summaryrefslogtreecommitdiffstats
path: root/docs/rel_notes.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/rel_notes.txt')
-rw-r--r--docs/rel_notes.txt1338
1 files changed, 1303 insertions, 35 deletions
diff --git a/docs/rel_notes.txt b/docs/rel_notes.txt
index e9302db1f..f6d986073 100644
--- a/docs/rel_notes.txt
+++ b/docs/rel_notes.txt
@@ -1,22 +1,87 @@
-***************************************
-*** The Bugzilla 2.18 Release Notes ***
-***************************************
+*****************************************
+*** The Bugzilla 2.18.1 Release Notes ***
+*****************************************
+
+Table of Contents
+*****************
+
+- Introduction
+- Important Updates In This Point Release
+ * Version 2.18.1
+- Requirements
+ * Dependency Requirements
+- What's New?
+ * Generic Reporting
+ * Generic Charting
+ * Request System
+ * Enterprise Group Support
+ * User Wildcard Matching
+ * Support for "Insiders"
+ * Time Tracking
+ * Authentication module/LDAP improvements
+ * Improved localization support
+ * Patch Viewer
+ * Comment Reply Links
+ * Full-Text Search
+ * Email Address Munging
+ * Simple Search
+ * Miscellaneous Improvements
+ * All Changes
+- What's Changed?
+ * Flag Names
+ * New Saved Search User Interface
+ * Rules for changing fields
+- Removed Features
+- Code Changes Which May Affect Customizations
+- Recommended Practice for the Upgrade
+ * Note About Upgrading From MySQL With ISAM Tables
+ * Steps for Upgrading
+- Outstanding Issues (<======================== IMPORTANT, PLEASE READ)
+- Security Fixes In 2.18 Releases
+- Detailed Version-To-Version Release Notes
+
Introduction
************
-This document contains the release notes for Bugzilla 2.18. In this document
-recently added, changed, and removed features of Bugzilla are described.
+This document contains the release notes for Bugzilla 2.18 and
+the bugfix releases after 2.18. In this document, recently added,
+changed, and removed features of Bugzilla are described.
+
+The 2.18 release is our current stable series, containing the results
+of over two years of hard and dedicated work by volunteers all over
+the world under the lead of Dave Miller.
+
+
+Important Updates In This Point Release
+***************************************
-The 2.18 release is the first in a new stable series, containing the results
-of over two years of hard and dedicated work by volunteers all over the world
-under the lead of Dave Miller.
+There are usually many other bug fixes than those listed below,
+but the below fixes are the ones that we thought System Administrators
+would like to specifically know about.
-This is a preliminary document detailing how we expect things to be in the
-final 2.18 release. The contents of this document are subject to change up
-until the final release. Please file bugs in Bugzilla for any additions or
-corrections needed in this document.
+To see a listing of all changes in this release, you can use the
+table available at:
+http://www.bugzilla.org/status/changes.html
+
+Version 2.18.1
+--------------
+
++ You can now enter a negative time for "Hours Worked"
+ in the time-tracking area. (Bug 271276)
+
++ The BugMail.pm customization required for Windows (as
+ described in the Bugzilla Guide) now actually works. (Bug 280911)
+
++ Users who were using Bugzilla 2.8 can now successfully upgrade
+ to 2.18.1 (they couldn't upgrade to 2.18). (Bug 283403)
+
++ Dependency mails are now properly sent during a mass-change of bugs.
+ (Bug 178157)
+
+Requirements
+************
Dependency Requirements
-----------------------
@@ -71,6 +136,31 @@ way. These views may be more appropriate for particular data types, and are
suitable for saving and then putting into presentations or web pages.
+Generic Charting
+----------------
+
+Bugzilla has a new mechanism for generating charts (graphs over time) of any
+arbitrary search. This is known as "New Charts." Legacy data from the previous
+charting mechanism ("Old Charts") is migrated into the "New Charts" when you
+upgrade. The Old Charts mechanism remains, but is deprecated and will be
+removed in a future version of Bugzilla.
+
+Individual users can see/create charts as long as they are a member of the
+group specified in the Param 'chartgroup'. Data can be collected for
+personal charts every seven days (or a longer period, as set by the user).
+Charts created by an administrator can be made public (visible to all). Data
+is collected for administrator charts every day (or a longer period, as set
+by the admin).
+
+The data is collected by the collectstats.pl script, which an administrator
+will need to arrange to be run once every day (see the manual). Chart data can
+be plotted in a number of different ways, and different data sets can be
+plotted on the same graph for comparison.
+
+Please see the Known Bugs section for some important limitations relating to
+access controls on charts.
+
+
Request System
---------------
@@ -211,11 +301,11 @@ Bugzilla's buglists. This change adds HTML obfuscation of email addresses as
they appear in the Bugzilla web pages.
-Generic Charting
-----------------
+Google-like Bug Search
+----------------------
-Bugzilla's new charting feature allows you to display flexible summary charts,
-based on configurable data sets (bug 16009).
+Bugzilla now includes a very simple, Google-like "Find a Specific Bug" page,
+in addition to its advanced search page.
Miscellaneous Improvements
@@ -260,6 +350,23 @@ Miscellaneous Improvements
- Mail handling is now between 125% to 175% faster.
+- Guided Bug Entry: You can see a sample enter_bug.cgi template at
+ enter_bug.cgi?format=guided that "guides" users through the process of
+ filing a "good" bug. It needs to be modified before use in your organization.
+
+- There is now a "Give me some help" link on the Advanced Search page that will
+ enable pop-up help for every field on the page.
+
+- The Bugzilla administrator can now forbid users from marking bugs RESOLVED
+ when there are unresolved dependencies.
+
+
+All Changes
+-----------
+
+To see a list of EVERY bug that was fixed between 2.16 and 2.18 (over 1000),
+see: http://tinyurl.com/6m3e4
+
What's Changed?
***************
@@ -279,6 +386,17 @@ running checksetup will attempt to automatically rename them by
replacing commas and spaces with underscores.
+New Saved Search User Interface
+-------------------------------
+
+In previous Bugzilla versions, you could specify on the search page that you
+wanted to save a search and store it as a link in your footer. This option has
+now moved to the search results page (buglist.cgi), where you will see a
+"Remember search" button with a box next to it to enter the name of the search.
