Blog

Want to always keep up-to-date with Bugzilla news? Subscribe to announce@bugzilla.org, a read-only mailing list where we'll post announcements about new versions of Bugzilla and security advisories.

You can also see what's going on in the project by looking at the notes of, or watching the video of, our monthly developer meetings.

13. October 2004

Brazilian Portuguese localization updated for 2.18rc2

by Bugzilla Team

Felipe Gaúcho has announced the availability of the 2.18rc2 version of the pt_BR localization pack. You can find it listed on the Bugzilla download page or on the Brazilian localization project site.

The localization pack is also available via Sourceforge’s CVS. Access details are on the project site.

22. September 2004

Bugzilla-Submit 0.6 Released

by Bugzilla Team

Christian Reis has released a new version of bugzilla-submit, a command-line utility to post new bugs to a Bugzilla installation. This version fixes issues with .netrc parsing of base URLs, Python version checking and processing of Operating-System and URL fields. It also includes text and manpage versions of the documentation (which was only available as XML source in previous versions).

Note that bugzilla-submit requires Python 2.3. Bug reports should go to bugzilla.mozilla.org.

27. July 2004

Bugzilla 2.18rc2 Released

by Bugzilla Team

Our second release candidate for Bugzilla 2.18 is now available. There are a few major issues addressed that snuck into 2.18rc1, so if you’re already running 2.18rc1, an upgrade is strongly recommended. Information about what’s new and what’s still left to fix is on the 2.18 Release Status page.

10. July 2004

Status Update

by Zach Lipton (zach)

Introduction and Updates

Welcome to the new Bugzilla status update, covering the four months since our last update and the release of Bugzilla 2.17.7. In this update, the Bugzilla Team is pleased to announce the release of Bugzilla 2.18, Release Candidate 1 (rc1), and Bugzilla 2.16.6, the latest maintenance release in the current stable series.

We are also pleased to announce the new Bugzilla Website, thanks to the efforts of Mike Morgan and the Bugzilla Team. The new site is designed to more closely match the look and feel of the mozilla.org website and is standards-compliant.

As usual, we’d like to remind all Bugzilla administrators that to assist them in keeping up-to-date with release announcements and security advisories, we provide an ultra-low-volume administrator mailing list ([email protected]). We advise all Bugzilla administrators to subscribe so they can keep up with important Bugzilla announcements.

Those looking to get involved with Bugzilla development may want to consider joining the developers list ([email protected]). This list offers discussion on new features and issues. Developers are invited to subscribe to the list.

New Releases

2.18rc1

This release is a developers’ release and is not recommended for production use, but all existing users of the 2.17 development branch are strongly encouraged to upgrade to 2.18rc1, both for the increased stability and new features, and for the security updates described below. 2.18rc1 is the first Bugzilla release to support operation on Microsoft Windows servers with no modifications to Bugzilla itself.

2.16.5

All users of the 2.16 stable branch are encouraged to update their production installations to 2.16.6 for security reasons. More details on the security vulnerabilities fixed in this update are available in the 2.16.5 Security Advisory. See the check-in manifest at the bottom of this status update for a list of changes.

They are also requested to test their installations with 2.18rc1 using a backup copy of their database, in order to help us make the best 2.18 final release. Since 2.16 was originally released, Bugzilla has come a long way. This list shows many of the major new features that have been added to the 2.17 development branch. Those using 2.16 should take a look at this list for an indication of what will be new in 2.18.

The 2.16 branch will be retired with the release of Bugzilla 2.22, scheduled for approximately April 2005. Administrators using the 2.16 branch are encouraged to investigate migration to the 2.18 stable branch when 2.18 is released.

2.14

We would like to remind all administrators running Bugzilla instances from the old 2.14 branch that this branch has been retired, and is no longer being supported actively by the team. We strongly recommend upgrading to a stable version (either 2.16.5, or 2.18 when it is released) to ensure security and proper operation, and for the new features provided by this branch.

New Features Since the Last Status Update

Several new features are available for testing in our release candidate, 2.18rc1. The following items describe the most important of these changes since the previous status update, and the manifest at the end of this document describes the full list of changes.

  • All remaining static HTML pages (with the exception of QuickSearch) have been converted to template files processed by page.cgi. This feature allows all pages in Bugzilla to be localized (bug 170213).
  • A preference panel for the management of saved searches was added to the User Preferences page (bug 232176).
  • Buglists can now be exported as calendars in the icalendar format (bug 235459).
  • The “noresolveonopenblockers” parameter was added to allow administrators to prevent a bug being closed when it has open dependencies (bug 24496).

