that the bug ID parameter + was actually a number, allowing arbitrary SQL to be inserted + if you edited the HTML by hand. + (bug 109690) + +******************************************** +*** USERS UPGRADING FROM 2.12 OR EARLIER *** +******************************************** + +*** SECURITY ISSUES RESOLVED *** + +- Multiple instances of unauthorized access to confidential + bugs have been fixed. + (bug 39524, 39526, 39527, 39531, 39533, 70189, 82781) + +- Multiple instances of untrusted parameters not being + checked/escaped was fixed. These included definite security + holes. + (bug 38854, 38855, 38859, 39536, 87701, 95235) + +- After logging in passwords no longer appear in the URL. + (bug 15980) + +- Procedures to prevent unauthorized access to confidential + files are now simpler. In particular the shadow directory + no longer exists and the data/comments file no longer needs + to be directly accessible, so the entire data directory can + be blocked. However, no changes are required here if you + have a properly secured 2.12 installation as no new files + must be protected. + (bug 71552, 73191) + +- If they do not already exist, checksetup.pl will attempt to + write Apache .htaccess files by default, to prevent + unauthorized access to confidential files. You can turn this + off in the localconfig file. + (bug 76154) + +- Sanity check can now only be run by people in the 'editbugs' + group. Although it would be better to have a separate + group, this is not possible until the limitation on the + number of groups allowed has been removed. + (bug 54556) + +- The password is no longer stored in plaintext form. It will + be eradicated next time you run checksetup.pl. A user must + now change their password via a password change request that + gets validated at their e-mail account, rather than have it + mailed to them. + (bug 74032) + +- When you are using product groups and you move a bug between + products (single or mass change), the bug will no longer be + restricted to the old product's group (if it was) and will + be restricted to the new product's group. + (bug 66235) + +- There are now options on a bug to choose whether the + reporter, and CCs can access a bug even if they aren't in + groups the bug it is restricted to. + (bug 39816) + +- You can no longer mark a bug as a duplicate of a bug you + can't see, and if you mark a bug a duplicate of a bug + the reporter cannot see you will be given options as to + what to do regarding adding the reporter of the resolved + bug to the CC of the open bug. + (bug 96085) + +*** IMPORTANT CHANGES *** + +- Bugzilla 2.14 no longer supports old email tech. Upon + upgrading, all users will be moved over to new email tech. + This should speed up upgrading for installations with + a large number of bugs. + (bug 71552) + +- There is new functionality for people to see why they are + receiving notification mails. + + Previously, some people filtered old email tech + notifications depending on whether they were in the To or the + CC header, in order to get a limited way of determining why + they were receiving the notification for filtering purposes. + + Existing installations will need to make changes to support + this feature. The receive reasons can be added to the + notifications as a header and/or in the body. To add these + you will need to modify your newchangedmail parameter on + editparams.cgi, either by resetting it or appropriately + modifying it. The header value is specified by + %reasonsheader% and the body by %reasonsbody%. For example, + the new default parameter is: + + -------------------------------------------------- + From: bugzilla-daemon + To: %to% + Subject: [Bug %bugid%] %neworchanged%%summary% + X-Bugzilla-Reason: %reasonsheader% + + %urlbase%show_bug.cgi?id=%bugid% + + %diffs% + + + + %reasonsbody% + -------------------------------------------------- + + (bug 26194) + +- Very long fields (especially multi-valued fields like keywords, + CCs, dependencies) on bug activity and notifications previously + could get truncated, resulting in useless notifications and data + loss on bug activity. Now the multi-valued fields only show + changes, and very big changes are split into multiple lines. + Where data loss has already occurred on bug activity, it is + indicated using question marks. + (bug 55161, 92266) + +- Previously, when a product's voting preferences changed all + votes were removed from all the bugs in the product. Also, + when a bug was moved to another product, all of its votes + were removed. This no longer occurs. + + Instead, if the action would leave one or more bugs with + greater than the maximum number of votes per person per bug, + the number of votes will be reduced to the maximum. The + person will still be notified of this as before. + + If the action would leave a user with more votes in a product + than is allowed, the limit will be breached so as to not lose + votes. However the user will not be able to update their + votes except to fix this situation. No further action is taken + in this version to make sure that the user does this. + (bug 28882, 92593) + +*** Other changes of note *** + +- Groups can now be marked inactive, so you can't add a new + restriction on that group to a bug, while leaving bugs that + were previously restricted on that group alone. + (bug 75482) +- backdoor.cgi has been removed from the installation. It was + old code that was Netscape-specific and its name was scaring + people. + (bug 87983) +- You can now add or