+
+You can manage your saved searches on the Preferences page.
+
+
Rules for changing fields
-------------------------
@@ -355,6 +473,19 @@ The effective differences in the rules:
to the 'everconfirmed' flag.
+Removed Features
+****************
+
+- Please note that Bugzilla no longer supports MySQL 3.22. The minimum required
+ version is now 3.23.41.
+
+- The "shadow database" mechanism is no longer used. Instead, use MySQL's
+ built-in replication feature.
+
+- If you have placed any comments in the localconfig file, they may be removed
+ by checksetup.pl.
+
+
Code Changes Which May Affect Customizations
********************************************
@@ -381,32 +512,1169 @@ Code Changes Which May Affect Customizations
- Use Bugzilla->user->login in place of $::COOKIE{Bugzilla_login}
-- You can tell if there's a user logged in or not by checking if
- Bugzilla->user->id != 0 rather than looking for $::userid != 0
+- You can tell if there's a user logged in or not by using
+ Bugzilla->user rather than looking for $::userid==0.
+ In new 2.18 code, use defined(Bugzilla->user) && (Bugzilla->user->id)
+ In 2.20, this will become just (Bugzilla->user->id)
+ In templates, always test [% IF user.id %] rather than [% IF user %]
+
+- SendSQL() and related calls are deprecated, and the various $dbh methods
+ should be used instead, such as $dbh->prepare() and $dbh->execute().
+ Bugzilla->dbh is the $dbh handle to use.
Recommended Practice for the Upgrade
************************************
-As always, please ensure you have run checksetup.pl after replacing the
-files in your installation.
+Note About Upgrading From MySQL With ISAM Tables
+------------------------------------------------
+As previously noted in the Dependency Requirements MySQL is now required
+to be at least version 3.23.41. This implies that all tables of type ISAM will
+be converted by the checksetup.pl script to MyISAM.
+
+
+Steps for Upgrading
+-------------------
+
+1) View the Sanity Check (sanitycheck.cgi) page on your installation before
+ upgrading.
+
+2) As with any upgrade it is recommended that you make a backup of the
+ Bugzilla database before you upgrade, perhaps by using mysqldump.
+
+ Example:
+
+ mysqldump -u root -p --databases bugs > bugs.db.backup
+
+3) Replace the files in your installation, or you can try to use CVS to upgrade.
+ The Bugzilla.org website has instructions on how to do the actual
+ installation.
-It is recommended that you view the sanity check page (sanitycheck.cgi) both
-before the upgrade and after running checksetup.pl after the upgrade, to see
-if there are any problems with your installation.
+4) Make sure that you run checksetup.pl after you install the new version.
-It is also recommended that, if possible, you fix any problems you find
-immediately. Failure to do this may mean that Bugzilla will not work correctly.
-Be aware that if the sanity check page contains more errors after an upgrade,
-it doesn't necessarily mean there are more errors in your database, as
-additional tests are added to the sanity check over time, and it is possible
-that those errors weren't being checked for in the old version.
+5) View the Sanity Check page again after you run checksetup.pl.
-As previously noted in the Dependency Requirements MySQL is now required to be
-at least version 3.23.41. This implies that all tables of type ISAM will be
-converted by the checksetup.pl script to MyISAM. As with any upgrade it is
-recommended to make a backup of the database, perhaps by using mysqldump.
+6) It is recommended that, if possible, you fix any problems you find
+ immediately. Failure to do this may mean that Bugzilla will not work
+ correctly. Be aware that if the sanity check page contains more errors after
+ an upgrade, it doesn't necessarily mean there are more errors in your
+ database, as additional tests are added to the sanity check over time, and
+ it is possible that those errors weren't being checked for in the old
+ version.
+
+
+Outstanding Issues
+******************
+
+These are known problems with the release that we think you should know about.
+They each have a bug number for http://bugzilla.mozilla.org/
+
+- If at any time you upgraded from a version of Bugzilla between 2.17.4 -
+ 2.17.7 to either 2.18rc3 or 2.19.1, you must manually fix your New Charts in
+ order for them to work. See the following link for instructions on how to do
+ this: https://bugzilla.mozilla.org/show_bug.cgi?id=276237#c18
+ If you are using 2.18rc3, but did not upgrade from version 2.17.4 or newer,
+ then you don't need to do this.
+
+- bug 37765: If you use an MTA other than sendmail (such as Postfix, Exim,
+ etc.) you MUST turn on the "sendmailnow" parameter or Bugzilla will not send
+ e-mail correctly.
+
+- bug 276230: The support for restricting access to particular Categories of
+ New Charts is not complete. You should treat the 'chartgroup' Param as the
+ only access mechanism available. However, additionally, charts migrated from
+ Old Charts will be restricted to the groups that are marked MANDATORY for
+ the corresponding Product. There is currently no way to change this
+ restriction, and the groupings will not be updated if the group configuration
+ for the Product changes.
+
+- bug 69621: If you rename or remove a keyword that is in use on bugs, you will
+ need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing
+ the option to rebuild the cache when it asks. Otherwise keywords may not show
+ up properly in search results.
+
+- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for
+ example, if you use a translation of Bugzilla), don't enable the XS::Stash
+ option when you install the Template Toolkit, or your Bugzilla installation
+ may become slow. This problem is fixed in a not-yet-released version of the
+ Template Toolkit (after 2.14).
+
+- bug 266579: Users may be able to circumvent not having "canconfirm" privileges
+ in some circumstances. This is fixed starting with 2.19.3, but will not
+ be fixed in any 2.18 release, as the changes require to fix it are quite
+ large.
+
+- bug 99215: Attachment changes have no mid-air collision detection, unlike bug
+ changes.
+
+- bug 57350: Searching using the "commenter is" option may be VERY slow. Note
+ that searching for "field: comment, changed by: user@domain.com" is fast,
+ though.
+
+- bug 151509: Using the boolean chart option "contains the string" with the
+ "flag name" field or certain other fields will cause Bugzilla to emit an
+ error.
+
+- bug 225042: If sendmail dies while you are marking a bug as a duplicate,
+ the duplicates table can become corrupted.