Major New Features Since 2.16

Users upgrading from 2.16 may be interested in a list of major new features since the 2.16 release.

Date-Based Releases and More

An update from Dave Miller, Bugzilla project leader, on the new date-based release scheme:

Well, today we’re finally releasing our first release candidate for Bugzilla 2.18.

It’s been a long time coming. It’s been just shy of 2 years since Bugzilla 2.16 was released. This is a contributing factor to why this release is just now coming, even after our feature freeze on March 15th has now passed us by almost 4 months.

There are a lot of new features in 2.18. Large substantial humungous chunks (am I repeating myself?) of Bugzilla code have been reorganized and rewritten since 2.16. Bugzilla’s underpinning now features substantial amounts of well-organized object-oriented Perl code. We’re not there, yet, though. There’s still a pretty good chunk of it (post_bug, process_bug, and the administrative utilities) that are still the old code that’s had extra stuff hacked into it for years. :) And therein lies our challenge for the next few releases.

There are quite a number of new features that are almost ready to land on the trunk. Several of them have been put off for the last 4 months because they would violate our feature freeze to check them in. Those will start landing over the next few weeks, now that what will become 2.18 is living on a branch in CVS.

We announced a while back that the 2.18 Release would start us on a 6-month release cycle. Following that schedule, our feature freeze for 2.20 will be on September 15th, 2004. Yes, that’s only 2 months from now. I don’t expect the freeze to last 4 months again like it did for 2.18. For 2.18 we had 2 years worth of cleaning up to do. :) Since we only have 2 months of development time between now and the 2.20 freeze, it can’t get that bad. So we should be able to expect to see Bugzilla 2.20 in final release form by mid-October.

Even with all of that going on, we’re not done with 2.18 yet. Today’s release is just a candidate. It will evolve with your help, as you test it and point out any regressions we need to fix. There will be a second release candidate in a week or two, after we knock off any major regressions anyone reports. The second candidate will also get a week or two of testing before being declared the final release.

We have a few flags on the bugs for dealing with this. If a bug you report is something that you think is important to have fixed in 2.18, set the “blocking2.18” flag to the question mark (“?”) setting. This will send a message to me asking me to evaluate it. If I (or Myk) set it to “+”, that means we’ve agreed, and attempts will be made to get it fixed on the 2.18 branch so it can be included in the final 2.18 release. Similarly, once a patch is ready to go, it must get a “+” on the “approval2.18” flag (set by Myk or myself) before it can be checked in on the branch. Please do request that if you have something blocking 2.18 after you get it reviewed.

Before I sign off here, I want to take a moment to profusely thank Mike Morgan for the work he’s done on our website over the last couple months. This is a really wonderful new website he cooked up for us! :) If you have any feedback on the new site design, or find any dead links that need to be fixed, please post on the mozilla-webtools mailing list. (See the support page to find out where to subscribe).

Upcoming Features

This section lists major new features that are either in progress or have some amount of work toward them completed already, but have not yet landed in CVS. If you would like to help out – many of these features need either planning, coding, or testing – or just figure out what the current status is on one of these items, check out the parenthesized bug links.

  • Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
  • PostgreSQL support. (Bug 98304)
  • Oracle support. (Bug 189947)
  • Ability to add generic customized fields to bugs. (Bug 91037)
  • Customized resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system. (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
  • Wiki integration. (Bug 102685)

Trunk Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the trunk from 2004/03/03 to 2004/07/8. This list was generated by filtering Bonsai’s output on that query.

Checkins that don’t refer to a specific bug number have been omitted, and were a small minority. Bold bugs are security bugs.

