From 2ffc3562d5c9d6859cfbadb2e748dca27e999a91 Mon Sep 17 00:00:00 2001 From: "jake%acutex.net" <> Date: Fri, 4 Apr 2008 11:47:33 +0000 Subject: Updating release notes for 2.14 Release Notes written by Matthew Tuck r= justdave@syndicomm.com, jake@acutex.net --- docs/en/rel_notes.txt | 291 +++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 238 insertions(+), 53 deletions(-) diff --git a/docs/en/rel_notes.txt b/docs/en/rel_notes.txt index 81807ef4f..ad97cb65a 100644 --- a/docs/en/rel_notes.txt +++ b/docs/en/rel_notes.txt @@ -1,6 +1,10 @@ -There has not been a Bugzilla release for a while, but -development has continued, and the Bugzilla team is proud -to announce release of Bugzilla 2.12. +After many hours of banging heads against brick walls and +much imbibed caffeine, the Bugzilla team is proud to +announce Bugzilla 2.14. + +This release is primarily a security release, in order to +rectify security issues. However, some other important +changes were made. Recommended Practice For The Upgrade ------------------------------------ @@ -19,28 +23,233 @@ contains more errors after an upgrade, it doesn't necessarily mean there are more errors in your database, as it is likely they weren't being checked for in the old version. -New email tech for email notifications is now recommended. -Old email tech will probably be removed in Bugzilla 2.14. -It is strongly recommended that you turn on the newemailtech -and newemailtechdefault options on the Edit Parameters page -(editparams.cgi), so new accounts will use new email tech. - -If you wish, you may move all old accounts over to new email -tech by executing the following SQL statement in MySQL: - - UPDATE profiles SET newemailtech = '1'; +Administrators must make sure that certain files are +inaccessible or confidential information might become +available to enterprising individuals. This includes the +localconfig file and the entire data directory. Please +see the Bugzilla Guide for more information. -About This Version ------------------- +************************** +*** ABOUT THIS VERSION *** +************************** Bugs referenced in the following text are bug numbers on bugzilla.mozilla.org. *** IMPORTANT CHANGES *** -- There is now a facility for new email tech users to choose - the sort of notifications they wish to receive. This - facility will probably be improved in future versions. +- Bugzilla 2.14 no longer supports old email tech. Upon + upgrading, all users will be moved over to new email tech. + This should speed up upgrading for installations with + a large number of bugs. + (bug 71552) + +- There is new functionality for people to see why they are + receiving notification mails. + + Previously, some people filtered old email tech + notifications depending on whether they were in the To or the + CC header, in order to get a limited way of determining why + they were receiving the notification for filtering purposes. + + Existing installations will need to make changes to support + this feature. The receive reasons can be added to the + notifications as a header and/or in the body. To add these + you will need to modify your newchangedmail parameter on + editparams.cgi, either by resetting it or appropriately + modifying it. The header value is specified by + %reasonsheader% and the body by %reasonsbody%. For example, + the new default parameter is: + + -------------------------------------------------- + From: bugzilla-daemon + To: %to% + Subject: [Bug %bugid%] %neworchanged%%summary% + X-Bugzilla-Reason: %reasonsheader% + + %urlbase%show_bug.cgi?id=%bugid% + + %diffs% + + + + %reasonsbody% + -------------------------------------------------- + + (bug 26194) + +- Very long fields (especially multi-valued fields like keywords, + CCs, dependencies) on bug activity and notifications previously + could get truncated, resulting in useless notifications and data + loss on bug activity. Now the multi-valued fields only show + changes, and very big changes are split into multiple lines. + Where data loss has already occurred on bug activity, it is + indicated using question marks. + (bug 55161, 92266) + +- Previously, when a product's voting preferences changed all + votes were removed from all the bugs in the product. Also, + when a bug was moved to another product, all of its votes + were removed. This no longer occurs. + + Instead, if the action would leave one or more bugs with + greater than the maximum number of votes per person per bug, + the number of votes will be reduced to the maximum. The + person