+
+- bug 234159: Bugzilla may sometimes send multiple notices in one email.
+
+- bug 237107: If you search for attachment information using the Boolean Charts
+ at the bottom of the Advanced Query page, bugs without attachments will not
+ show up in the result list.
+
+
+Security Fixes In 2.18 Releases
+*******************************
+
+Version 2.18
+------------
+
+Summary: XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3
+CVE Name: CAN-2004-1061
+Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=272620
+Details:
+ It is possible to send a carefully crafted URL to Bugzilla designed to
+trigger an error message. The Internal Error message includes javascript code
+which displays the URL the user is visiting. The javascript code does not
+escape the URL before displaying it, allowing scripts contained in the URL to
+be executed by the browser. Many browsers do not allow unescaped URLs to be
+sent to a webserver (thus complying with RFC 2616 section 2.3.1 and RFC 2396
+section 2.4.3), and are thus immune to this issue.
+ Browsers which are known to be immune: Firefox 1.0, Mozilla 1.7.5,
+Camino 0.8.2, Netscape 7.2, Safari 1.2.4
+ Browsers known to be susceptible: Internet Explorer 6 SP2,
+Konqueror 3.2
+ Browsers not listed here have not been tested.
+
+
+Version 2.18.1
+--------------
+
+Two security issues were fixed in Bugzilla 2.18.1, neither of them
+critical.
+
+See http://www.bugzilla.org/security/2.16.8/ for details.
+
+
+Detailed Version-To-Version Release Notes
+*****************************************
+
+*********************************************************
+*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.7 ***
+*********************************************************
+
+*** Security fixes ***
+
+- It is possible to send a carefully crafted HTTP POST message to
+ process_bug.cgi which will remove keywords from a bug even if you don't have
+ permissions to edit all bug fields (the "editbugs" permission). Such changes
+ are reported in "bug changed" email notifications, so they are easily
+ detected and reversed if someone abuses it. Users are now prevented from
+ making changes to keywords if they do not have editbugs privileges. (bug
+ 252638)
+
+*** Bug fixes of note ***
+
+- Enforce a minimum of 10 minutes between attempts to reset a password, so
+ we don't mailbomb the user if someone submits the form many times in a
+ row. (bug 250897)
+
+- Put products in alphabetical order on the create attachment status page.
+ (bug 251427)
+
+- Specify MyISAM as the table type when creating new tables. MySQL 4.1 and
+ up default to InnoDB, which doesn't support some of the indexing methods
+ that we use. (bug 263165)
+
+*********************************************************
+*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.6 ***
+*********************************************************
+
+*** Security fixes ***
+
+- If Bugzilla is configured to hide entire products from some users, both
+ duplicates.cgi and the form for mass-editing a list of bugs in buglist.cgi
+ can disclose the names of those hidden products to such users.
+ (bugs 234825 and 234855)
+
+- Several administration CGIs echo invalid data back to the user without
+ escaping it. (bug 235265)
+
+- A user with privileges to grant membership to any group (i.e. usually an
+ administrator) can trick editusers.cgi into executing arbitrary SQL.
+ (bug 244272)
+
+*** Bug fixes of note ***
+
+- Allow XML import to function when there are regexp metacharacters in product
+ names (bug 237591)
+
+- Allow the bug_email.pl contrib script to work with useqacontact (bug 239912)
+
+- Improve the error message used by checksetup.pl when the MySQL requirements
+ are not met (bug 240228)
+
+- Elimnate the warning in checksetup.pl about the minimum sendmail version (bug
+ 240060)
+
+- $webservergroup now defaults to group 'apache' in new installations (bug
+ 224477)
+
+- Correct a situation where a bugmail message could be sent twice to a user
+ being added to the CC list if the address was entered in a different case
+ than the user registered with. (bug 117297)
+
+- Various documentation updates
+
+*********************************************************
+*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.4 ***
+*********************************************************
+
+*** Bug fixes of note ***
+
+- Fix a "used only once" warning that ocurred only in perl 5.00503
+ (bug 2321691)
+
+- When a user is creating a new account and enters an invalid email
+ address, the error page sent the "Content-type" header twice, causing
+ the second one to be visible at the top of the page.
+ (bug 137121)
+
+- An HTML encoding issue which only affected Internet Explorer was
+ corrected in the "Change several bugs at once" page.
+ (bug 181106)
+
+- During initial setup, using invalid characters in the administrator
+ password would present an error message stating your password was
+ too long or too short instead of telling you it had invalid
+ characters.
+ (bug 166755)
+
+- When a user reset their own password via an emailed token, the new
+ password in the first field would be accepted if the second password
+ field was left blank.
+ (bug 123077)
+
+- Reopening bugs from the "change several bugs at once" page now works.
+ (bug 95430)
+
+- Fix a regression in xml.cgi caused by the previous bugfix for MySQL
+ SUM() changes. The original fix didn't work properly either.
+ (bug 225474)
+
+- No longer use server push with the "Safari" browser, which claims to
+ use the Mozilla layout engine but doesn't.
+ (bug 188712)
+
+- Creating a shadow database no longer fails with taint mode errors.
+ (bug 227510)
+
+- If you change your cookiepath setting at some stage (because you have
+ moved the directory Bugzilla resides on your webserver), users can
+ have login cookies with the old cookiepath, and their browsers will
+ send multiple logincookies. Bugzilla now uses the first rather than
+ the last in order to get the most specific cookie which will be the
+ correct one.
+ (bug 121419)
+
+- Fixed a regression caused by the previous DBD::mysql fixes, that
+ caused older versions of DBD::mysql to break due to not supporting
+ the new DBI syntax.
+ (bug 224815)
+
+- Bugzilla no longer sends out invalid dates for cookie expiry. This
+ bug had no known user visible ramifications.
+ (bug 228706)
+
+- Update the shadow database parameters description to tell the user
+ about permissions requirements for creating a shadow database.
+ (bug 227513)
+
+- Various documentation updates.
+
+*********************************************************
+*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.3 ***
+*********************************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- A user with 'editproducts' privileges (i.e. usually an administrator)
+ can select arbitrary SQL to be run by the nightly statistics cron job
+ (collectstats.pl), by giving a product a special name.