Checkin manifest:

  • Bug 236296 - Fix Build Identifier on guided entry form
  • Bug 236567 - Update the documentation describing the Perl modules installation on Windows using ppm
  • Bug 236019 - Make request.cgi use $cgi->param instead of %::FORM
  • Bug 236443 - Respect customization of customized words in create.html.tmpl
  • Bug 234879 - Remove %FORM from editkeywords.cgi
  • Bug 234875 - Use ->param in quips.cgi
  • Bug 220814 - Add to FAQ: How to upgrade Bugzilla from CVS
  • Bug 236634 - Move colon out of anchor text in “Target Milestone:” in show_bug
  • Bug 235278 - Eliminate %::FORM from userprefs.cgi
  • Bug 236652 - Fix libgdi typo in section 2.4.2 of the docs
  • Bug 232141 - Add all saved searches to footer until linkinfooter UI returns
  • Bug 170213 - Make static HTML files into page.cgi pages. This does votehelp.html (-> id=voting.html), bug_status.html (-> id=fields.html) and bugwritinghelp.html (-> id=bug-writing.html)
  • Bug 232176 - Add a preferences panel for saved searches, to allow management all in one place
  • Bug 143490 - Eliminate unsupported calls from checksetup.pl when running in Windows
  • Bug 236322 - Trivial inaccuracy in description of “find a specific bug” search corrected (the search doesn’t really search summaries, so I’ve removed the text that says it does).
  • Bug 178162 - Move the vote checkbox to the left
  • Bug 236664 - Make checksetup.pl print good install instructions for Perl modules on win32
  • Bug 232491 - Try harder to avoid parameterless searches (either saved or otherwise)
  • Bug 237540 - Remove unused hidden field from edit-multiple
  • Bug 235459 - Add icalendar output format in buglist
  • Bug 237646 - Fix for regression in userprefs.cgi that disallowed users to change their password via this page
  • Bug 236424 - Allow showdependencies trees to collapse. Adds [optional] Javascript-enabled +/- controls that allow branches in the dependency tree to collapse.
  • Bug 232397 - .bz_obsolete shouldn’t specify “underline”. Define specific bz_obsolete/closed/inactive classes (that don’t specify underline, but line-through instead) and additional Template filters for conveniently applying them
  • Bug 237757 - Resolved bugs are no longer struck out on dependency trees. Includes a global CSS file that defines the relevant bz_* classes and adds a link to it from the global header template
  • Bug 192516 - Moving the loose .pm files into the Bugzilla directory, where they belong. These files pre-date the Bugzilla directory, and would have gone there had it existed at the time. The four files in question were copied on the CVS server to preserve CVS history in the files.
  • Bug 24496 - Adds a parameter “noresolveonopenblockers” which when enabled, prevents bugs from being closed if there are any bugs blocking it which are still open.
  • Bug 132066 - Add a note to the login page about needing cookies for a good user experience
  • Bug 237864 - Clean up leftover issues from the bug 192516 checkin (some occurrences of Token got missed)
  • Bug 203869 - Update documentation to better describe group controls
  • Bug 237513 - Change password uses semi empty field
  • Bug 237514 - Confirmed email address is missing
  • Bug 237517 - Inconsistent spelling of cancelled or canceled
  • Bug 237772 - Instances of “a terms.bug” should be replaced with “terms.abug” also fix the spelling of decipher
  • Bug 234293 - Complete the conversion from “query” terminology to “search” terminology
  • Bug 238025 - Generate HTML table header in editkeywords.cgi even when there are no keywords defined
  • Bug 179351 - Improve variable scoping issues in order to fix a bug causing oddly formatted dependency emails
  • Bug 228423 - Document adjustment of MySQL 4GB default table size limit
  • Bug 232338 - Make the footer wrap cleanly, so it doesn’t over-widen the page
  • Bug 238033 - Eliminate HTML closing tags that haven’t been opened and fix an indentation issue
  • Bug 126252 - Add the gnatsparse Python script to the contrib directory
  • Bug 207039 - Add documentation explaining how to install bugzilla under regular user privileges
  • Bug 233246 - Improve documentation on enter_bug comment formatting templates.
  • Bug 224420 - Documentation for new reporting and charting systems.
  • Bug 237515 - Change ‘also’ to ‘too’ in the watching help page
  • Bug 237840 - Eliminate case sensitivity for “attachment N” linkification
  • Bug 238282 - An incorrect bugword
  • Bug 236650 - Clarify choice of install directory in docs
  • Bug 238396 - Update the README file for the gnatsparse project
  • Bug 238506 - Fix checksetup.pl so that it does not fail if an upgrading site never changed a groupset
  • Bug 218206 - Document ft_min_word_len MySQL param for indexing small words in full-text indexes and fix several typos in documentation
  • Bug 127862 - Have sanitycheck.cgi use perl to evaluate email regexp
  • Bug 238669 - Add a space between ‘entered’ and ‘(‘ in illegal_email_address error
  • Bug 238656 - Reword the “Account self-creation” error message
  • Bug 238673 - Add missing article in change email address page
  • Bug 238677 - Fix wording of the “require_new_password” message
  • Bug 238683 - Fix for usage of uninitialized value in concatenation in Bugzilla/CGI.pm