remove from CC on the bulk change page. + (bug 12819) +- New users created by administrators are now automatically + inserted into groups according to the group's regular + expression. Administrators must edit the user in a second + step to override these choices. Previously the + administrator specified these explicitly which could lead + to incorrect settings. + (bug 45164) +- The userregexp of system groups can now be edited without + resorting to direct database access. + (bug 65290) + +*** Bug fixes of note *** + +- The bug list page was sometimes bringing up a not logged in + footer when the user was logged in and the installation was + using a shadow database. + (bug 47914) +- You can now view the bug summary in your browser title for + a group-restricted bug if you have proper permissions. + (bug 71767) +- Quick search for search terms did not work in IE5. + This has been worked around. + (bug 77699) +- Quick search for search terms crashed NN4.76/4.77 for Unix. + This has been worked around. + (bug 83619) +- Queries on bugs you have commented on using the "added + comment" feature should be a lot faster and not time out + on large installations due to the addition of an index. + (bug 57350) +- You can now alter group settings on bulk change for groups + that aren't on for all bugs or off for all bugs. + (bug 84714) +- New bug notifications now include the CC and QA fields. + (bug 28458) +- Bugzilla is now more Windows friendly, although it is still + not an official platform. + (bug 88179, 29064) +- Passwords are now encrypted using Perl's encrypt function. + This makes Bugzilla more portable to more operating systems. + (bug 77473) +- Bugzilla didn't properly shut down when told to - some + queries could still be sent to the database. + (bug 95082) + +******************************************** +*** USERS UPGRADING FROM 2.10 OR EARLIER *** +******************************************** + +*** SECURITY ISSUES RESOLVED *** + +- Some security holes have been fixed where shell escape characters + could be passed to Bugzilla, allowing remote users to execute + system commands on the web server. + +*** IMPORTANT CHANGES *** + +- There is now a facility for users to choose the sort of + notifications they wish to receive. This facility will + probably be improved in future versions. + (bug 17464) + +- "Changed" will no longer appear on the subject line of + change notification emails. Because of this, you should + change the subject line in your 'changedmail' and + 'newchangedmail' params on editparams.cgi. The subject + line needs to be changed from + + Subject: [Bug %bugid%] %neworchanged% - %summary% + + to: + + Subject: [Bug %bugid%] %neworchanged%%summary% + + or whatever is appropriate for the subject you are using + on your system. Note the removal of the " - " in the + middle. + (bug 29820) + +*** Other changes of note *** + +- Bug titles now appear in the page title, and will hence + display in the user's browser's bookmarks and history. + (bug 22041) +- Edit groups functionality (editgroups.cgi). + (bug 25010) +- Support for moving bugs to other Bugzilla databases. + (bug 36133) +- Bugzilla now can generate a frequently reported bugs list + based on what duplicates you receive. + (bug 25693) +- When installing Bugzilla fresh, the administrator account is + now created in checksetup.pl. + (bug 17773) +- Stored queries now show their name above the bug list, which + helps the user when they have multiple bug lists in multiple + browser windows. It also appears in the page title, and will + hence display in the user's browser's bookmarks and history. + (bug 52228) +- All states and resolutions can now be collected for charting. + (bug 6682) +- A new search-engine-like "quick search" feature appears on + the front page to try and making searching easier. + (bug 69793) +- Querying on dependencies now works in the advanced query + section of the query page. + (bug 30823) +- When a bug is marked as a duplicate, the reporter of the + resolved bug is automatically added to the CC list of the + open bug. + (bug 28676) + +*** Bug fixes of note *** + +- Notification emails will now always be sent to QA contacts. + Previously they wouldn't if you were using new email tech. + (bug 30826) +- When marking a bug as a duplicate, the duplicate stamp marked + on the open bug will no longer be written too early (such as + on mid-air collisions). + (bug 7873) +- Various bug fixes were made to the initial assignee and QA + of a component. It is no longer possible to enter an + invalid address. They will also now properly update when + a user's email address is changed. Sanity check will now + check these. + (bug 66876) +- Administrators can no longer create an email accounts that do + not match the global email regular expression parameter. + Previously this could occur and would cause sanity check + errors. + (bug 32971) +- The resolution field can no longer become empty when the + bug is resolved. This occurred because of midair collisions. + (bug 49306) + +******************************************* +*** USERS UPGRADING FROM 2.8 OR EARLIER *** +******************************************* + +This version of Bugzilla cannot upgrade from version 2.8 (released +November 19, 1999). You will first have to upgrade to Bugzilla 3.6 and +then upgrade to the latest release. + +If you are upgrading from a version earlier than 2.8, See the +PGRADING-pre-2.8 file in Bugzilla 3.0 for information +on upgrading from a version that is earlier than 2.8. |