+ (bug 214290)
+
+- A user with 'editkeywords' privileges (i.e. usually an administrator)
+ can inject arbitrary SQL via the URL used to edit an existing keyword.
+ (bug 219044)
+
+- When deleting products and the 'usebuggroups' parameter is on, the
+ privilege which allows someone to add people to the group which is
+ being deleted does not get removed, allowing people with that
+ privilege to get that privilege for the next group that is created
+ which reuses that group ID. Note that this only allows someone who
+ had been granted privileges in the past to retain them.
+ (bug 219690)
+
+- If you know the email address of someone who has voted on a secure
+ bug, you can access the summary of that bug even if you do not have
+ sufficient permissions to view the bug itself.
+ (bug 209376)
+
+*** Bug fixes of note ***
+
+Perl 5.8.0 Compatibility fixes:
+
+- Two taint errors were fixed, one in process_bug.cgi, and
+ another in post_bug.cgi.
+ (bugs 220332 and 177828)
+
+MySQL 4.0 Compatibility fixes:
+
+- A cosmetic fix was applied to votes.cgi (if there were no
+ votes, the "0" was not displayed) due to a change in semantics
+ in SUM() in MySQL 4.0.
+ (bug 217422)
+
+DBD::mysql > 2.1026 Compatibility fixes:
+
+- DBD::mysql versions after 2.1026 return the table list quoted, which
+ broke the existing "table exists" check in checksetup.pl, which caused
+ the second and subsequent attempts to run checksetup.pl to fail.
+ (bug 212095)
+
+Miscellaneous bug fixes:
+
+- A Mozilla-specific reference was removed from one of the report
+ templates.
+ (bug 221626)
+
+- It was possible to enter a situation where you were unable to get to
+ editparams.cgi to turn the shutdownhtml param back off after you
+ turned it on when Apache was configured to run Bugzilla in suexec
+ mode.
+ (bug 213384)
+
+- The processmail rescanall task would not send e-mails about more than
+ one bug to the same address.
+ (bug 219508)
+
+- If Bugzilla hadn't been accessed in the last hour when the
+ collectstats.pl or whineatnews.pl cron jobs ran, the versioncache
+ would get recreated with the file owner being the user the cron job
+ was running as (usually not the webserver user), causing subsequent
+ access to Bugzilla by the webserver to fail until the permissions were
+ fixed. Now if versioncache isn't readable when accessing from the
+ webserver, we pretend it doesn't exist and recreate it again.
+ (bug 160422)
+
+- The 'sendmailnow' param is now on by default in new installations
+ (this does not affect existing installations).
+ (bug 146087)
+
+- The 008filter.t test would fail if you had multiple language packs
+ installed. It now properly tests all of the installed language packs.
+ (bug 203318)
+
+- A few minor documentation changes were committed.
+
+*********************************************************
+*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.2 ***
+*********************************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- A cross site scripting (XSS) vulnerability was fixed in which bug
+ summaries were not properly filtered when a user viewed a dependency graph
+ allowing JavaScript to be embedded on that page.
+ (bug 192661)
+
+- Several XSS vulnerabilities were fixed in which user
+ input was not escaped when being displayed. A new
+ test has been added to warn about unfiltered data in template
+ files (t/008filter.t).
+ (bug 192677)
+
+- An issue was fixed in which the QA contact was still treated as the QA
+ contact even after the 'useqacontact' setting was turned off. This also
+ allowed the QA contact to edit the security groups and view secured bugs that
+ he/she was allowed to access prior to the 'useqacontact' setting being
+ deactivated.
+ (bug 194394)
+
+- Fixed a situation where an attacker (with local access to the webserver)
+ could overwrite any file on the webserver to which the webserver user
+ has write access by creating appropriately named symbolic links in the
+ data and webdot directories (world-writable in many configurations).
+ Bugzilla now uses File::Temp to create secure temporary files. File::Temp
+ is part of the Perl distribution for Perl 5.6.1 and later, but if you're
+ using an older version of Perl you'll need to install it with CPAN.
+ (bug 197153)
+
+** IMPORTANT CHANGES ***
+
+- New module requirement: File::Temp, as mentioned above.
+
+*** Bug fixes of note ***
+
+- An issue was fixed in which administrator rights could be removed from an
+ administrator who deleted a product while the 'usebuggroups' setting is
+ activated.
+ (bug 157704)
+
+- Fixed an issue in which importxml.pl would fail the test suite when running
+ under perl 5.8.0 with the optional XML::Parse module.
+ (bug 172331)
+
+- There was previously a bug in CGI.pl in which the following warning
+ would be given under certain conditions:
+ "Character in "c" format wrapped at CGI.pl..."
+ This is now fixed. In some cases the warning was filling up web server log
+ files.
+ (bug 194125)
+
+- Fixed a bug in which long component names (in excess of 50 characters) would
+ be accepted when creating the component but would cause problems when trying
+ to use that component on a bug because it would get truncated. It is now no
+ longer possible to create components with names in excess of 50 characters.
+ (bug 197180)
+
+- Fixed a bug in checksetup.pl in which permissions were not being fixed
+ on the 'data/comments' file, the quip file.
+ (bug 160279)
+
+*****************************************************************
+*** USERS UPGRADING FROM 2.16.1 OR EARLIER, 2.14.4 OR EARLIER ***
+*****************************************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- Fixed a cross site scriptability issue in quips. This is only a problem
+ if quips with HTML could have been inserted into your quips files. Bugzilla
+ has not allowed this since 2.12.
+ (bug 179329)
+- checksetup.pl will now attempt to prevent access to "editor backups" of
+ localconfig.
+ (bug 186383)
+- collectstats.pl no longer makes data/mining (which contains graphing
+ information) world writeable.
+ (bug 183188)
+
+***********************************************
+*** USERS UPGRADING FROM 2.16.0 OR EARLIER ***
+***********************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- Apostrophes were not properly handled in email addresses. This was a
+ regression introduced in 2.16. It is not known whether this was
+ exploitable.
+ (bug 165221)
+
+See also next major section.
+
+*** Bug fixes of note ***
+
+- The VERSION cookie which allowed the previously entered version of a product
+ to be remembered was not correctly set. It was only set as a session
+ cookie, and under some circumstances could interfere with other cookies
+ (such as the login information) send at the same time.