  • Bug 238693 - Replace deprecated v-strings with calls to the pack() function
  • Bug 177224 - Update installation docs to note XUL and RDF MIME types
  • Bug 181589 - Add mass-remove to editgroups
  • Bug 232097 - Use an entity reference for the landfill base URL in the demos, to make it easy to change each release.
  • Bug 237369 - Implement relatively simple changes from %FORM to $cgi->param variable
  • Bug 226764 - Move InvalidateLogins into Bugzilla::Auth::CGI. Consolidates the logout code into Bugzilla::Auth::CGI, and provides simple front-end wrappers in Bugzilla.pm for use in the CGIs we have. Adds a set of constants to the logout() API which allow specifying “how much” we should log out – all sessions, the current session, or all sessions but the current one. Fixes callsites to use this new API; cleans and documents things a bit while we’re at it. Part I in the great COOKIE apocalypse.
  • Bug 226754 - Move InvalidateLogins into Bugzilla::Auth::CGI. Consolidates the logout code into Bugzilla::Auth::CGI, and provides simple front-end wrappers in Bugzilla.pm for use in the CGIs we have. Adds a set of constants to the logout() API which allow specifying “how much” we should log out – all sessions, the current session, or all sessions but the current one. Fixes callsites to use this new API; cleans and documents things a bit while we’re at it. Part I in the great COOKIE apocalypse.
  • Bug 234175 - Remove deprecated ConnectToDatabase() and quietly_check_login()/confirm_login() calls. Cleans up callsites (consisting of most of our CGIs), swapping (where appropriate) for calls to Bugzilla->login
  • Bug 235265 - Getting rid of some unwanted form value dumps.
  • Bug 233962 - UserInGroup() should not accept a second parameter any longer
  • Bug 238860 - Remove %FORM from editversions.cgi
  • Bug 237778 - Update filter list in t/004template
  • Bug 238867 - Remove one last %FORM from quips.cgi
  • Bug 238650 - Reword duplicate of self error message
  • Bug 237508 - Have checksetup.pl specify which perl to use (the same one it’s running under) when giving instructions how to use CPAN to install needed modules.
  • Bug 189156 - Explain quip moderation in documentation.
  • Bug 146087 - Set the default of the sendmailnow param to ON on the trunk as well
  • Bug 236926 - Supply a missing $cgi-header in buglist.cgi
  • Bug 232554 - Fix SQL queries in Flag.pm in order to fix a bug that causes flags to remain set but inaccessible when product changes.
  • Bug 220817 - Add to FAQ documentation for ‘Why do I have to log in every time I access a page?’.
  • Bug 238874 - Remove %FORM and %COOKIE from colchange.cgi. Does precisely that, swapping them for references to cgi->param/cookie.
  • Bug 233295 - Document terminology customization feature
  • Bug 238352 - Remove alphabetical sorting from some fields in reports (e.g. priority) and keep them in a sensible order instead
  • Bug 239346 - Add hook at end of comments
  • Bug 239255 - Update docs in order to specify that $webservergroup is the group of the webserver, not the user
  • Bug 14887 - Put
  • Bug 239576 - Make sure detaint_natural is always called with a defined value in editkeywords.cgi
  • Bug 230293 - Send CSV buglists with “Content-Disposition: attachment”
  • Bug 237176 - Allows power users to display relevance values as a column in the search results for a fulltext search
  • Bug 238862 - Remove %FORM and %COOKIE from enter_bug.cgi
  • Bug 238864 - Remove %FORM and %COOKIE from move.pl
  • Bug 192775 - Rearrange parameter order in token URLs to make them always fully linked in some MUAs
  • Bug 233245 - Update documentation of formats to include ctypes as well
  • Bug 239885 - Don’t display the sendmail message if the current platform is Windows
  • Bug 239912 - Make bug_email.pl work with useqacontact
  • Bug 239826 - Support closing resolved bugs when changing multiple bugs
  • Bug 224698 - Remove localconfig variable mysqlpath
  • Bug 87770 - Make attachment.cgi work with no parameters
  • Bug 240228 - Improve the format of the error message displayed by checksetup.pl when the MySQL requirements are not satisfied
  • Bug 238865 - Remove %FORM from page.cgi. Does so, fixing the linked page template and adding a code error for the “bad id provided” case
  • Bug 194332 - Fix spelling that caused error message mismatch for the “invalid_maxrows” error message
  • Bug 233245 - Replace “variable” with “constant” since there is no contenttypes variable in Constants.pm.
  • Bug 240219 - Display valid PPM commands when using PPM version 2
  • Bug 240060 - Stop yelling at people about the minimum sendmail version
  • Bug 224477 - Make webservergroup default to apache on new installs
  • Bug 238869 - Remove %FORM from votes.cgi.
  • Bug 240439 - “Edit user again” link didn’t work if the user had a + in their email address
  • Bug 240434 - Replace increased with improved on the login page
  • Bug 237638 - Make bugzilla_email_append.pl work with BugMail.pm instead of processmail
  • Bug 192571 - Empty default owner (assignee or QA) causes “Reassign bug to owner and QA contact of selected component” to NOOP
  • Bug 240004 - Limit the password generation subroutine to nice characters only
