From e5daf5788336ccbf910ecaf9cf6463ef0ed7081c Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 15 Apr 2014 23:53:26 +0200
Subject: Bug 996168: Release notes for Bugzilla 4.2.8 r=dkl a=justdave

---
 template/en/default/pages/release-notes.html.tmpl | 31 +++++++++++++++++++++++
 1 file changed, 31 insertions(+)

(limited to 'template/en')

diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
index ebc08afb1..c91dd77a7 100644
--- a/template/en/default/pages/release-notes.html.tmpl
+++ b/template/en/default/pages/release-notes.html.tmpl
@@ -53,6 +53,37 @@
 
 <h2 id="v42_point">Updates in this 4.2.x Release</h2>
 
+<h3>4.2.8</h3>
+
+<p>This release fixes one minor security issue. See the
+  <a href="http://www.bugzilla.org/security/4.0.11/">Security Advisory</a>
+  for details.</p>
+
+<p>In addition, the following [% terms.bugs %] have been fixed in this release:</p>
+
+<ul>
+  <li><kbd>checksetup.pl</kbd> was incorrectly reporting DBI 1.630 (1.63) as
+    being older than 1.614, preventing the upgrade to complete.
+    If you still use Perl 5.10.0 or older, make sure you have the
+    <a href="http://search.cpan.org/~jpeacock/version/lib/version.pod">version</a>
+    module installed before running <kbd>checksetup.pl</kbd>.
+    If you use Perl 5.10.1 or newer, this module is already available and
+    no special action is required.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=938300">[% terms.Bug %] 938300</a>)</li>
+  <li><kbd>checksetup.pl</kbd> no longer fails with "Invalid version format (non-numeric data)"
+    when a Perl module contains an invalid version number.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=781672">[% terms.Bug %] 781672</a>)</li>
+  <li>The PROJECT environment variable is now correctly taken into account
+    when mod_perl is enabled (this variable allows several installations to
+    share the same codebase).
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=843457">[% terms.Bug %] 843457</a>)</li>
+  <li>[% terms.Bugzilla %] no longer crashes when the <kbd>shutdownhtml</kbd>
+    parameter is set and using a non-cookie based authentication method.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=748095">[% terms.Bug %] 748095</a>)</li>
+  <li>The default date and time format used for SQLite has been fixed.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=938161">[% terms.Bug %] 938161</a>)</li>
+</ul>
+
 <h3>4.2.7</h3>
 
 <p>This release fixes several security issues. See the
-- 
cgit v1.2.3-24-g4f1b


From 6066ff31980fddc2eb97b987c5bbd1a931495f1e Mon Sep 17 00:00:00 2001
From: Manish Goregaokar <manishearth@gmail.com>
Date: Thu, 17 Apr 2014 18:37:11 +0200
Subject: Bug 968576: [SECURITY] Dangerous control characters allowed in
 Bugzilla text r=glob a=justdave

---
 template/en/default/email/bugmail.txt.tmpl | 2 +-
 template/en/default/request/email.txt.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'template/en')

diff --git a/template/en/default/email/bugmail.txt.tmpl b/template/en/default/email/bugmail.txt.tmpl
index 0b349fb15..a3a0b873c 100644
--- a/template/en/default/email/bugmail.txt.tmpl
+++ b/template/en/default/email/bugmail.txt.tmpl
@@ -32,7 +32,7 @@
 [%- IF comment.count %]
 --- Comment #[% comment.count %] from [% comment.author.identity %] ---
 [% END %]
-[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) %]
+[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %]
 [% END %]
 
 -- [%# Protect the trailing space of the signature marker %]
diff --git a/template/en/default/request/email.txt.tmpl b/template/en/default/request/email.txt.tmpl
index fb957484b..65946a1e1 100644
--- a/template/en/default/request/email.txt.tmpl
+++ b/template/en/default/request/email.txt.tmpl
@@ -84,7 +84,7 @@ Attachment [% attidsummary %]
 [%-# .defined is necessary to avoid a taint issue in Perl < 5.10.1, see bug 509794. %]
 [% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %]
 ------- Additional Comments from [% user.identity %]
-[%+ Bugzilla.cgi.param("comment") %]
+[%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %]
 [% END %]
 
 [%- END %]
-- 
cgit v1.2.3-24-g4f1b