+ (bug 160227)
+
+- importxml.pl would fail if the versioncache needed to be updated.
+ (bug 164464)
+
+- Bug changes going through intermediate pages would munge fields with
+ multiple fields, such as CCs.
+ (bug 161203)
+
+- On failure in template->new, Bugzilla will now die rather than futilely
+ attempt to use an error template.
+ (bug 166023)
+
+- Fixed a problem where checksetup had problems converting old installations
+ that didn't have a duplicates table.
+ (bug 151619)
+
+- Fixed a problem that caused taint errors when viewing or editing user
+ preferences with Perl 5.005 and Template 2.08.
+ (bug 160710)
+
+See also next section.
+
+******************************************************
+*** USERS UPGRADING FROM 2.16.0, 2.14.3 OR EARLIER ***
+******************************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- When a new product is added to an installation with 47 groups or more and
+ "usebuggroups" is enabled, the new group will be assigned a groupset bit
+ using Perl math that is not exact beyond 2^48. This results in the new
+ group being defined with a "bit" that has several bits set. As users are
+ given access to the new group, those users will also gain access to
+ spurious lower group privileges. Also, group bits were not always reused
+ when groups were deleted.
+ (bug 167485)
+
+- The email interface had another insecure single parameter system call. This
+ could potentially allow arbitrary shell commands to be run. This file is
+ not supported at this time, but as long as we knew about the problem, we
+ couldn't overlook it.
+ (bug 163024)
+
+*** Bug fixes of note ***
+
+- The email interface was broken. This was a 2.14.3 regression. This file
+ is not supported at this time, but as long as we knew about the problem, we
+ couldn't overlook it.
+ (bug 160631)
+
+***********************************************
+*** USERS UPGRADING FROM 2.14.5 OR EARLIER ***
+***********************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- The bug reporter could set the priority even when
+ 'letsubmitterchoosepriority' was off.
+ (bug 63018)
+
+- Most CGIs are now templatised. This helps to make it
+ easier to remember to HTML filter values and easier to spot
+ when they are not, preventing cross site scripting attacks.
+ (bug 86168)
+
+- Most CGIs now run in taint mode. This helps to prevent
+ failure to validate errors.
+ (bug 108982)
+
+*** IMPORTANT CHANGES ***
+
+- 2.16 introduces "templatisation", a new feature that allows
+ administrators to easily customise the HTML output (the "look and feel")
+ of Bugzilla without altering Perl code. Bugzilla uses the
+ "Template Toolkit" for this. Please see the "Template Customisation"
+ section of the Bugzilla Guide for more details.
+
+ Administrators who ran the 2.15 development version and customised
+ templates should check the templates are still valid, as file names
+ and file paths have changed.
+
+ Most output is now templatised. This process will be complete next
+ milestone.
+
+ For speed, compiled templates are cached on disk. If you modify the
+ templates, the toolkit will normally detect the changes, and recompile the
+ changed templates.
+
+ Adding new directories anywhere inside the template directory may cause
+ permission errors if you don't have a webservergroup specified in
+ localconfig. If you see these, rerun checksetup.pl as root. If you do not
+ have root access, or cannot get someone who does to do this for you, you can
+ rename the data/template directory to data/template.old (or any other name
+ Bugzilla doesn't use). Then rerun checksetup.pl to regenerate the compiled
+ templates.
+ (bug 86168, 97832)
+
+- Administrators can now configure maximum attachment sizes. These
+ should remain below the maximum size for your MySQL server, or you
+ will get obscure MySQL errors if you attach a bigger attachment.
+
+ To find out the current size attachment that MySQL can accept, type
+ the command 'mysqladmin variables' and find out the value of the
+ 'max_allowed_packet' varible in bytes.
+
+ To change the maximum size that MySQL can accept you can alter this
+ variable in your 'my.cnf' file.
+ (bug 91664)
+
+- Perl 5.004 is no longer supported because the Template Toolkit
+ requires 5.005.
+ (bug 97721)
+
+- New module requirements: Text::Wrap, Template [requires AppConfig],
+ File::Spec.
+ (bugs 97784, 84338, 103778)
+
+- The index page is now a CGI instead of an HTML page. You should remove
+ any existing index.html file and make sure your web server allows index.cgi
+ to be the default page in a directory. If you are not able to do that you
+ can instead set index_html in the 'localconfig' file to 1 and checksetup.pl
+ will create a redirect page for you.
+ (bug 80183)
+
+- It is now recommended that administrators run "processmail rescanall"
+ after upgrading to 2.16 or beyond.
+
+ This will send out notification emails for changes that were
+ made but not emailed, due to Bugzilla bugs. All known
+ causes of this have been fixed in this version (bug 104589 and 99519).
+
+ It is also recommended that this be run nightly to avoid
+ lengthy delays in future if this problem reoccurs.
+ (bug 106377)
+
+- In parallel with templatisation, a lot of changes have been made to the HTML
+ output of the Bugzilla CGIs. This could break code that attempts to parse
+ such code. For example, this breaks mozbot.
+ (no bug number)
+
+- The "HTML template" parameters (headerhtml, bodyhtml, footerhtml,
+ errorhtml, bannerhtml, blurbhtml, mostfreqhtml, entryheaderhtml) have now
+ been moved to Template Toolkit templates. If you have modified these
+ parameters you will need to make corresponding changes to the corresponding
+ templates. Your old parameter values will be moved to a file called
+ old-params.txt by checksetup.pl.
+
+ The old parameters correspond to files in template/en/default as follows:
+
+ headerhtml: global/header.html.tmpl
+ footerhtml: global/footer.html.tmpl
+ bannerhtml: global/banner.html.tmpl
+ blurbhtml: global/banner.html.tmpl
+ mostfreqhtml: reports/duplicates*.html.tmpl
+ entryheaderhtml: bug/create/user-message.html.tmpl
+
+ (bug 140437)
+
+*** Other changes of note ***
+
+- The query page has been redesigned for better user friendliness.
+ (bug 98707)
+- Users can now change their email account.
+ (bug 23067)
+- "Dependent Bug Changed" notification emails now contain the
+ dependent bug's summary and URL.