  • Bug 241516 - Remove possible namespace conflicts in the additional CSS classes for bugid, component, and status on show_bug
  • Bug 234540 - “Take bug” on create attachment screen missed an API change to BugMail which caused it not to mail the previous bug owner about the change.
  • Bug 237838 - Make sure CheckCanChangeField() always gets correct resolution
  • Bug 241259 - Add a CSS tag for ‘Additional Comments’
  • Bug 242740 - URL to Bug Writing Help document changed
  • Bug 204042 - Taint issues in perl 5.6.0 that were causing an Internal Error to occur after adding an attachment.
  • Bug 240486 - Makes the banner template CSS friendly
  • Bug 231975 - Avoid naming new product groups the same as existing groups and do not rename product groups on product rename.
  • Bug 240036 - Unlock tables after address error before attempting to process footer
  • Bug 227785 - Add navigation/summary/last-modified after modifying a bug
  • Bug 232861 - Prevent references to bugs or comments from being expanded in attachment links
  • Bug 226477 - Fix undefined method call in Bugzilla::User->in_group
  • Bug 226411 - Make DiffStrings handle fields with duplicate values
  • Bug 238675 - Improved wording for the reassign-to-entry error message
  • Bug 239263 - User.pm should always use the main database to avoid a potential error
  • Bug 244053 - Improve grammar in checksetup.pl
  • Bug 244045 - --no-silent option for checksetup.pl
  • Bug 217627 - Fixes error that occurred with bug aliases starting with zero
  • Bug 208847 - Fixes taint errors in editgroups.cgi
  • Bug 141006 - Runs all edit* cgi scripts in taint mode
  • Bug 244650 - Fix searches on commentators when searching for other email addresses
  • Bug 227172 - Fixes a potential race condition when users change their email address
  • Bug 243351 - Prevents an issue of MySQL version sensitivity in case sensitive searches
  • Bug 183753 - Make collectstats.cgi work on Win32
  • Bug 179671 - Fix boolean charts
  • Bug 223541 - Make flags appear correctly in “view all attachments” mode
  • Bug 240079 - Improved wording in README file
  • Bug 242161 - Adds a patchviewer(“diff”) link to process_bug.cgi
  • Bug 240252 - Improved wording in editproducts.cgi
  • Bug 245976 - Fixes an error that occurred when trying to add a milestone
  • Bug 240325 - Update regexp-based groups
  • Bug 160210 - Fixes Mac OS X detection and adds 10.1 and 10.2 to the OS list
  • Bug 246599 - Adds Mac OS 10.3 (Panther) to the OS list
  • Bug 142744 - Makes the test suite work on Win32
  • Bug 246328 - Make editmilestone.cgi check for invalid sortkeys
  • Bug 246778 - Fixes an error that occurred with ThrowUserError and timetracking
  • Bug 247209 - Improves OS detection for Solaris
  • Bug 247192 - Improves OS detection for StarOffice on Solaris SPARC
  • Bug 225359 - Allows dependency graphs to work on Win32
  • Bug 245924 - Uses HTML 4 and CSS formatting for the Bugzilla footer
  • Bug 248685 - Fixes the lack of terms in the header of showdependencytree.cgi
  • Bug 248001 - Converts boolean conditions in SQL statements to improve database independence
  • Bug 245101 - Fixes warnings that occurred from upgrades from 2.14.x without going through a 2.16.x version
  • Bug 239343 - Adds the sendbugmail.pl script to contrib/ for external scripts that need processmail’s functionality
  • Bug 243463 - Use a param to prevent charts from leaking secure information
  • Bug 223878 - Avoids problems that occur when changing a deleted flag
  • Bug 249802 - Document granting of permissions to a MySQL user for MySQL 4
  • Bug 245077 - The “find a specific bug” tab is now the default when loading query.cgi, the script will remember the previously selected tab and display it when query.cgi is loaded again.
  • Bug 248988 - Prevents a possible error with attachments on Win32
  • Bug 249863 - Fix invalid HTML in create.html.tmpl
  • Bug 190432 - Avoids using non-ANSI SQL when saving a named query
  • Bug 250265 - Fix taint errors with vote fields when editing products
  • Bug 227191 - Prevents the database password from being disclosed when the SQL server is halted and the webserver is left running in 2.17.x releases.
  • Bug 233486 - Fixes a privilege escalation in 2.17.x releases where a user with privileges to grant membership to one or more individual groups (i.e. usually an administrator) can trick the administrative controls into granting membership in groups other than the ones he has privileges for.
  • Bug 234825 - Prevents an information leak in all versions of Bugzilla where duplicates.cgi can disclose the names of products to which the user does not have access.
  • Bug 234855 - Prevents an information leak in all versions of Bugzilla where the form for mass-editing bugs can list products to which the user does not have access.
  • Bug 235265 - Prevents a Cross-Site Scripting vulnerability in several administrative scripts.
  • Bug 235510 - Avoids a potential user password compromise in versions 2.17.5 through 2.17.7 where the user password could be visible in web server logs when accessing a chart.
  • Bug 244272 - Fixes an issue where a user with permission to grant membership to any group (i.e. usually an administrator) could cause editusers.cgi to execute arbitrary SQL.