will still be notified of this as before. + + If the action would leave a user with more votes in a product + than is allowed, the limit will be breached so as to not lose + votes. However the user will not be able to update their + votes except to fix this situation. No further action is taken + in this version to make sure that the user does this. + (bug 28882, 92593) + +*** SECURITY ISSUES RESOLVED *** + +- Multiple instances of unauthorised access to confidential + bugs has been fixed. + (bug 39524, 39526, 39527, 39531, 39533, 70189, 82781) +- Multiple instances of untrusted parameters not being + checked/escaped was fixed. These included definite security + holes. + (bug 38854, 38855, 38859, 39536, 87701, 95235) +- After logging in passwords no longer appear in the URL. + (bug 15980) +- Procedures to prevent unauthorised access to confidential + files are now simpler. In particular the shadow directory + no longer exists and the data/comments file no longer needs + to be directly accessible, so the entire data directory can + be blocked. However, no changes are required here if you + have a properly secured 2.12 installation as no new files + must be protected. + (bug 71552, 73191) +- If they do not already exist, checksetup.pl will attempt to + write Apache .htaccess files by default, to prevent + unauthorised access to confidential files. You can turn this + off in the localconfig file. + (bug 76154) +- Sanity check can now only be run by people in the 'editbugs' + group. Although it would be better to have a separate + group, this is not possible until the limitation on the + number of groups allowed has been removed. + (bug 54556) +- The password is no longer stored in plaintext form. It will + be eradicated next time you run checksetup.pl. A user must + now change their password via a password change request that + gets validated at their e-mail account, rather than have it + mailed to them. + (bug 74032) +- When you using product groups and you move a bug between + products (single or mass change), the bug will no longer be + restricted to the old product's group (if it was) and will + be restricted to the new product's group. + (bug 66235) +- There are now options on a bug to choose whether the + reporter, assignee, QA and CCs can access a bug even if + they aren't in groups the bug it is restricted to. + (bug 39816) +- You can no longer mark a bug as a duplicate of a bug you + can't see, and if you mark a bug a duplicate of a bug + the reporter cannot see you will be given options as to + what to do regarding adding the reporter of the resolved + bug to the CC of the open bug. + (bug 96085) + +*** Other changes of note *** + +- Groups can now be marked inactive, so you can't add a new + restriction on that group to a bug, while leaving bugs that + were previously restricted on that group alone. + (bug 75482) +- backdoor.cgi has been removed from the installation. It was + old code that was Netscape-specific and its name was scaring + people. + (bug 87983) +- You can now add or remove from CC on the bulk change page. + (bug 12819) +- New users created by administrators are now automatically + inserted into groups according to the group's regular + expression. Administrators must edit the user in a second + step to override these choices. Previously the + administrator specified these explicitly which could lead + to incorrect settings. + (bug 45164) +- The userregexp of system groups can now be edited without + resorting to direct database access. + (bug 65290) + + +*** Bug fixes of note *** + +- The bug list page was sometimes bringing up a not logged in + footer when the user was logged in and the installation was + using a shadow database. + (bug 47914) +- You can now view the bug summary in your browser title for + a group-restricted bug if you have proper permissions. + (bug 71767) +- Quick search for search terms did not work in IE5. + This has been worked around. + (bug 77699) +- Quick search for search terms crashed NN4.76/4.77 for Unix. + This has been worked around. + (bug 83619) +- Queries on bugs you have commented on using the "added + comment" feature should be a lot faster and not time out + on large installations due to the addition of an index. + (bug 57350) +- You can now alter group settings on bulk change for groups + that aren't on for all bugs or off for all bugs. + (bug 84714) +- New bug notifications now include the CC and QA fields. + (bug 28458) +- Bugzilla is now more Windows friendly, although it is still + not an official