+ (bug 28736, 113383)
+- Bugs with severity "critical", "blocker", and "enhancement" are
+ visually differentiated on bug lists for browsers with sufficient
+ CSS support.
+ (bug 28884)
+- Bugzilla now has a sidebar for the Mozilla browser.
+ (bug 37339)
+- A link to just created attachments now appears in notification
+ email.
+ (bug 66651)
+- Comments now have numbers and can be referenced with
+ autohyperlinkifying similar to bugs.
+ (bug 71840)
+- The attachment system has been rewritten, supporting new
+ "attachment statuses" (like keywords, but for attachments),
+ the ability to obsolete attachments, edit attachment MIME type,
+ and edit whether the attachment is a patch.
+ (bugs 84338, 75176)
+- syncshadowdb now supports a configurable temp file location,
+ and properly shuts down Bugzilla while running.
+ (bug 75840)
+- Dependency tree now lets you exclude resolved bugs and bugs
+ below a specified depth.
+ (bugs 83058)
+- The "strictvaluechecks" parameter has gone away. These checks
+ are now always done.
+ (bug 119715)
+- The midair collision page now shows all changes since the bug
+ page was loaded, not just the last one.
+ (bug 108312)
+- Added support for making dependency graphs with 'dot', which
+ is better at creating complex graphs than 'webdot'.
+ (bug 120537)
+
+*** Bug fixes of note ***
+
+- Bugzilla scripts are now usually not terminated when the browser
+ window they are running in is closed. This caused hard to
+ reproduce bugs.
+ (bug 104589)
+- On browsers that "reflow" the page, large component / milestone /
+ version fields were extremely slow to reflow when you altered
+ the product field.
+ (bug 96534)
+- The selection in the component / milestone / version fields is
+ no longer lost when you change the selection in the product
+ field or use the back/forward buttons in your browser to return
+ to the page.
+ (bug 97966)
+- You could not reverse dependencies in one step.
+ (bug 82143)
+- Mass reassignment of non-open bugs will no longer reopen them.
+ (bug 30731)
+- Attempting to bulk change no bugs will now give a user-friendly
+ error message.
+ (bug 90333)
+- If you make a change to a bug where you only add yourself to CC,
+ email notifications are now properly sent out for MySQL 3.23.
+ (bug 99519)
+- Bug entry now properly validates the data it has been sent.
+ (bug 107743)
+- Midair collision checks will now properly work in all situations
+ where dependencies have changed.
+ (bug 73502)
+- Browsers can no longer corrupt the params file if they use the "wrong"
+ end-of-line markers.
+ (bug 92500)
+- The MySQL port defined in localconfig is now properly honoured.
+ (bug 98368)
+- Apostrophes in component/milestone/version names no longer cause
+ a problem on the query page.
+ (bug 30689/42810)
+- File attachment comments will now wrap.
+ (bug 52060)
+- Saved queries are no longer mangled if you need to log in again,
+ for example if you had cookies off.
+ (bug 38835)
+- Bug counts (on reports.cgi) were very slow if you had to
+ count a lot of bugs.
+ (bug 63249)
+- 2.14 introduced options to let people see a bug when their name
+ is on it but who aren't in the groups the bug is restricted
+ to. These only allowed the people to view the bugs directly,
+ and not see them on buglists and receive email about them.
+ (bugs 95024, 97469)
+- A new 'cookiepath' parameter on editparams.cgi allows multiple
+ Bugzilla installations to exist on one host without problems.
+ (bug 19910)
+- whineatnews.pl now respects the 'sendmailnow' parameter.
+ (bug 52782)
+- The query page came up even when Bugzilla was shut down.
+ (bug 121747)
+- Quicksearch gave a weird error message when Bugzilla was
+ shut down.
+ (bug 121741)
+- Operating system detection fixes.
+ (bugs 92763, 135666)
+- QA contacts now receive emails when a new bug is created and
+ their only email preference was being added or removed from QA.
+ (bug 143091)
+
+***********************************************
+*** USERS UPGRADING FROM 2.14.4 OR EARLIER ***
+***********************************************
+
+See section above about users upgrading from 2.16.1 or earlier,
+2.14.4 or earlier.
+
+***********************************************
+*** USERS UPGRADING FROM 2.14.3 OR EARLIER ***
+***********************************************
+
+See section above about users upgrading from 2.16.0 or earlier.
+
+***********************************************
+*** USERS UPGRADING FROM 2.14.2 OR EARLIER ***
+***********************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- Basic maintenance on contrib/bug_email.pl and
+ contrib/bugzilla_email_append.pl which also fixes a
+ possible security hole with a misuse of a system() call.
+ These files are not supported at this time, but as long
+ as we knew about the problem, we couldn't overlook it.
+ (bug 154008)
+
+*** Bug fixes of note ***
+
+- The fix for bug 130821 in 2.14.2 broke being able to sort
+ bug lists on more than one field. buglist.cgi now allows
+ you to sort on more than one field again.
+ (bug 152138)
+
+***********************************************
+*** USERS UPGRADING FROM 2.14.1 OR EARLIER ***
+***********************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- queryhelp.cgi no longer shows confidential products to
+ people it shouldn't.
+ (bug 126801)
+
+- It was possible for a user to bypass the IP check by
+ setting up a fake reverse DNS, if the Bugzilla web server
+ was configured to do reverse DNS lookups. Apache is not
+ configured as such by default. This is not a complete
+ exploit, as the user's login cookie would also need to
+ be divulged for this to be a problem.
+ (bug 129466)
+
+- In some situations the data directory became world writeable.
+ (bug 134575)
+
+- Any user with access to editusers.cgi could delete a user
+ regardless of whether 'allowuserdeletion' is on.
+ (bug 141557)
+
+- Real names were not HTML filtered, causing possible cross
+ site scripting attacks.
+ (bug 146447, 147486)
+
+- Mass change would set the groupset of every bug to be the
+ groupset of the first bug.
+ (bug 107718)
+
+- Some browsers (eg NetPositive) interacted with Bugzilla
+ badly and could have various form problems, including
+ removing group restrictions on bugs.
+ (bug 148674)
+
+- It was possible for random confidential information to be
+ divulged, if the shadow database was in use and became
+ corrupted.