Stable (2.16) Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the branch from 2004/03/03 to 2004/07/08. This list was written from Bonsai’s output on that query.

Bold bugs are security bugs.

Checkin manifest:

  • Bug 236567 - Update the documentation for installing perl modules with PPM
  • Bug 220814 - Update the FAQ to explain how to update Bugzilla from CVS
  • Bug 207039 - Improve documentation on installing Bugzilla with regular user privileges
  • Bug 237591 - Allows XML import to function when there are regexp metacharacters in product names
  • Bug 220817 - Update the FAQ to include information on why Bugzilla may request a username and password every time a page is accessed
  • Bug 238628 - Adjust the database schema chart to fit on an 8.5X11 inch page
  • Bug 239912 - Allows the bug_email.pl contrib script to work with useqacontact
  • Bug 240228 - Improves the error message used by checksetup.pl when the MySQL requirements are not met
  • Bug 240060 - Eliminates a warning in checksetup.pl about the minimum sendmail version
  • Bug 224477 - Makes webservergroup default to group ‘apache’ in new installations
  • Bug 117297 - Fixes an error where a bugmail message could be sent twice to a user on the CC list
  • Bug 240079 - Improves the wording in the README
  • Bug 249802 - Document how to create a MySQL user with permissions using MySQL 4
  • Bug 234825 - Prevents an information leak in all versions of Bugzilla where duplicates.cgi can disclose the names of products to which the user does not have access.
  • Bug 234855 - Prevents an information leak in all versions of Bugzilla where the form for mass-editing bugs can list products to which the user does not have access.
  • Bug 235265 - Prevents a Cross-Site Scripting vulnerability in several administrative scripts.
  • Bug 244272 - Fixes an issue where a user with permission to grant membership to any group (i.e. usually an administrator) could cause editusers.cgi to execute arbitrary SQL.

Conclusion and Credits

Thank you very much to everyone who has helped to bring us so much closer to the 2.18 release. A special thank you to those who helped to edit this status update and those who have assisted in other parts of the release process. Lastly and as always, a big thank you to Bugzilla’s users and testers for their feedback.

10. July 2004

Bugzilla 2.16.6 and 2.18rc1 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of our first release candidate for Bugzilla 2.18. This release will be shaped by your feedback over the next few weeks.

Also released is version 2.16.6. Both releases fix a number of security issues.

The 2.18rc1 release is also the first to offer installation on Windows without modification of Bugzilla itself. See the download page for details.