platform. + (bug 88179, 29064) +- Passwords are now encrypted using Perl's encrypt function. + This makes Bugzilla more portable to more operating systems. + (bug 77473) +- Bugzilla didn't properly shut down when told to - some + queries could still be sent to the database. + (bug 95082) + +*** Outstanding issues of note *** + +- Bug counts (on reports.cgi) can be very slow if you have to + count a lot of bugs. In this case the connection can time + out before the page finishes loading. Extending the cgi + timeout on your web server might help this situation. + (bug 63249) +- Renaming or removing keywords will not update the "keyword + cache", and queries on keywords may not work properly, until + you rebuild the cache on the sanity check page + (sanitycheck.cgi). The changer will receive a warning to do + this when altering the keyword. + (bug 69621) +- Email notifications will not work out of the box if you are + using Postfix, Exim or possibly other non-SendMail mail + transfer agents, as Bugzilla sends mail by default in + "deferred" mode using the "-ODeliveryMode=deferred" command + line option, which needs to be supported by the sendmail + program. To fix this, you can turn on the "sendmailnow" + parameter on the Edit Parameters page (editparams.cgi). + (bug 50159) +- The new options to let people see a bug when their name + is on it but who aren't in the groups the bug is restricted + to only allow people to view bugs if they know the bug number. + It still will not show up in these people's buglists and + they will not receive email about changes to the bugs. + (bugs 95024, 97469) + +********************************************************** +*** USERS UPGRADING FROM 2.10 OR EARLIER - 2.12 ISSUES *** +********************************************************** + +*** IMPORTANT CHANGES *** + +- There is now a facility for users to choose the sort of + notifications they wish to receive. This facility will + probably be improved in future versions. (bug 17464) - "Changed" will no longer appear on the subject line of @@ -97,10 +306,11 @@ bugzilla.mozilla.org. open bug. (bug 28676) + *** Bug fixes of note *** -- Notification emails using new email tech will now be sent to - QA contacts. +- Notification emails will now always be sent to QA contacts. + Previously they wouldn't if you were using new email tech. (bug 30826) - When marking a bug as a duplicate, the duplicate stamp marked on the open bug will no longer be written too early (such as @@ -113,43 +323,18 @@ bugzilla.mozilla.org. check these. (bug 66876) - Administrators can no longer create an email accounts that do - not match the global email regexp parameter. Previously this - would cause sanity check errors. + not match the global email regular expression parameter. + Previously this could occur and would cause sanity check + errors. (bug 32971) - The resolution field can no longer become empty when the bug is resolved. This occurred because of midair collisions. (bug 49306) -*** Outstanding issues of note *** - -- Bug counts (on reports.cgi) can be very slow if you have to - count a lot of bugs. In this case the connection can time - out before the page finishes loading. Extending the cgi - timeout on your web server might help this situation. - (bug 63249) -- Administrators must make sure that certain files are - properly inaccessible or confidential information might become - available to enterprising individuals. This includes the - localconfig file, the entire shadow directory and the entire - data directory except for data/comments (the quips file). - (bug 65572) -- Renaming or removing keywords will not update the "keyword - cache", and queries on keywords may not work properly, until - you rebuild the cache on the sanity check page - (sanitycheck.cgi). The changer will receive a warning to do - this when altering the keyword. - (bug 69621) -- Email notifications will not work out of the box if you are - using Postfix, Exim or possibly other non-SendMail mail - transfer agents, as Bugzilla sends mail by default in - "deferred" mode using the "-ODeliveryMode=deferred" command - line option, which needs to be supported by the sendmail - program. To fix this, you can turn on the "sendmailnow" - parameter on the Edit Parameters page (editparams.cgi). - (bug 50159) - - - - +******************************************* +*** USERS UPGRADING FROM 2.8 OR EARLIER *** +******************************************* +Release notes were not compiled for versions of Bugzilla before +2.12. -- cgit v1.2.3-24-g4f1b