+ (bug 92263)
+
+- The bug list sort order is now stricter about the SQL it will accept,
+ ensuring you use correct column name syntax. Before this, there were
+ some syntax checks, so it is not known whether this problem was
+ exploitable.
+ (bug 130821)
+
+********************************************
+*** USERS UPGRADING FROM 2.14 OR EARLIER ***
+********************************************
+
+The 2.14.1 release fixes several security issues that became
+known to us after the Bugzilla 2.14 release.
+
+*** SECURITY ISSUES RESOLVED ***
+
+- If LDAP Authentication was being used, Bugzilla would allow
+ you to log in as anyone if you left the password blank.
+ (bug 54901)
+
+- It was possible to add comments or file a bug as someone else
+ by editing the HTML on the appropriate submission page before
+ submitting the form. User identity is checked now, and the
+ form values suggesting the user are now ignored.
+ (bug 108385, 108516)
+
+- The Product popup menu on the show_bug form listed all
+ products, even if the user didn't have access to all of them.
+ It now only shows products the user has access to (and the
+ product the bug is in, if the user is viewing it because of
+ some other override).
+ (bug 102141)
+
+- If a user had any blessgroupset privileges (the ability to
+ change only specific privileges for other users), it was
+ possible to change your own groupset (privileges) by
+ altering the page HTML before submitting on editusers.cgi.
+ (bug 108821)
+
+- An untrusted variable was echoed back to user in the HTML
+ output if there was a login error while editing votes.
+ (bug 98146)
+
+- buglist.cgi had an undocumented parameter that allowed you
+ to pass arbitrary SQL for the "WHERE" part of a query.
+ This has been disabled.
+ (bug 108812)
+
+- It was possible for a user to send arbitrary SQL by inserting
+ single quotes in the "mybugslink" field in the user
+ preferences.
+ (bug 108822)
+
+- buglist.cgi was not validating that the field names being
+ passed from the "boolean chart" query form were valid field
+ names, thus allowing arbitrary SQL to be inserted if you
+ edited the HTML by hand before submitting the form.
+ (bug 109679)
+
+- long_list.cgi was not validating that the bug ID parameter
+ was actually a number, allowing arbitrary SQL to be inserted
+ if you edited the HTML by hand.
+ (bug 109690)
+
+********************************************
+*** USERS UPGRADING FROM 2.12 OR EARLIER ***
+********************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- Multiple instances of unauthorised access to confidential
+ bugs has been fixed.
+ (bug 39524, 39526, 39527, 39531, 39533, 70189, 82781)
+
+- Multiple instances of untrusted parameters not being
+ checked/escaped was fixed. These included definite security
+ holes.
+ (bug 38854, 38855, 38859, 39536, 87701, 95235)
+
+- After logging in passwords no longer appear in the URL.
+ (bug 15980)
+
+- Procedures to prevent unauthorised access to confidential
+ files are now simpler. In particular the shadow directory
+ no longer exists and the data/comments file no longer needs
+ to be directly accessible, so the entire data directory can
+ be blocked. However, no changes are required here if you
+ have a properly secured 2.12 installation as no new files
+ must be protected.
+ (bug 71552, 73191)
+
+- If they do not already exist, checksetup.pl will attempt to
+ write Apache .htaccess files by default, to prevent
+ unauthorised access to confidential files. You can turn this
+ off in the localconfig file.
+ (bug 76154)
+
+- Sanity check can now only be run by people in the 'editbugs'
+ group. Although it would be better to have a separate
+ group, this is not possible until the limitation on the
+ number of groups allowed has been removed.
+ (bug 54556)
+
+- The password is no longer stored in plaintext form. It will
+ be eradicated next time you run checksetup.pl. A user must
+ now change their password via a password change request that
+ gets validated at their e-mail account, rather than have it
+ mailed to them.
+ (bug 74032)
+
+- When you are using product groups and you move a bug between
+ products (single or mass change), the bug will no longer be
+ restricted to the old product's group (if it was) and will
+ be restricted to the new product's group.
+ (bug 66235)
+
+- There are now options on a bug to choose whether the
+ reporter, and CCs can access a bug even if they aren't in
+ groups the bug it is restricted to.
+ (bug 39816)
+
+- You can no longer mark a bug as a duplicate of a bug you
+ can't see, and if you mark a bug a duplicate of a bug
+ the reporter cannot see you will be given options as to
+ what to do regarding adding the reporter of the resolved
+ bug to the CC of the open bug.
+ (bug 96085)
+
+*** IMPORTANT CHANGES ***
+
+- Bugzilla 2.14 no longer supports old email tech. Upon
+ upgrading, all users will be moved over to new email tech.
+ This should speed up upgrading for installations with
+ a large number of bugs.
+ (bug 71552)
+
+- There is new functionality for people to see why they are
+ receiving notification mails.
+
+ Previously, some people filtered old email tech
+ notifications depending on whether they were in the To or the
+ CC header, in order to get a limited way of determining why
+ they were receiving the notification for filtering purposes.
+
+ Existing installations will need to make changes to support
+ this feature. The receive reasons can be added to the
+ notifications as a header and/or in the body. To add these
+ you will need to modify your newchangedmail parameter on
+ editparams.cgi, either by resetting it or appropriately
+ modifying it. The header value is specified by
+ %reasonsheader% and the body by %reasonsbody%. For example,
+ the new default parameter is:
+
+ --------------------------------------------------
+ From: bugzilla-daemon
+ To: %to%
+ Subject: [Bug %bugid%] %neworchanged%%summary%
+ X-Bugzilla-Reason: %reasonsheader%
+
+ %urlbase%show_bug.cgi?id=%bugid%
+
+ %diffs%
+
+
+
+ %reasonsbody%
+ --------------------------------------------------
+
+ (bug 26194)
+
+- Very long fields (especially multi-valued fields like keywords,
+ CCs, dependencies) on bug activity and notifications previously
+ could get truncated, resulting in useless notifications and data
+ loss on bug activity. Now the multi-valued fields only show
+ changes, and very big changes are split into multiple lines.
+ Where data loss has already occurred on bug activity, it is
+ indicated using question marks.
