Blog

Want to always keep up-to-date with Bugzilla news? Subscribe to announce@bugzilla.org, a read-only mailing list where we'll post announcements about new versions of Bugzilla and security advisories.


You can also see what's going on in the project by looking at the notes of, or watching the video of, our monthly developer meetings.


22. September 2004

Bugzilla-Submit 0.6 Released

by Bugzilla Team

Christian Reis has released a new version of bugzilla-submit, a command-line utility to post new bugs to a Bugzilla installation. This version fixes issues with .netrc parsing of base URLs, Python version checking and processing of the Operating-System and URL fields. It also includes text and manpage versions of the documentation (which was only available as XML source in previous versions).

Note that bugzilla-submit requires Python 2.3. Bug reports should go to bugzilla.mozilla.org.

27. July 2004

Bugzilla 2.18rc2 Released

by Bugzilla Team

Our second release candidate for Bugzilla 2.18 is now available. There are a few major issues addressed that snuck into 2.18rc1, so if you’re already running 2.18rc1, an upgrade is strongly recommended. Information about what’s new and what’s still left to fix is on the 2.18 Release Status page.

10. July 2004

Status Update

by Zach Lipton (zach)

Introduction and Updates

Welcome to the new Bugzilla status update, covering the four months since our last update and the release of Bugzilla 2.17.7. In this update, the Bugzilla Team is pleased to announce the release of Bugzilla 2.18, Release Candidate 1 (rc1), and Bugzilla 2.16.6, the latest maintenance release in the current stable series.

We are also pleased to announce the new Bugzilla Website, thanks to the efforts of Mike Morgan and the Bugzilla Team. The new site is designed to more closely match the look and feel of the mozilla.org website and is standards-compliant.

As usual, we’d like to remind all Bugzilla administrators that to assist them in keeping up-to-date with release announcements and security advisories, we provide an ultra-low-volume administrator mailing list (announce@bugzilla.org). We advise all Bugzilla administrators to subscribe so they can keep up with important Bugzilla announcements.

Those looking to get involved with Bugzilla development may want to consider joining the developers list (developers@bugzilla.org), where new features and issues are discussed. Developers are invited to subscribe.

New Releases

2.18rc1

This release is a developers’ release and is not recommended for production use, but all existing users of the 2.17 development branch are strongly encouraged to upgrade to 2.18rc1, both for the increased stability and new features, and for the security updates described below. 2.18rc1 is the first Bugzilla release to support operation on Microsoft Windows servers with no modifications to Bugzilla itself.

2.16.5

All users of the 2.16 stable branch are encouraged to update their production installations to 2.16.6 for security reasons. More details on the security vulnerabilities fixed in this update are available in the 2.16.5 Security Advisory. See the check-in manifest at the bottom of this status update for a list of changes.

Users of the 2.16 branch are also asked to test their installations with 2.18rc1 using a backup copy of their database, in order to help us make the best 2.18 final release. Since 2.16 was originally released, Bugzilla has come a long way. This list shows many of the major new features that have been added to the 2.17 development branch. Those using 2.16 should take a look at this list for an indication of what will be new in 2.18.

The 2.16 branch will be retired with the release of Bugzilla 2.22, scheduled for approximately April 2005. Administrators using the 2.16 branch are encouraged to investigate migration to the 2.18 stable branch when 2.18 is released.

2.14

We would like to remind all administrators running Bugzilla instances from the old 2.14 branch that this branch has been retired, and is no longer being supported actively by the team. We strongly recommend upgrading to a stable version (either 2.16.5, or 2.18 when it is released) to ensure security and proper operation, and for the new features provided by this branch.

New Features Since the Last Status Update

Several new features are available for testing in our release candidate, 2.18rc1. The following items describe the most important of these changes since the previous status update; the manifest at the end of this document describes the full list of changes.

  • All remaining static HTML pages (with the exception of QuickSearch) have been converted to template files processed by page.cgi. This feature allows all pages in Bugzilla to be localized (bug 170213).
  • A preference panel for the management of saved searches was added to the User Preferences page (bug 232176).
  • Buglists can now be exported as calendars in the icalendar format (bug 235459).
  • The “noresolveonopenblockers” parameter was added to allow administrators to prevent a bug being closed when it has open dependencies (bug 24496).

Major New Features Since 2.16

Users upgrading from 2.16 may be interested in a list of major new features since the 2.16 release.

Date-Based Releases and More

An update from Dave Miller, Bugzilla project leader on the new date-based release scheme:

Well, today we’re finally releasing our first release candidate for Bugzilla 2.18.

It’s been a long time coming. It’s been just shy of 2 years since Bugzilla 2.16 was released. This is a contributing factor to why this release is just now coming, even after our feature freeze on March 15th has now passed us by almost 4 months.

There are a lot of new features in 2.18. Large substantial humungous chunks (am I repeating myself?) of Bugzilla code have been reorganized and rewritten since 2.16. Bugzilla’s underpinning now features substantial amounts of well-organized object-oriented Perl code. We’re not there, yet, though. There’s still a pretty good chunk of it (post_bug, process_bug, and the administrative utilities) that are still the old code that’s had extra stuff hacked into it for years. :) And therein lies our challenge for the next few releases.

There are quite a number of new features that are almost ready to land on the trunk. Several of them have been put off for the last 4 months because they would violate our feature freeze to check them in. Those will start landing over the next few weeks, now that what will become 2.18 is living on a branch in CVS.

We announced a while back that the 2.18 Release would start us on a 6-month release cycle. Following that schedule, our feature freeze for 2.20 will be on September 15th, 2004. Yes, that’s only 2 months from now. I don’t expect the freeze to last 4 months again like it did for 2.18. For 2.18 we had 2 years worth of cleaning up to do. :) Since we only have 2 months of development time between now and the 2.20 freeze, it can’t get that bad. So we should be able to expect to see Bugzilla 2.20 in final release form by mid-October.

Even with all of that going on, we’re not done with 2.18 yet. Today’s release is just a candidate. It will evolve with your help, as you test it and point out any regressions we need to fix. There will be a second release candidate in a week or two, after we knock off any major regressions anyone reports. The second candidate will also get a week or two of testing before being declared the final release.

We have a few flags on the bugs for dealing with this. If a bug you report is something that you think is important to have fixed in 2.18, set the “blocking2.18” flag to the question mark (“?”) setting. This will send a message to me asking me to evaluate it. If I (or Myk) set it to “+”, that means we’ve agreed, and attempts will be made to get it fixed on the 2.18 branch so it can be included in the final 2.18 release. Similarly, once a patch is ready to go, it must get a “+” on the “approval2.18” flag (set by Myk or myself) before it can be checked in on the branch. Please do request that if you have something blocking 2.18 after you get it reviewed.

Before I sign off here, I want to take a moment to profusely thank Mike Morgan for the work he’s done on our website over the last couple months. This is a really wonderful new website he cooked up for us! :) If you have any feedback on the new site design, or find any dead links that need to be fixed, please post on the mozilla-webtools mailing list. (See the support page to find out where to subscribe).

Upcoming Features

This section lists major new features that are either in progress or have some amount of work toward them completed already, but have not yet landed in CVS. If you would like to help out (many of these features need planning, coding, or testing), or just want to find out the current status of one of these items, check out the parenthesized bug links.

  • Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
  • PostgreSQL support. (Bug 98304)
  • Oracle support. (Bug 189947)
  • Ability to add generic customized fields to bugs. (Bug 91037)
  • Customized resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system. (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
  • Wiki integration. (Bug 102685)

Trunk Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the trunk from 2004/03/03 to 2004/07/08. This list was generated by filtering Bonsai’s output on that query.

Checkins that don’t refer to a specific bug number have been omitted, and were a small minority. Bold bugs are security bugs.

Checkin manifest:

  • Bug 236296 - Fix Build Identifier on guided entry form
  • Bug 236567 - Update the documentation describing the Perl modules installation on Windows using ppm
  • Bug 236019 - Make request.cgi use $cgi->param instead of %::FORM
  • Bug 236443 - Respect customization of customized words in create.html.tmpl
  • Bug 234879 - Remove %FORM from editkeywords.cgi
  • Bug 234875 - Use ->param in quips.cgi
  • Bug 220814 - Add to FAQ: How to upgrade Bugzilla from CVS
  • Bug 236634 - Move colon out of anchor text in “Target Milestone:” in show_bug
  • Bug 235278 - Eliminate %::FORM from userprefs.cgi
  • Bug 236652 - Fix libgdi typo in section 2.4.2 of the docs
  • Bug 232141 - Add all saved searches to footer until linkinfooter UI returns
  • Bug 170213 - Make static HTML files into page.cgi pages. This does votehelp.html (-> id=voting.html), bug_status.html (-> id=fields.html) and bugwritinghelp.html (-> id=bug-writing.html)
  • Bug 232176 - Add a preferences panel for saved searches, to allow management all in one place
  • Bug 143490 - Eliminate unsupported calls from checksetup.pl when running in Windows
  • Bug 236322 - Trivial inaccuracy in description of “find a specific bug” search corrected (the search doesn’t really search summaries, so I’ve removed the text that says it does).
  • Bug 178162 - Move the vote checkbox to the left
  • Bug 236664 - Make checksetup.pl print good install instructions for Perl modules on win32
  • Bug 232491 - Try harder to avoid parameterless searches (either saved or otherwise)
  • Bug 237540 - Remove unused hidden field from edit-multiple
  • Bug 235459 - Add icalendar output format in buglist
  • Bug 237646 - Fix for regression in userprefs.cgi that disallowed users to change their password via this page
  • Bug 236424 - Allow showdependencies trees to collapse. Adds [optional] Javascript-enabled +/- controls that allow branches in the dependency tree to collapse.
  • Bug 232397 - .bz_obsolete shouldn’t specify “underline”. Define specific bz_obsolete/closed/inactive classes (that don’t specify underline, but line-through instead) and additional Template filters for conveniently applying them
  • Bug 237757 - Resolved bugs are no longer struck out on dependency trees. Includes a global CSS file that defines the relevant bz_* classes and adds a link to it from the global header template
  • Bug 192516 - Moving the loose .pm files into the Bugzilla directory, where they belong. These files pre-date the Bugzilla directory, and would have gone there had it existed at the time. The four files in question were copied on the CVS server to preserve CVS history in the files.
  • Bug 24496 - Adds a parameter “noresolveonopenblockers” which when enabled, prevents bugs from being closed if there are any bugs blocking it which are still open.
  • Bug 132066 - Add a note to the login page about needing cookies for a good user experience
  • Bug 237864 - Clean up leftover issues from the bug 192516 checkin (some occurrences of Token got missed)
  • Bug 203869 - Update documentation to better describe group controls
  • Bug 237513 - Change password uses semi empty field
  • Bug 237514 - Confirmed email address is missing
  • Bug 237517 - Inconsistent spelling of cancelled or canceled
  • Bug 237772 - Instances of “a terms.bug” should be replaced with “terms.abug” also fix the spelling of decipher
  • Bug 234293 - Complete the conversion from “query” terminology to “search” terminology
  • Bug 238025 - Generate HTML table header in editkeywords.cgi even when there are no keywords defined
  • Bug 179351 - Improve variable scoping issues in order to fix a bug causing oddly formatted dependency emails
  • Bug 228423 - Document adjustment of MySQL 4GB default table size limit
  • Bug 232338 - Make the footer wrap cleanly, so it doesn’t over-widen the page
  • Bug 238033 - Eliminate HTML closing tags that haven’t been opened and fix an indentation issue
  • Bug 126252 - Add the gnatsparse Python script to the contrib directory
  • Bug 207039 - Add documentation explaining how to install bugzilla under regular user privileges
  • Bug 233246 - Improve documentation on enter_bug comment formatting templates.
  • Bug 224420 - Documentation for new reporting and charting systems.
  • Bug 237515 - Change ‘also’ to ‘too’ in the watching help page
  • Bug 237840 - Eliminate case sensitivity for “attachment N” linkification
  • Bug 238282 - An incorrect bugword
  • Bug 236650 - Clarify choice of install directory in docs
  • Bug 238396 - Update the README file for the gnatsparse project
  • Bug 238506 - Fix checksetup.pl so that it does not fail if an upgrading site never changed a groupset
  • Bug 218206 - Document ft_min_word_len MySQL param for indexing small words in full-text indexes and fix several typos in documentation
  • Bug 127862 - Have sanitycheck.cgi use perl to evaluate email regexp
  • Bug 238669 - Add a space between ‘entered’ and ‘(‘ in illegal_email_address error
  • Bug 238656 - Reword the “Account self-creation” error message
  • Bug 238673 - Add missing article in change email address page
  • Bug 238677 - Fix wording of the “require_new_password” message
  • Bug 238683 - Fix for usage of uninitialized value in concatenation in Bugzilla/CGI.pm
  • Bug 238693 - Replace deprecated v-strings with calls to the pack() function
  • Bug 177224 - Update installation docs to note XUL and RDF MIME types
  • Bug 181589 - Add mass-remove to editgroups
  • Bug 232097 - Use an entity reference for the landfill base URL in the demos, to make it easy to change each release.
  • Bug 237369 - Implement relatively simple changes from %FORM to $cgi->param variable
  • Bug 226764 - Move InvalidateLogins into Bugzilla::Auth::CGI. Consolidates the logout code into Bugzilla::Auth::CGI, and provides simple front-end wrappers in Bugzilla.pm for use in the CGIs we have. Adds a set of constants to the logout() API which allow specifying “how much” we should log out – all sessions, the current session, or all sessions but the current one. Fixes callsites to use this new API; cleans and documents things a bit while we’re at it. Part I in the great COOKIE apocalypse.
  • Bug 226754 - Move InvalidateLogins into Bugzilla::Auth::CGI. Consolidates the logout code into Bugzilla::Auth::CGI, and provides simple front-end wrappers in Bugzilla.pm for use in the CGIs we have. Adds a set of constants to the logout() API which allow specifying “how much” we should log out – all sessions, the current session, or all sessions but the current one. Fixes callsites to use this new API; cleans and documents things a bit while we’re at it. Part I in the great COOKIE apocalypse.
  • Bug 234175 - Remove deprecated ConnectToDatabase() and quietly_check_login()/confirm_login() calls. Cleans up callsites (consisting of most of our CGIs), swapping (where appropriate) for calls to Bugzilla->login
  • Bug 235265 - Getting rid of some unwanted form value dumps.
  • Bug 233962 - UserInGroup() should not accept a second parameter any longer
  • Bug 238860 - Remove %FORM from editversions.cgi
  • Bug 237778 - Update filter list in t/004template
  • Bug 238867 - Remove one last %FORM from quips.cgi
  • Bug 238650 - Reword duplicate of self error message
  • Bug 237508 - Have checksetup.pl specify which perl to use (the same one it’s running under) when giving instructions how to use CPAN to install needed modules.
  • Bug 189156 - Explain quip moderation in documentation.
  • Bug 146087 - Set the default of the sendmailnow param to ON on the trunk as well
  • Bug 236926 - Supply a missing $cgi->header in buglist.cgi
  • Bug 232554 - Fix SQL queries in Flag.pm in order to fix a bug that causes flags to remain set but inaccessible when product changes.
  • Bug 220817 - Add to FAQ documentation for ‘Why do I have to log in every time I access a page?’.
  • Bug 238874 - Remove %FORM and %COOKIE from colchange.cgi. Does precisely that, swapping them for references to cgi->param/cookie.
  • Bug 233295 - Document terminology customization feature
  • Bug 238352 - Remove alphabetical sorting from some fields in reports (e.g. priority) and keep them in a sensible order instead
  • Bug 239346 - Add hook at end of comments
  • Bug 239255 - Update docs in order to specify that $webservergroup is the group of the webserver, not the user
  • Bug 14887 - Put
  • Bug 239576 - Make sure detaint_natural is always called with a defined value in editkeywords.cgi
  • Bug 230293 - Send CSV buglists with “Content-Disposition: attachment”
  • Bug 237176 - Allows power users to display relevance values as a column in the search results for a fulltext search
  • Bug 238862 - Remove %FORM and %COOKIE from enter_bug.cgi
  • Bug 238864 - Remove %FORM and %COOKIE from move.pl
  • Bug 192775 - Rearrange parameter order in token URLs to make them always fully linked in some MUAs
  • Bug 233245 - Update documentation of formats to include ctypes as well
  • Bug 239885 - Don’t display the sendmail message if the current platform is Windows
  • Bug 239912 - Make bug_email.pl work with useqacontact
  • Bug 239826 - Support closing resolved bugs when changing multiple bugs
  • Bug 224698 - Remove localconfig variable mysqlpath
  • Bug 87770 - Make attachment.cgi work with no parameters
  • Bug 240228 - Improve the format of the error message displayed by checksetup.pl when the MySQL requirements are not satisfied
  • Bug 238865 - Remove %FORM from page.cgi. Does so, fixing the linked page template and adding a code error for the “bad id provided” case
  • Bug 194332 - Fix spelling that caused error message mismatch for the “invalid_maxrows” error message
  • Bug 233245 - Replace “variable” with “constant” since there is no contenttypes variable in Constants.pm.
  • Bug 240219 - Display valid PPM commands when using PPM version 2
  • Bug 240060 - Stop yelling at people about the minimum sendmail version
  • Bug 224477 - Make webservergroup default to apache on new installs
  • Bug 238869 - Remove %FORM from votes.cgi.
  • Bug 240439 - “Edit user again” link didn’t work if the user had a + in their email address
  • Bug 240434 - Replace increased with improved on the login page
  • Bug 237638 - Make bugzilla_email_append.pl work with BugMail.pm instead of processmail
  • Bug 192571 - Empty default owner (assignee or QA) causes “Reassign bug to owner and QA contact of selected component” to NOOP
  • Bug 240004 - Limit the password generation subroutine to nice characters only
  • Bug 241516 - Remove possible namespace conflicts in the additional CSS classes for bugid, component, and status on show_bug
  • Bug 234540 - “Take bug” on create attachment screen missed an API change to BugMail which caused it not to mail the previous bug owner about the change.
  • Bug 237838 - Make sure CheckCanChangeField() always gets correct resolution
  • Bug 241259 - Add a CSS tag for ‘Additional Comments’
  • Bug 242740 - URL to Bug Writing Help document changed
  • Bug 204042 - Taint issues in perl 5.6.0 that were causing an Internal Error to occur after adding an attachment.
  • Bug 240486 - Makes the banner template CSS friendly
  • Bug 231975 - Avoid naming new product groups the same as existing groups and do not rename product groups on product rename.
  • Bug 240036 - Unlock tables after address error before attempting to process footer
  • Bug 227785 - Add navigation/summary/last-modified after modifying a bug
  • Bug 232861 - Prevent references to bugs or comments from being expanded in attachment links
  • Bug 226477 - Fix undefined method call in Bugzilla::User->in_group
  • Bug 226411 - Make DiffStrings handle fields with duplicate values
  • Bug 238675 - Improved wording for the reassign-to-entry error message
  • Bug 239263 - User.pm should always use the main database to avoid a potential error
  • Bug 244053 - Improve grammar in checksetup.pl
  • Bug 244045 - --no-silent option for checksetup.pl
  • Bug 217627 - Fixes error that occurred with bug aliases starting with zero
  • Bug 208847 - Fixes taint errors in editgroups.cgi
  • Bug 141006 - Runs all edit* cgi scripts in taint mode
  • Bug 244650 - Fix searches on commentators when searching for other email addresses
  • Bug 227172 - Fixes a potential race condition when users change their email address
  • Bug 243351 - Prevents an issue of MySQL version sensitivity in case sensitive searches
  • Bug 183753 - Make collectstats.cgi work on Win32
  • Bug 179671 - Fix boolean charts
  • Bug 223541 - Make flags appear correctly in “view all attachments” mode
  • Bug 240079 - Improved wording in README file
  • Bug 242161 - Adds a patchviewer(“diff”) link to process_bug.cgi
  • Bug 240252 - Improved wording in editproducts.cgi
  • Bug 245976 - Fixes an error that occurred when trying to add a milestone
  • Bug 240325 - Update regexp-based groups
  • Bug 160210 - Fixes Mac OS X detection and adds 10.1 and 10.2 to the OS list
  • Bug 246599 - Adds Mac OS 10.3 (Panther) to the OS list
  • Bug 142744 - Makes the test suite work on Win32
  • Bug 246328 - Make editmilestone.cgi check for invalid sortkeys
  • Bug 246778 - Fixes an error that occurred with ThrowUserError and timetracking
  • Bug 247209 - Improves OS detection for Solaris
  • Bug 247192 - Improves OS detection for StarOffice on Solaris SPARC
  • Bug 225359 - Allows dependency graphs to work on Win32
  • Bug 245924 - Uses HTML 4 and CSS formatting for the Bugzilla footer
  • Bug 248685 - Fixes the lack of terms in the header of showdependencytree.cgi
  • Bug 248001 - Converts boolean conditions in SQL statements to improve database independence
  • Bug 245101 - Fixes warnings that occurred from upgrades from 2.14.x without going through a 2.16.x version
  • Bug 239343 - Adds the sendbugmail.pl script to contrib/ for external scripts that need processmail’s functionality
  • Bug 243463 - Use a param to prevent charts from leaking secure information
  • Bug 223878 - Avoids problems that occur when changing a deleted flag
  • Bug 249802 - Document granting of permissions to a MySQL user for MySQL 4
  • Bug 245077 - The “find a specific bug” tab is now the default when loading query.cgi, the script will remember the previously selected tab and display it when query.cgi is loaded again.
  • Bug 248988 - Prevents a possible error with attachments on Win32
  • Bug 249863 - Fix invalid HTML in create.html.tmpl
  • Bug 190432 - Avoids using non-ANSI SQL when saving a named query
  • Bug 250265 - Fix taint errors with vote fields when editing products
  • Bug 227191 - Prevents the database password from being disclosed when the SQL server is halted and the webserver is left running in 2.17.x releases.
  • Bug 233486 - Fixes a privilege escalation in 2.17.x releases where a user with privileges to grant membership to one or more individual groups (i.e. usually an administrator) can trick the administrative controls into granting membership in groups other than the ones he has privileges for.
  • Bug 234825 - Prevents an information leak in all versions of Bugzilla where duplicates.cgi can disclose the names of products to which the user does not have access.
  • Bug 234855 - Prevents an information leak in all versions of Bugzilla where the form for mass-editing bugs can list products to which the user does not have access.
  • Bug 235265 - Prevents a Cross-Site Scripting vulnerability in several administrative scripts.
  • Bug 235510 - Avoids a potential user password compromise in versions 2.17.5 through 2.17.7 where the user password could be visible in web server logs when accessing a chart.
  • Bug 244272 - Fixes an issue where a user with permission to grant membership to any group (i.e. usually an administrator) could cause editusers.cgi to execute arbitrary SQL.

Stable (2.16) Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the branch from 2004/03/03 to 2004/07/08. This list was written from Bonsai’s output on that query.

Bold bugs are security bugs.

Checkin manifest:

  • Bug 236567 - Update the documentation for installing perl modules with PPM
  • Bug 220814 - Update the FAQ to explain how to update Bugzilla from CVS
  • Bug 207039 - Improve documentation on installing Bugzilla with regular user privileges
  • Bug 237591 - Allows XML import to function when there are regexp metacharacters in product names
  • Bug 220817 - Update the FAQ to include information on why Bugzilla may request a username and password every time a page is accessed
  • Bug 238628 - Adjust the database schema chart to fit on an 8.5X11 inch page
  • Bug 239912 - Allows the bug_email.pl contrib script to work with useqacontact
  • Bug 240228 - Improves the error message used by checksetup.pl when the MySQL requirements are not met
  • Bug 240060 - Eliminates a warning in checksetup.pl about the minimum sendmail version
  • Bug 224477 - Makes webservergroup default to group ‘apache’ in new installations
  • Bug 117297 - Fixes an error where a bugmail message could be sent twice to a user on the CC list
  • Bug 240079 - Improves the wording in the README
  • Bug 249802 - Document how to create a MySQL user with permissions using MySQL 4
  • Bug 234825 - Prevents an information leak in all versions of Bugzilla where duplicates.cgi can disclose the names of products to which the user does not have access.
  • Bug 234855 - Prevents an information leak in all versions of Bugzilla where the form for mass-editing bugs can list products to which the user does not have access.
  • Bug 235265 - Prevents a Cross-Site Scripting vulnerability in several administrative scripts.
  • Bug 244272 - Fixes an issue where a user with permission to grant membership to any group (i.e. usually an administrator) could cause editusers.cgi to execute arbitrary SQL.

Conclusion and Credits

Thank you very much to everyone who has helped to bring us so much closer to the 2.18 release. A special thank you to those who helped to edit this status update and those who have assisted in other parts of the release process. Lastly and as always, a big thank you to Bugzilla’s users and testers for their feedback.

10. July 2004

Bugzilla 2.16.6 and 2.18rc1 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of our first release candidate for Bugzilla 2.18. This release will be shaped by your feedback over the next few weeks.

Also released is version 2.16.6. Both releases fix a number of security issues.

The 2.18rc1 release is also the first to offer installation on Windows without modification of Bugzilla itself. See the download page for details.

We have also posted a new status update to help keep everyone informed of where the project is heading.

21. March 2004

Bugzilla 2.16.x documentation now available as PDF

by Bugzilla Team

A long-standing bug in the 2.16 branch documentation sources has been knocked out, and we’re now pleased to offer the 2.16 documentation in PDF format on the documentation page. The 2.17.x documentation has been available this way for a while now.

03. March 2004

Status Update

by Dave Miller (justdave)

Introduction

This status update covers the four months that have gone by since our last update. At the time of our last status update, we released version 2.17.5 of Bugzilla. It was followed a week later by version 2.17.6, which was released to seal a small security hole discovered in one of the new features that was introduced in 2.17.5.

As of this status update, we are also releasing 2.17.7 and 2.16.5. For the first time in a while, there’s no security advisory to go with it, which feels pretty good! So, if there’s no security advisory, why are we releasing a new stable release? Well, 2.16.5 had a few regressions from 2.16.4 that we had to fix. The most major of which was that xml.cgi was completely busted. We also fixed some compatibility problems with older versions of DBI, fixed a MySQL 4 compatibility issue which we thought we’d fixed in 2.16.4, but it turns out we really hadn’t, and several other minor bugfixes that we hope will improve the overall stability of the 2.16 series.

As in previous updates, which have included a note on this subject, Windows support (that is, being able to run a Bugzilla instance on a Windows web server) is still to be completed and integrated. We would really appreciate community assistance in fixing the remaining issues for Windows support. So far, very few people have been contributing towards the Win32 effort.

We’d also like to remind all Bugzilla administrators that to assist them in keeping up-to-date with release announcements and security advisories, we provide an ultra-low-volume administrator mailing list (announce@bugzilla.org). We advise all Bugzilla administrators to subscribe so they can keep up with important Bugzilla news.

New Releases

The Bugzilla Team is pleased to announce the 2.16.5 and 2.17.7 releases of Bugzilla.

  • The stable (2.16.5) release provides a number of bug fixes, as mentioned above. See the check-in manifest at the bottom of this status update for details.
  • The development (2.17.7) release provides a large number of feature enhancements and bug fixes. This release is a developers’ release and is not intended for production use.

We would like to remind all administrators running Bugzilla instances from the old 2.14 branch that this branch has been retired, and is no longer being supported actively by the team. We strongly recommend upgrading to the latest stable version to ensure security and proper operation.

New Features (on the Trunk)

A few new features are available for testing on our latest development release. The following items describe the most important of them, and the manifests towards the end of this document describe the full list of changes committed.

  • CSS Customization: A CSS id signature unique to each Bugzilla installation is now added to the <body> tag on Bugzilla pages to allow custom end-user CSS to explicitly affect Bugzilla. (224242)
  • Template Hooks: A mechanism for third party extensions to plug into existing templates without having to patch or replace distributed templates has been added. More information on this can be found in the Documentation. (232903)
  • ‘commentoncreate’ Parameter: A parameter has been added which allows the administrator to prevent users from submitting new bugs with an empty description. (213679)

The Road to 2.18

An update from Dave Miller, Bugzilla project leader, and Matthew Tuck, QA lead

After a long discussion on the mozilla-webtools mailing list, we’ve decided to cave in to popular demand and move to date-based releases for 2.20 and beyond, in response to the enormously long periods for the feature-based releases 2.16 and 2.18. The current plan is as follows:

The releases will be approximately six-monthly to start with. This should be an upper limit, and we could perhaps consider going to four-monthly later if things run smoothly. More releases means code gets out faster and developers have less pain missing a release, and I don’t think there’s much overhead from extra releases, given pretty much all work before and after a release will be proportionately smaller.

There will be no promises of features appearing in releases, on behalf of the Bugzilla project. We have no way of guaranteeing features in a given or reasonable time frame. If you want to make an individual promise to someone, it’s on your head. =)

The date-based part of the release process will be the feature freeze. All other aspects of development will stay “when they’re ready”. This in particular means the releases will only be approximately six months apart. This means that although the freeze will happen on a set date, the release itself will not happen until the release branch passes release candidate testing.

When the tree opens for 2.19, there will be a little less than six months of development time (so that the freezes themselves can happen every six months). Once this elapses, a feature freeze will be declared, at which point the tree will be closed to anything that is not a user or administrator-visible bug fix, docs updates or an otherwise freeze-approved checkin.

This will continue until the tree is declared fit for Release Candidate (RC) 1. At this point, the tree will branch, and HEAD will reopen for development. The branch will continue the RC cycle until it’s ready for release.

Note that the tree closed time will be deducted from the development time for the next release, which will mean the feature freezes will stay exactly every six months. One would not expect this to be greater than 1-2 weeks, in which case the development time would be about 5 months and 2-3 weeks.

Upcoming Features

This section lists major new features that are either in progress or have some amount of work toward them completed already, but have not yet landed in CVS. If you would like to help out – many of these features need either planning, coding, or testing – or just want to find out what the current status is on one of these items, check out the parenthesized bug links.

  • Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
  • PostgreSQL support. (Bug 98304)
  • Sybase support. (Bug 173130)
  • Ability to add generic customized fields to bugs. (Bug 91037)
  • Customised resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system. (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
  • Wiki integration. (Bug 102685)

Apart from work on Bugzilla itself, Mike Morgan has started work on redesigning the Bugzilla website to a standards-compliant version that matches mozilla.org’s new look-and-feel. This is already underway, and will be rolled out with the Bugzilla 2.18 release.

Trunk Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the trunk from 2003/11/03 to 2004/03/03. This list was generated by filtering Bonsai’s output on that query.

Checkins that don’t refer to a specific bug number have been omitted, and were a significant minority. Bold italic bugs are security-sensitive bugs.

Checkin manifest:

  • Bug 123077 - improve the ValidatePassword sub so that a password change is no longer accepted with a blank second field
  • Bug 234898 - start to use $cgi->param in queryhelp.cgi.
  • Bug 234896 - makes sanitycheck.cgi use $cgi->param instead of ::FORM.
  • Bug 234876 - removes %FORM from token.cgi.
  • Bug 192247 - make Bugzilla quips truly random.
  • Bug 235268 - Convert show_activity.cgi to get rid of %FORM
  • Bug 235287 - improve a whineatnews.pl comment
  • Bug 65313 - improves the email regexp in order to better detect invalid email addresses
  • Bug 235175 - replaces ::FORM from createaccount.cgi with CGI based methods that are mod_perl compatible
  • Bug 234264 - eliminates a double escaping issue by removing filtering of searchname in title.
  • Bug 226251 - (internal error when server push is enabled): Due to randomization of Perl hash table functionality since 5.8.1, the ‘hack’ to unset the nph parameter for multipart messages is not working reliably; instead a modified clone of the original multipart_init function sets this parameter to ‘0’ and ignores the given nph parameter from buglist.cgi.
  • [SCHEMA CHANGE] Bug 220232: short_desc field in the bugs table is no longer allowed to be NULL. Null summaries would cause BugMail.pm to crash. (Normally this would only be caused by third party touching of the bugs table, such as bugs manually migrated from another system or inserted by a script - such scripts will now break if they don’t set a short_desc)
  • Bug 234171 - removes \%COOKIE from index.cgi.
  • Bug 233645 - fix a number of ‘undef’ warnings which were killing performance for multiple bug change.
  • Bug 234100 - removes redundant longdescs table join criterion
  • Bug 232749 - fix various charting problems revealed by b.m.o. upgrade, including editing, subscribe buttons and terminology.
  • Bug 232897 - make collectstats.pl work with shadow databases, by reading from shadow and writing to master.
  • Bug 232441 - Suggest solution in the error message in case admin forgets to rerun checksetup.pl
  • Bug 158527 - Fix up description for the editbugs group so it is closer to the reality
  • Bug 127995 - shows the size of attachments in the show bug and attachment interfaces.
  • Bug 218401 - add in some places templatization support for the bug term in query.cgi.
  • Bug 194472 - link to the product’s component editor when displaying error regarding lack of components.
  • Bug 232993 - Quote the filenames in the Content-disposition header when downloading attachments. This allows spaces to be used in filenames, and fixes compliance with RFCs 2183, 2045, and 822.
  • Bug 232830 - use url_quote instead of html filtering to make sure we can delete queries which contain a “+”.
  • Bug 224242 - Add a CSS id signature to the <body> tag on Bugzilla pages to allow user CSS to explicitly affect Bugzilla.
  • Bug 220998 - Allows blocks, dependson, and keywords values to be part of a bug entry template (i.e. a URL that presets those fields to specific values). Original
  • Bug 232903 - hook to allow addition of extra administration links in the footer.
  • Bug 232804 - add a “–check-modules” switch to checksetup.pl to get it to only do the Perl module checks. This makes installation easier to explain.
  • Bug 232413 - remove occurrences of &nbsp; in favour of the [%+ construct to prevent whitespace chomping.
  • Bug 228917 - Makes some flag SQL work with PostgreSQL by using the semantically equivalent INNER JOIN over a comma (,).
  • Bug 213679 - Implement a parameter that allows administrators to control whether blank comments are allowed when filling new bugs.
  • Bug 232485 - fix missing space between words.
  • Bug 232494 - fix missing space between words.
  • Bug 232508 - adds back missing space between “tell” and “[% terms.Bugzilla %]”.
  • Bug 232447 - Warns user about missing bug number instead of dying in GetBugLink().
  • Bug 232161 - add ability to forget or edit saved searches when the search throws an error.
  • Bug 225043 - enhance chart migration code to populate ‘All Open’ charts from historical data.
  • Bug 232164 - Adds backwards-compatibility hack for changedin queries for newly created bugs and simplifies the code.
  • Bug 232160 - adds the header back in to the “verify component, etc.” page that appears when a user changes the product to which a bug belongs.
  • Bug 232154 - Make old column lists work again by correctly translating old -> new column names.
  • Bug 232140 - makes tests work on b.m.o by making BugMail.pm use Bugzilla::Util, which contains the trim() function BugMail.pm needs.
  • Bug 232150 - Corrects “field changed” queries including [Bug creation] as one of the fields so that they actually work instead of taking forever. The query was structured as “[Bug creation] clause OR (bugs_activity JOIN clause OR (other field clauses))” when it should have been “bugs_activity JOIN CLAUSE AND ([Bug creation] clause OR other field clauses)”
  • Bug 183774 - makes duplicates.xul compute a correct base URL when jarred so that links to bugs work.
  • Bug 232055 - add more colours to line graphs (default is 7; we now have 16 - .)
  • Bug 227155 - make sure running collectstats.pl twice in a day, or migrating data from old charts to new charts where there are duplicate entries, doesn’t cause an SQL error.
  • Bug 231391 - make “cumulate” option work on new charts, together with a few UI tweaks.
  • Bug 225075 - Fix exact case search so it only selects bugs with matching case strings.
  • Bug 231026 - improve the appearance of the buglist options at the bottom of the buglist.
  • Bug 36379 - adds command-line switches for default product, component, and version to bug_email.pl
  • Bug 227026 - remove obsolete MacsBug information from guided template (we no longer support OS 9.)
  • Backing out bug 230293, we decided this was the wrong approach.
  • Backing out code change that was accidentally left in the patch on bug 228894 (see comment 9)
  • Bug 228894 - Change HTML comments to template-toolkit ones for template version numbers.
  • Bug 224420 - fix test bustage caused by accidental use of the word “bugs”. Oops.
  • Bug 224420 - add a warning that only public bugs are counted by the new charting system at the moment.
  • Bug 90468 - Bugzilla does not log out automatically when closing the session.
  • Bug 229998 - bugzilla-submit ‘Operating-System’ and ‘URL’ fields are rejected. Minor fixes to bugzilla-submit’s argument parsing.
  • Bug 231037 - remove JS popup from bug entry page.
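As an added example of the quoting that Bug 232993 above describes (this is not Bugzilla’s code, and it is Python rather than Bugzilla’s Perl), the function below builds a Content-Disposition value for an attachment download. The filename goes out as an RFC 2183 / RFC 822 quoted-string, so spaces are allowed and quotes and backslashes are backslash-escaped, and CR/LF and other control characters are refused so that a user-chosen filename cannot inject extra headers. It goes one step past the checkin by also emitting the RFC 2231 filename* form for non-ASCII names. The function names are assumptions made for the example.

```python
from urllib.parse import quote


def content_disposition(filename: str, inline: bool = False) -> str:
    """Build a Content-Disposition header value for an attachment download.

    The filename is sent as an RFC 2183 / RFC 822 quoted-string: spaces are
    fine, '"' and '\\' are backslash-escaped.  Control characters (CR, LF,
    NUL, ...) are rejected outright, because a CR/LF in a badly quoted value
    would let a user-chosen filename inject further headers.  For non-ASCII
    names the RFC 2231 'filename*' form is added as well (an addition beyond
    the checkin this example illustrates).
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        raise ValueError("control characters are not allowed in a filename")
    # Browsers treat '/' as a path separator; keep only the final component.
    filename = filename.rsplit("/", 1)[-1] or "attachment"

    disposition = "inline" if inline else "attachment"
    # quoted-string is ASCII-only: substitute '_' for anything else here and
    # carry the real name in the filename* parameter.
    ascii_name = "".join(c if c.isascii() else "_" for c in filename)
    quoted = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    header = f'{disposition}; filename="{quoted}"'
    if ascii_name != filename:
        header += f"; filename*=UTF-8''{quote(filename, safe='')}"
    return header


def is_safe_filename(filename: str) -> bool:
    """True if content_disposition() accepts the name, False if it rejects it."""
    try:
        content_disposition(filename)
    except ValueError:
        return False
    return True


def parse_quoted_filename(header: str) -> str:
    """Undo the quoting: recover the name from the filename="..." parameter.
    Used here only to show that the escaping round-trips."""
    i = header.index('filename="') + len('filename="')
    out = []
    while i < len(header):
        c = header[i]
        if c == "\\" and i + 1 < len(header):   # escaped '"' or '\'
            out.append(header[i + 1])
            i += 2
            continue
        if c == '"':                              # end of the quoted-string
            break
        out.append(c)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample filenames for the demonstration.
    for name in ['my report.txt', 'say "hi".txt', 'résumé.pdf', '../../etc/passwd']:
        print(content_disposition(name))
    print(is_safe_filename("x\r\nSet-Cookie: a=b"))   # False
```

The header-injection check matters even though the value is quoted: a quoted-string still ends at the first CR/LF as far as most HTTP parsers are concerned, so refusing those bytes is simpler and safer than trying to escape them.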

Stable (2.16) Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the branch from 2003/11/03 to 2004/03/03. This list was generated by filtering Bonsai’s output on that query (with some manual adjustments).

Checkin manifest:

  • Bug 123077 - improve the ValidatePassword sub so that a password change is no longer accepted with a blank second field
  • Bug 166755 - improve checksetup.pl’s error message when asking for administrator’s password
  • Bug 137121 - modify the way in which headers are printed in order to avoid printing them twice when reporting an error in createaccount.cgi
  • Bug 181106 - edit-multiple.html.tmpl uses &apos which Internet Explorer cannot use. Changed the entity in the template to a literal apostrophe.
  • Bug 231691 - fix used only once error in Perl 5.00503
  • Bug 224815 - The check-in for bug 212095 (which fixed a forward-compatibility problem with DBD::mysql) created a backward compatibility issue with DBI (unintentionally bumped the required minimum DBI version). This checkin puts the proper code in place to allow the minimum stated DBI according to the Bugzilla 2.16 documentation as well as the current DBI version as of this writing.
  • Bug 228706 - Fixes invalid expiration dates on almost all of the cookies. Amazingly it mostly worked before. It’ll work better now. :)
  • Bug 227513 - Add text to shadowdb param description to indicate that the privileges to access the shadowdb must be granted from MySQL prior to entering the shadowdb name in the param.
  • Bug 227510 - The shadowdb parameter wasn’t getting detainted before using it to create the shadowdb.
  • Bug 121419 - Use the most-specific cookie if more than one exists with different cookiepaths. Should help ease login troubles related to the cookiepath setting.
  • Bug 188712 - Safari thinks it’s Gecko, but it doesn’t support server-push. Look for it and don’t give it server-push.
  • Bug 225474 - Fixing regression from bug 217422, xml.cgi got busted, and the patch from bug 217422 (MySQL 4 compatibility for show_bug) didn’t accomplish what it was supposed to anyway. This checkin fixes both.
  • Bug 95430 - Reopening bugs from the “change several bugs at once” page did not work.

Conclusion and Credits

Well, that’s it for this status update. We’d like to thank everybody who submitted a patch, helpful comment or bug to Bugzilla – it’s very much appreciated, even when everybody’s too busy to stop and say “great work”; we always mean it! Let’s work together to make 2.18 the killer release we all want it to be.

03. March 2004

bugzilla-submit 0.5 posted

by Bugzilla Team

Christian Reis and Eric S. Raymond have released an initial version of bugzilla-submit, a command-line utility to post new bugs to a Bugzilla installation. We’d like to invite testing and feedback on the tool and its functionality; note that it requires Python 2.3. Post bug reports as usual to bugzilla.mozilla.org.

03. March 2004

Bugzilla 2.17.7 and 2.16.5 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of the Bugzilla 2.17.7 developer snapshot. For details on the newest features and bugfixes, see the new status update.

Also released today is Bugzilla 2.16.5. Version 2.16.5 is the latest stable Bugzilla release, and contains fixes to a regression and some compatibility issues in Bugzilla 2.16.4.

09. November 2003

Bugzilla 2.17.6 Released

by Bugzilla Team

We had a small “oops” with the 2.17.5 release: one of the new features it introduced also introduced a new security hole. For the full details, read the security advisory. Note that this affects version 2.17.5 only; the current stable version, 2.16.4, is not affected. Since this is the development branch, there have been other checkins besides the security fix. For a complete list, click the “2.17.5 → 2.17.6” link on the changelog page. Version 2.17.6 is available on the download page.

02. November 2003

Bugzilla Status Update

by Christian Reis (kiko)

Introduction

This status update covers the 6 months that have gone by since our last update. It’s been an interesting period in Bugzilla’s time, with quite a few feature enhancements hitting the trunk and a significant number of external contributions being submitted.

To start off, we’d like to congratulate (and nudge ahead) Vlad Dascalu, Chuck Duvall and Mike Morgan who have been doing excellent work both on triage and on providing bugfixes. Independent contribution has always been the mainstay of Bugzilla development, so it’s really nice to see people volunteer the time and expertise that make this a great product. The lowest bug number fixed was bug 13540 – generalizing previously fixed terms such as “bug” – which was coaxed in by Jon Wilmoth. A number of others had first-time patches integrated, too, and we’d definitely like to see more good work from you all.

We’ve got a few security updates that have been covered in the security advisory simultaneously released. The bugs found and fixed are not critical – they are mainly leaks and minor privilege issues – but it’s always a good idea to update to the latest stable release. The bug fixes have also been applied to the development branch where relevant.

A number of interesting features have also been included (in the trunk); in particular, Gerv integrated a patch that provides partial email spam-proofing, which has always been one of the top requests on public installations. Gerv also landed an extension to Bugzilla which allows generating charts from Bugzilla-collected data. Another notable feature by the great John Keiser has been included: Patch Viewer, which is a complete (and integrated) diff-viewing tool. I’m not going to spoil the rest of the surprises, so read the sections below to find out what other goodies are in this month’s grab bag.

Note that, as in previous updates (which have included a bit on this subject), Windows support (that is, being able to run a Bugzilla instance on a Windows web server) is still to be completed and integrated! We would really appreciate community assistance in fixing the remaining issues for Windows support.

We’d also like to remind all Bugzilla administrators that to assist them in keeping up-to-date with release announcements and security advisories, we provide an ultra-low-volume administrator mailing list (announce@bugzilla.org). We advise all Bugzilla administrators to subscribe so they can keep up with important Bugzilla news.

New Releases

The Bugzilla Team is pleased to announce the 2.16.4 and 2.17.5 releases of Bugzilla.

  • The stable (2.16.4) release provides a number of bug fixes, including fixes for 4 security issues discovered since the 2.16.3 release. It is recommended that all production installations upgrade to 2.16.4 to make sure they get the fixes for these security bugs.
  • The development (2.17.5) release provides a large number of feature enhancements and bug fixes, including fixes for 3 security issues discovered since the 2.17.4 release. This release is a developers’ release and is not intended for production use.

We would like to remind all administrators running Bugzilla instances from the old 2.14 branch that this branch has been retired, and is no longer being supported actively by the team. We strongly recommend upgrading to the latest stable version to ensure security and proper operation.

New Features (on the Trunk)

A number of interesting new features are available for testing on our latest development release. The following items describe the most important of them, and the manifests towards the end of this document describe the full list of changes committed.

  • Patch Viewer: Viewing and reviewing patches in Bugzilla is often difficult due to lack of context, improper format and the inherent readability issues that raw patches present. Patch Viewer is an enhancement to Bugzilla designed to fix that by offering increased context, linking to sections, and integrating with Bonsai, LXR and CVS. (174942, 215268)
  • Term Customization: Formerly, the terms “bug” and “Bugzilla” were hard-coded into many places in the templates, which made localizing a Bugzilla instance to an organization’s terminology quite difficult. This change allows this localization to be done in a single template file; the localized terms are used in all subsequent templates. (13540)
  • Comment Reply Links: In Edit Bug, each bug comment now includes a convenient (reply) link that quotes the comment text into the textarea. This feature is only enabled in Javascript-capable browsers, but causes no inconvenience to other user agents. (207754)
  • Full-Text Search: It is now possible to query the Bugzilla database using full-text searching, which spans comments and summaries, and which searches for substrings and stem variations of the search term. (145588)
  • Email Address Munging: The fact that raw email addresses are displayed in Bugzilla makes it trivial for spam-harvesting bots to spider through Bugzilla, in particular through Bugzilla’s buglists. This change allows obscuring email addresses as they appear in the Bugzilla web pages. (120030, 219216)
  • Generic Charting: Bugzilla’s new charting feature allows you to display flexible summary charts, based on configurable data sets. (16009)
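The following is an added example, in Python rather than Bugzilla’s Perl, and it is not code from Bugzilla itself. It shows the munging idea from the Email Address Munging item above together with the output-encoding point behind Bug 219216 in the manifest below (a value run through the HTML filter but emitted inside a JavaScript string shows up as “&#64;” instead of “@”): the escaping filter has to match the context the text lands in, HTML markup or a JavaScript string literal. The “(at)” rewriting scheme, the entity-encoding of “@” in the HTML filter, the function names and the sample addresses are all assumptions made for the example.

```python
import html
import json

# Constructed sample addresses for this example (not data from the page).
SAMPLE_ADDRESSES = ["alice@example.org", "bob.smith@example.net"]


def obscure_email(addr: str) -> str:
    """One possible munging scheme (an assumption, not Bugzilla's filter):
    rewrite 'local@domain' as 'local (at) domain' so harvesters that grep
    pages for user@host patterns do not find a raw address."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr
    return f"{local} (at) {domain}"


def html_filter(text: str) -> str:
    """Escape for an HTML text or attribute context.  It additionally writes
    '@' as the numeric entity &#64; (a harvester-thwarting touch).  This is
    only correct where the browser will HTML-decode the output, i.e. in markup."""
    return html.escape(text, quote=True).replace("@", "&#64;")


def js_filter(text: str) -> str:
    """Escape for the inside of a JavaScript string literal in a <script>
    block: JSON backslash escapes for quotes, backslashes and control
    characters, plus '</' -> '<\\/' so the literal can never contain
    '</script>' and terminate the script block early."""
    body = json.dumps(text)[1:-1]          # strip the surrounding quotes
    return body.replace("</", "<\\/")


def script_snippet(value: str, filt) -> str:
    """Emit a line of JavaScript assigning value to a variable, with the
    value escaped by the given filter."""
    return f'var reporter = "{filt(value)}";'


def js_string_value(snippet: str) -> str:
    """What the JS engine actually sees: decode the string literal back."""
    literal = snippet.split("=", 1)[1].strip().rstrip(";")
    return json.loads(literal)


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print("markup   :", html_filter(obscure_email(addr)))
        # Wrong filter for the context: the JS value now contains '&#64;'.
        print("html->js :", js_string_value(script_snippet(addr, html_filter)))
        # Right filter for the context: the JS value is the real text.
        print("js->js   :", js_string_value(script_snippet(addr, js_filter)))
```

The html-in-JavaScript mistake is harmless-looking here (a mangled address), but the same confusion in the other direction, JavaScript escaping used for HTML, leaves angle brackets intact and is a classic source of cross-site scripting, which is why each output context gets its own filter.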

A couple of other features were checked into the trunk, notably prefilling of the default component owner when entering a new bug, a bug alias column in the buglist page, and a “view as buglist” link for the sanity check page.

A note to users upgrading to version 2.17.5: Bug 201816 changed header output to use CGI.pm, in a step towards enabling mod_perl compatibility. This change will affect users that had customized charsets in their CGI files: previously the charset had to be added everyplace that printed the Content-Type header; now it only needs changing in one spot, in Bugzilla/CGI.pm. Alternatively, Apache’s AddDefaultCharset directive can be used.

The Road to 2.18

An update from Dave Miller, Bugzilla project leader

Bugzilla 2.16 was released on July 29, 2002. It’s been just over 15 months since then, and we still don’t have a Bugzilla 2.18. What’s the deal? This is what I get asked quite frequently these days. I’m hoping to answer that question here.

The usual way stable Bugzilla releases get planned is that we decide on a feature set that we want to have available in the next version, and then development plugs away until those features are completed. Shortly after version 2.16 came out, several of us sat down and hashed out a list of things that we thought would fit in that list for version 2.18. In hindsight, the list that we came up with turned out to be a bit much to handle. It didn’t look so bad at the time, and in fact I don’t think we “overbooked” ourselves, not if everyone’s lives had continued as they had been at that time.

What ended up happening is that a large percentage of the core contributors wound up having job changes that eliminated much of the time they used to spend on Bugzilla. We went several months with very little development actually happening. With the lack of available developers in mind, and a desire to get 2.18 out the door as soon as we could and still be able to call it “stable” in good conscience, the list of goals for version 2.18 was revisited, and significantly pared down.

We now have 2 remaining goals that have yet to be completed for version 2.18.

  • Full templatization of the Administrative interfaces (the edit*.cgi files)
  • Out-of-the-box Win32 compatibility

Many of the other items that had been on the list (such as support for PostgreSQL and Sybase, and admin-definable customized fields) will still be taken if they get completed by then, but will no longer hold up the release if they aren’t completed.

Things are getting better! The “dire situation” I painted above seems to be abating. As Christian pointed out in his introduction above, we have several new folks contributing on a regular basis. Also, my second-in-command, Myk Melez, is now employed by the Mozilla Foundation as of last month, with continued development of the entire Mozilla Webtools Suite (which includes Bugzilla) now being his primary job responsibility. In short, the future of Bugzilla once again looks very bright!

Upcoming Features

This section lists major new features that are planned for the next releases. If you would like to help out – many of these features need either planning, coding, or testing – or just want to find out what the current status is on one of these items, check out the parenthesized bug links.

  • Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
  • PostgreSQL support. (Bug 98304)
  • Sybase support. (Bug 173130)
  • Ability to add generic customized fields to bugs. (Bug 91037)
  • Customised resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system. (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
  • Wiki integration. (Bug 102685)

Apart from work on Bugzilla itself, Mike Morgan has started work on redesigning the Bugzilla website to a standards-compliant version that matches mozilla.org’s new look-and-feel. This is already underway, and we should be seeing a beta site up shortly.

Trunk Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the trunk from 2003/04/25 to 2003/11/02. This list was generated by filtering Bonsai’s output on that query.

Checkins that don’t refer to a specific bug number have been omitted, and were a significant minority. Bold italic bugs are security-sensitive bugs.

Checkin manifest:

  • Bug 209742 - describecomponents.cgi displays products for which the user can’t enter bugs
  • Bug 219044 - MySQL injection vulnerability in editkeywords.cgi
  • Bug 209376 - Can access summary for secure bug if it’s been voted on.
  • Bug 210735 - collectstats.pl broken. Removes “uninitialised value” warning.
  • Bug 224397 - Mismatch of user error: insufficient_privs vs insufficient_perms;
  • Bug 123565 - Add to FAQ: Why can’t I close bugs from “Change Several Bugs at Once” ?
  • Bug 190611 - Query page crashes if any product has no versions defined
  • Bug 220724 - Provide standalone bug submission program. Includes a python script that submits bugs to a specified Bugzilla instance.
  • Bug 216707 - Add user documentation for Patch Viewer
  • Bug 224218 - Fix wrong version in administration.xml
  • Bug 216703 - Need PatchReader note in install docs
  • Bug 217219 - Messages in votes errors are incorrectly CHOMP’d
  • Bug 223937 - web site error while updating email address
  • Bug 47925 - describe MOVED resolution in bug_status.html
  • Bug 67663 - globals.pl and CGI.pl emit “subroutine redefined” messages.
  • Bug 221039 - Separating knob in edit.html.tmpl.
  • Bug 111522 - Provide ability to specify MIME type of attachment when downloading.
  • Bug 223854 - masscc on change several bugs doesn’t honor usermatchmode
  • Bug 222204 - A mailto: link for the reporter would be very useful
  • Bug 221900 - duplicates.cgi query fails if more than one product selected
  • Bug 223093 - correcting the title on “perldoc Bugzilla::Auth::DB”
  • Bug 201294 - showdependencygraph.cgi now uses the global IsOpenedState() sub instead of its own list of which states are open.
  • Bug 218386 - add ‘view-source:’ to the link of URL protocols which automatically get hyperlinked in comments.
  • Bug 208647 - Fixes taint error in add new products code.
  • Bug 183788 - make request mail go out when a request is created and there’s no requestee but there is a cc: list
  • Bug 178624 - checksetup.pl needs to be run after copying templates to the custom directory.
  • Bug 215051 - Document the language auto-chooser.
  • Bug 218977 - “Table ‘namedqueries’ was not locked with LOCK TABLES” on ThrowUserError(‘product_edit_denied’).
  • Bug 221977 - Insecure dependency in require while running with -T switch at Bugzilla/Auth.pm
  • Bug 108528 - knob is not a defined error message and it does not help a user find the error
  • Bug 222566 - Fixing wording on enter_bug.cgi when using the create-guided template
  • Bug 108528 - knob is not defined doesn’t explain to 2001110503 users what to do
  • Bug 220034 - empty form after changing bug details
  • Bug 221391 - Bugzilla Quickstart guide could exist. Provide a QUICKSTART file, and alter README slightly to point to it.
  • Bug 219724 - typo in URL in section 4.2.5 of the guide.
  • Bug 213384 - shutdownhtml login bypass via editparams.cgi is broken under suexec.
  • Bug 220183 - post_bug.cgi could allow setting the status_whiteboard attribute. Added “status_whiteboard” to parsed attribute list.
  • Bug 221264 - Making no changes shouldn’t affect Last modified
  • Bug 219086 - use method=”post” on the “My Votes” page to submit changes to votes
  • Bug 65316 - Typos on edit*.cgi. Change use of PutTrailer() (and the default output, in certain cases) in the edit pages.
  • Bug 76157 - Give proper error message on non-numeric sortkey when editing milestones.
  • Bug 219659 - Misleading wording describing severity “blocker” on Bugzilla Helper form.
  • Bug 152748 - Make lack of sidebar support suggest Mozilla instead of Netscape as an upgrade.
  • Bug 177449 - When changing email address, old email address confirmation was case sensitive
  • Bug 129315 - incorrect column definition for bugs.delta_ts; adds ‘not null’ constraint
  • Bug 219216 - Javascript improperly using FILTER html instead of FILTER js causing data with @ produced by javascript to show up as &#64.
  • Bug 218569 - Clean up reporting UI.
  • Bug 219170 - single letter s missing on https://bugzilla.mozilla.org/bug_status.html
  • Bug 180257 - incorrect padding around words on “cancel email address change” page
  • Bug 208699 - Move Throw{Code,Template}Error into Error.pm.
  • Bug 120030 - Bugzilla bug lists are a spammer’s paradise.
  • Bug 215918 - All graphs that show numeric value on x-axis are useless and misleading. We now sort numerical fields numerically.
  • Bug 169354 - add “Windows Server 2003” - OS
  • Bug 217632 - Remove @@@ comment from message.html.tmpl.
  • Bug 218523 - undefined warning in query.cgi.
  • Bug 218515 - fix tree bustage from bug 207044.
  • Bug 207044 - Filter more template directives. None of these are security bugs, but they need fixing anyway.
  • Bug 145588 - adds full-text search option for more accurate finding of individual bugs via words that appear in their descriptions/comments/summaries.
  • Bug 215729 - “Column ‘value’ cannot be null” trying to upgrade chart data.
  • Bug 217422 - “0” was missing in “votes: 0” (MySQL 4 compatibility)
  • Bug 165366 - When editparams is used to shutdown Bugzilla, provide a link back to editparams
  • Bug 65383 - Clean up milestone prefs - currmilestone and nummilestones are obsolete
  • Bug 190040 - sanitycheck now has “view as buglist” links after lists of bugs as well as all listed bugs linked
  • Bug 217242 - CheckIfVotedConfirmed tripped Table ‘fielddefs’ was not locked with LOCK TABLES [for statement ``SELECT fieldid FROM fielddefs WHERE name = ‘bug_status’’’]
  • Bug 207754 - It should be possible to produce a quoted reply to a comment. Adds a reply link that uses JS to paste in a quoted comment into the comment textarea.
  • Bug 199502 - It’s possible to take down Bugzilla by changing the languages param
  • Bug 213577 - New reporting imports old series with wrong status query.
  • Bug 217485 - displays query in the “please wait” server push page if the “debug” parameter is set in the URL.
  • Bug 217256 - “No Interdiff Notification message has two run on words.” Patch adds newlines where they are needed.
  • Bug 217029 - creates appropriate date string if string is empty now that Date::Parse 2.27 doesn’t do it for us auto-magically.
  • Bug 217103 - page.cgi passes the correct pathname prefix in the correct place, so it actually works now.
  • Bug 160422 - If data/versioncache is not readable, pretend it’s expired and rebuild it.
  • Bug 192385 - Bug ID wordwrapped in change-several-bugs page if window was narrow
  • Bugs 171127 and 192512 - bug_email.pl was still using the old groups system and also the old outgoing mail system. This patch brings it up to date.
  • Bug 139011 - Improve buglist colors further.
  • Bug 215268 - Check for PatchReader as a part of the installation and disable the “Diff” links if it is not there.
  • Bug 216019 - Change various sentences in BugMail.pm
  • Bug 215962 - Missing {} around implied hash reference in params to ThrowUserError.
  • Bug 204560 - display alias in long listing.
  • Bug 212095 - checksetup.pl gets confused by newer DBD::mysql quoting of table values.
  • Bug 120030 - adds template filter for obscuring email addresses.
  • Bug 214558 - Don’t spew “which: program not found” errors all the time
  • Bug 174942 - Patch Viewer, a pretty way of viewing and manipulating patches. Requires PatchIterator to be installed, classes uploaded to that bug and will be soon in CPAN.
  • Bug 153583 - Links to obsoleted attachment should use line-through style
  • Bug 211435 - Fix “Table ‘namedqueries’ was not locked with LOCK TABLES” error.
  • Bug 206558 - What happened when multiple items were selected on a multi-select box wasn’t clear.
  • Bug 183898 - checksetup.pl doesn’t accept admin passwords with dots.
  • Bug 213079 - When severity or priority are hidden, CSS class names are incomplete in buglist.
  • Bug 98147 - disables “View All Attachments” link if there are no attachments to view.
  • Bug 178935 - Eliminating the “Add another user” link on the confirmation screen after editing a user if the user doing the editing doesn’t have permission to add users.
  • Bug 213085 - importxml.pl tries to convert qa_contact from a name to an ID when it’s already an ID
  • Bug 147480 - Lack of newlines when asking for password in checksetup.pl.
  • Bug 82172 - Don’t allow empty bug summaries.
  • Bug 95759 - localconfig.js contains strings of equals signs (===).
  • Bug 207206 - doeditparams.cgi XHTML compatibility.
  • Bug 122365 - Allow installation definable LDAP filters.
  • Bug 204798 - Total in graph report is incorrect.
  • Bug 203444 - Add request for about:buildconfig to Bugzilla Helper.
  • Bug 212361 - Additional Comments date had month and day swapped in bug change emails
  • Bug 185066 - The OS “BSDI” should be “BSD/OS”… Patch changes the default in localconfig; admins will have to change existing installations manually.
  • Bug 107580 - Add space to front of “New:” designator on bugmail so it will always sort before changed mails in an alphabetical subject listing in user mailboxes.
  • Bug 211758 - checksetup.pl was trying to use params that didn’t exist yet because it was loading Bugzilla::Series at compile time (use). Now pulls in Bugzilla::Series at runtime (require) after initializing the params.
  • Bug 13540 - allow key terms, like “Bugzilla” and “bug”, to be altered without changing all the templates.
  • Bug 194347 - Updating MacOS X hints to specify that the GD patch is no longer required (when using the gd2 package) and also recommend using fink to install expat.
  • Bug 211126 - As a part of fixing bug 180642 the directions for using LDAP authentication have changed.
  • Bug 211127 - use proper path to Perl.
  • Bug 201955 - The method for specifying a charset has changed now that we use CGI.pm for header output (bug 201816).
  • Bug 206498 - Add a warning that Bugzilla upgrades are irreversible and that backups should be made.
  • Bug 210248 - Missing “my” in SMTP code for win32 instructions.
  • Bug 193575 - Internal server error from votes.cgi.
  • Bug 16009 - generic charting.
  • Bug 204631 - enhances config.cgi to generate a list of queryable fields so third-party clients can populate search forms with the list.
  • Bug 210324 - s/->err/->error/.
  • Bug 77192 - MOVED is not handled properly on queryhelp.cgi.
  • Bug 207096 - minor spelling fixes for Bugzilla/Search.pm
  • Bug 208620 - Fix return value of Bugzilla->login when user already exists.
  • Bug 208583 - Remove PerformSubsts from templates.
  • Bug 205463 - Tokens aren’t canceled after a successful login.
  • Bug 180635 - Enhance Bugzilla::User to store additional information
  • Bug 207085 - Updating a stored query shouldn’t return the same message as creating one
  • Bug 37749 - query for changes to specific field in last n days not working. Rearrange time-based query UI to be more sane.
  • Bug 84876 - Mentioned the wrong bug number, also making it a link.
  • Bug 145965 - Mention the sendmail -> SMTP change for Bugzilla on win32
  • Bug 199129 - Replace installation list w/a link to the installation list on the web page
  • Bug 191034 - Making the installation chapter a little more generic. Replaced a lot of OS Specific hints with links to the OS Specific section.
  • Bug 204724 - ExcludeSelf doesn’t work with an email containing capital letters.
  • Bug 195977 - Add ability to show alias column in buglist
  • Bug 203314 - Clean up 's, links to bugs and extra spaces in sentences.
  • Bug 204592 - invalid column name error.
  • Bug 204964 - Make attachment view work again.
  • Bug 190864 - Fix ordering of ‘ and > that I thought I had done earlier.
  • Bug 203867 - Add regular expression references to glossary.
  • Bug 201816 - use CGI.pm for header output
  • Bug 204104 - internal error in Search.pm when searching for invalid keywords/email.
  • Bug 204008 - checksetup.pl didn’t set permissions on the js directory
  • Bug 72837 - a script that generates configuration information for a Bugzilla installation.
  • Bug 200198 - user-error.html.tmpl’s use [% changedsince %] instead of $changedsince
  • Bug 195607 - Minimum width code gets it wrong.
  • Bug 197171 - report.cgi: Use of uninitialized value in numeric lt.
  • Bug 180086 - Rename ‘count’ column in votes tables.
  • Bug 203540 - RenameField doesn’t get NULL/NOT NULL correct.
  • Bug 202463 - prefill ‘assign to’ with default component owner.
  • Bug 203080 - New version of LDAP to Bugzilla account sync script.
  • Bug 203318 - 008filter.t fails to do chdir $topdir - if @Support::Templates::include_paths returns more than one path
  • Bug 203160 - mod_throttle has a new URL.

Stable (2.16) Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the branch from 2003/04/25 to 2003/10/30. This list was generated by filtering Bonsai’s output on that query (with some manual adjustments).

Very few checkins were made without reference to any specific bugs, mainly test bustage fixes and documentation updates. Bold italic bugs are security-sensitive bugs.

Checkin manifest:

  • Bug 219690 - When deleting products and usebuggroups is set, blessgroupset is not updated
  • Bug 219044 - MySQL injection vulnerability in editkeywords.cgi
  • Bug 209376 - Can access summary for secure bug if it’s been voted on.
  • Bug 214290 - collectstats.pl does not add 's to SQL queries for quotes.
  • Bug 123565 - Add to FAQ: Why can’t I close bugs from “Change Several Bugs at Once” ?
  • Bug 223937 - web site error while updating email address
  • Bug 178624 - checksetup.pl needs to be run after copying a template to the custom directory.
  • Bug 220332 - Insecure dependency in exec while running with -T switch at process_bug.cgi line 1267
  • Bug 221626 - Fix for Mozilla-specific report template.
  • Bug 219724 - typo in URL in section 4.2.5 of the guide.
  • Bug 213384 - shutdownhtml login bypass via editparams.cgi is broken under suexec.
  • Bug 219508 - processmail rescanall would not send e-mails about more than one bug to the same address
  • Bug 217422 - “0” is missing in “votes: 0” (MySQL 4 Compatibility)
  • Bug 160422 - If versioncache isn’t readable, pretend it doesn’t exist and recreate it. This tends to happen after cron jobs run as a user other than the webserver.
  • Bug 177828 - Fixes taint warning from post_bug with perl 5.8
  • Bug 212095 - DBD::mysql versions after 2.1026 return the table list quoted, which broke the existing “table exists” check.
  • Bug 146087 - ‘sendmailnow’ should be on by default.
  • Bug 190864 - Fix the ordering of the ‘ and >.
  • Bug 203318 - 008filter.t fails to do chdir $topdir - if @Support::Templates::include_paths returns more than one path
  • Bug 203160 - mod_throttle has a new URL
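Two of the stable-branch fixes above name classes of bug that recur in Perl CGI code: a MySQL injection in editkeywords.cgi (bug 219044) and an "Insecure dependency in exec" under taint mode (bug 220332). The script below is an added illustration of those two classes in general, written for this page; it is not Bugzilla's code, the actual vulnerable lines, or the checked-in fixes, and the table layout, column names and the "keyword name" parameter are constructed stand-ins. It uses an in-memory SQLite database via DBD::SQLite so it runs offline, and the taint demonstration only shows a difference when run as `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example, not Bugzilla code: string-built SQL versus bound parameters,
# and untainting input before it may reach exec/system under perl -T.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Constructed sample table standing in for a keyword-definitions table.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE keyworddefs (id INTEGER PRIMARY KEY, name TEXT, description TEXT)");
$dbh->do("INSERT INTO keyworddefs VALUES (1, 'crash', 'Crashes the browser')");
$dbh->do("INSERT INTO keyworddefs VALUES (2, 'regression', 'Worked in a previous build')");

# Simulated CGI parameter. Under -T every value in %ENV is tainted at startup,
# and an empty substr() of a tainted value is still tainted, so concatenating it
# gives the literal the same taint a real form field would carry.
my $tainted_empty = substr($ENV{PATH} // '', 0, 0);
my $name = "crash' OR '1'='1" . $tainted_empty;

# Vulnerable pattern: the parameter is interpolated into the statement text,
# so the attacker's quote ends the literal and the OR clause matches every row.
sub lookup_vulnerable {
    my ($dbh, $name) = @_;
    my $rows = $dbh->selectall_arrayref(
        "SELECT id FROM keyworddefs WHERE name = '$name'");
    return scalar @$rows;   # 2 with the sample input above
}

# Fixed pattern: a placeholder sends the value as data, never as SQL.
sub lookup_fixed {
    my ($dbh, $name) = @_;
    my $rows = $dbh->selectall_arrayref(
        "SELECT id FROM keyworddefs WHERE name = ?", undef, $name);
    return scalar @$rows;   # 0: no keyword is literally named "crash' OR '1'='1"
}

# Taint mode: passing $name to exec/system/open dies with "Insecure dependency".
# The accepted idiom is to validate against a strict pattern and keep only the
# capture, which perl treats as untainted. Reject anything that does not match
# rather than stripping characters.
sub untaint_id {
    my ($raw) = @_;
    my ($id) = $raw =~ /^(\d{1,9})$/ or die "invalid id: not a small integer\n";
    return $id;
}

printf "vulnerable query matched %d rows, bound query matched %d rows\n",
    lookup_vulnerable($dbh, $name), lookup_fixed($dbh, $name);

my $id = untaint_id("42" . $tainted_empty);
# Under perl -T this prints "input tainted: 1, untainted id tainted: 0";
# without -T both are 0 because taint tracking is off.
printf "input tainted: %d, untainted id tainted: %d\n",
    tainted($name) ? 1 : 0, tainted($id) ? 1 : 0;
```

The check a reviewer wants on any CGI handling a parameter is that it reaches the database only through `?` placeholders (or `$dbh->quote`) and reaches `exec`, `system`, or a file path only after a whitelist match like `untaint_id`; taint mode turns a missed case of the second kind into a hard failure, which is the error message bug 220332 reports.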

Conclusion and Credits

Well, that’s it for this status update. We’d like to thank everybody who submitted a patch, helpful comment or bug to Bugzilla – it’s very much appreciated, even when everybody’s too busy to stop and say “great work”; we always mean it! Let’s work together to make 2.18 the killer release we all want it to be.

[Christian: I should also really mention Paul Reed, who (apart from preparing many of our previous status updates) provided the bug manifests for this one – no, actually, I stole them!]