+ (bug 55161, 92266)
+
+- Previously, when a product's voting preferences changed all
+ votes were removed from all the bugs in the product. Also,
+ when a bug was moved to another product, all of its votes
+ were removed. This no longer occurs.
+
+ Instead, if the action would leave one or more bugs with
+ greater than the maximum number of votes per person per bug,
+ the number of votes will be reduced to the maximum. The
+ person will still be notified of this as before.
+
+ If the action would leave a user with more votes in a product
+ than is allowed, the limit will be breached so as to not lose
+ votes. However the user will not be able to update their
+ votes except to fix this situation. No further action is taken
+ in this version to make sure that the user does this.
+ (bug 28882, 92593)
+
+*** Other changes of note ***
+
+- Groups can now be marked inactive, so you can't add a new
+ restriction on that group to a bug, while leaving bugs that
+ were previously restricted on that group alone.
+ (bug 75482)
+- backdoor.cgi has been removed from the installation. It was
+ old code that was Netscape-specific and its name was scaring
+ people.
+ (bug 87983)
+- You can now add or remove from CC on the bulk change page.
+ (bug 12819)
+- New users created by administrators are now automatically
+ inserted into groups according to the group's regular
+ expression. Administrators must edit the user in a second
+ step to override these choices. Previously the
+ administrator specified these explicitly which could lead
+ to incorrect settings.
+ (bug 45164)
+- The userregexp of system groups can now be edited without
+ resorting to direct database access.
+ (bug 65290)
+
+*** Bug fixes of note ***
+
+- The bug list page was sometimes bringing up a not logged in
+ footer when the user was logged in and the installation was
+ using a shadow database.
+ (bug 47914)
+- You can now view the bug summary in your browser title for
+ a group-restricted bug if you have proper permissions.
+ (bug 71767)
+- Quick search for search terms did not work in IE5.
+ This has been worked around.
+ (bug 77699)
+- Quick search for search terms crashed NN4.76/4.77 for Unix.
+ This has been worked around.
+ (bug 83619)
+- Queries on bugs you have commented on using the "added
+ comment" feature should be a lot faster and not time out
+ on large installations due to the addition of an index.
+ (bug 57350)
+- You can now alter group settings on bulk change for groups
+ that aren't on for all bugs or off for all bugs.
+ (bug 84714)
+- New bug notifications now include the CC and QA fields.
+ (bug 28458)
+- Bugzilla is now more Windows friendly, although it is still
+ not an official platform.
+ (bug 88179, 29064)
+- Passwords are now encrypted using Perl's encrypt function.
+ This makes Bugzilla more portable to more operating systems.
+ (bug 77473)
+- Bugzilla didn't properly shut down when told to - some
+ queries could still be sent to the database.
+ (bug 95082)
+
+********************************************
+*** USERS UPGRADING FROM 2.10 OR EARLIER ***
+********************************************
-Example:
+*** SECURITY ISSUES RESOLVED ***
+
+- Some security holes have been fixed where shell escape characters
+ could be passed to Bugzilla, allowing remote users to execute
+ system commands on the web server.
+
+*** IMPORTANT CHANGES ***
+
+- There is now a facility for users to choose the sort of
+ notifications they wish to receive. This facility will
+ probably be improved in future versions.
+ (bug 17464)
+
+- "Changed" will no longer appear on the subject line of
+ change notification emails. Because of this, you should
+ change the subject line in your 'changedmail' and
+ 'newchangedmail' params on editparams.cgi. The subject
+ line needs to be changed from
+
+ Subject: [Bug %bugid%] %neworchanged% - %summary%
+
+ to:
+
+ Subject: [Bug %bugid%] %neworchanged%%summary%
+
+ or whatever is appropriate for the subject you are using
+ on your system. Note the removal of the " - " in the
+ middle.
+ (bug 29820)
+
+*** Other changes of note ***
+
+- Bug titles now appear in the page title, and will hence
+ display in the user's browser's bookmarks and history.
+ (bug 22041)
+- Edit groups functionality (editgroups.cgi).
+ (bug 25010)
+- Support for moving bugs to other Bugzilla databases.
+ (bug 36133)
+- Bugzilla now can generate a frequently reported bugs list
+ based on what duplicates you receive.
+ (bug 25693)
+- When installing Bugzilla fresh, the administrator account is
+ now created in checksetup.pl.
+ (bug 17773)
+- Stored queries now show their name above the bug list, which
+ helps the user when they have multiple bug lists in multiple
+ browser windows. It also appears in the page title, and will
+ hence display in the user's browser's bookmarks and history.
+ (bug 52228)
+- All states and resolutions can now be collected for charting.
+ (bug 6682)
+- A new search-engine-like "quick search" feature appears on
+ the front page to try and making searching easier.
+ (bug 69793)
+- Querying on dependencies now works in the advanced query
+ section of the query page.
+ (bug 30823)
+- When a bug is marked as a duplicate, the reporter of the
+ resolved bug is automatically added to the CC list of the
+ open bug.
+ (bug 28676)
+
+*** Bug fixes of note ***
+
+- Notification emails will now always be sent to QA contacts.
+ Previously they wouldn't if you were using new email tech.
+ (bug 30826)
+- When marking a bug as a duplicate, the duplicate stamp marked
+ on the open bug will no longer be written too early (such as
+ on mid-air collisions).
+ (bug 7873)
+- Various bug fixes were made to the initial assignee and QA
+ of a component. It is no longer possible to enter an
+ invalid address. They will also now properly update when
+ a user's email address is changed. Sanity check will now
+ check these.
+ (bug 66876)
+- Administrators can no longer create an email accounts that do
+ not match the global email regular expression parameter.
+ Previously this could occur and would cause sanity check
+ errors.
+ (bug 32971)
+- The resolution field can no longer become empty when the
+ bug is resolved. This occurred because of midair collisions.
+ (bug 49306)
+
+*******************************************
+*** USERS UPGRADING FROM 2.8 OR EARLIER ***
+*******************************************
+
+Release notes were not compiled for versions of Bugzilla before
+2.12.
+
+The file 'UPGRADING-pre-2.8' contains instructions you may
+need to perform in addition to running 'checksetup.pl' if you
+are running a pre 2.8 version.
- mysqldump -u root -p --databases bugs > bugs.db.backup