We have also posted a new status update to help keep everyone informed of where the project is heading.

21. March 2004

Bugzilla 2.16.x documentation now available as PDF

by Bugzilla Team

A long-standing bug in the 2.16 branch documentation sources has been knocked out, and we’re now pleased to offer the 2.16 documentation in PDF format on the documentation page. The 2.17.x documentation has been available this way for a while now.

03. March 2004

Status Update

by Dave Miller (justdave)

Introduction

This status update covers the four months that have gone by since our last update. At the time of our last status update, we released version 2.17.5 of Bugzilla. It was followed a week later by version 2.17.6, which was released to seal a small security hole discovered in one of the new features that was introduced in 2.17.5.

As of this status update, we are also releasing 2.17.7 and 2.16.5. For the first time in a while, there’s no security advisory to go with it, which feels pretty good! So, if there’s no security advisory, why are we releasing a new stable release? Well, 2.16.5 had a few regressions from 2.16.4 that we had to fix. The most major of which was that xml.cgi was completely busted. We also fixed some compatibility problems with older versions of DBI, fixed a MySQL 4 compatibility issue which we thought we’d fixed in 2.16.4, but it turns out we really hadn’t, and several other minor bugfixes that we hope will improve the overall stability of the 2.16 series.

Note that (in tradition with previous updates, which have included a bit on this subject) Windows support (which implies being able to run a Bugzilla instance on a Windows web server) is still to be completed and integrated! We would really appreciate community assistance in fixing the remaining issues for Windows support. So far, very few people have been contributing towards the Win32 effort.

We’d also like to remind all Bugzilla administrators that to assist them in keeping up-to-date with release announcements and security advisories, we provide an ultra-low-volume administrator mailing list ([email protected]). We advise all Bugzilla administrators to subscribe so they can keep up with important Bugzilla news.

New Releases

The Bugzilla Team is pleased to announce the 2.16.5 and 2.17.7 releases of Bugzilla.

  • The stable (2.16.5) release provides a number of bug fixes, as mentioned above. See the check-in manifest at the bottom of this status update for details.
  • The development (2.17.7) release provides a large number of feature enhancements and bug fixes. This release is a developers’ release and is not intended for production use.

We would like to remind all administrators running Bugzilla instances from the old 2.14 branch that this branch has been retired, and is no longer being supported actively by the team. We strongly recommend upgrading to the latest stable version to ensure security and proper operation.

New Features (on the Trunk)

A few new features are available for testing on our latest development release. The following items describe the most important of them, and the manifests towards the end of this document describe the full list of changes committed.

  • CSS Customization: A CSS id signature unique to each Bugzilla installation is now added to the <body> tag on Bugzilla pages to allow custom end-user CSS to explicitly affect Bugzilla. (224242)
  • Template Hooks: A mechanism for third party extensions to plug into existing templates without having to patch or replace distributed templates has been added. More information on this can be found in the Documentation. (232903)
  • ‘commentoncreate’ Parameter: A parameter has been added which allows the administrator to prevent users from submitting new bugs with an empty description. (213679)

The Road to 2.18

An update from Dave Miller, Bugzilla project leader, and Matthew Tuck, QA lead

After a long discussion on the mozilla-webtools mailing list, we’ve decided to cave in to popular demand and move to date-based releases for 2.20 and beyond, in response to the enormously long periods for the feature-based releases 2.16 and 2.18. The current plan is as follows:

The releases will be approximately six-monthly to start with. This should be an upper limit, and we could perhaps consider going to four-monthly later if things run smoothly. More releases means code gets out faster and developers have less pain missing a release, and I don’t think there’s much overhead from extra releases, given pretty much all work before and after a release will be proportionately smaller.

There will be no promises of features appearing in releases, on behalf of the Bugzilla project. We have no way of guaranteeing features in a given or reasonable time frame. If you want to make an individual promise to someone, it’s on your head. =)

The date-based part of the release process will be the feature freeze. All other aspects of development will stay “when they’re ready”. This in particular means the releases will only be approximately six months apart. This means that although the freeze will happen on a set date, the release itself will not happen until the release branch passes release candidate testing.

When the tree opens for 2.19, there will be a little less than six months of development time (so that the freezes themselves can happen every six months). Once this elapses, a feature freeze will be declared, at which point the tree will be closed to anything that is not a user or administrator-visible bug fix, docs updates or an otherwise freeze-approved checkin.

This will continue until the tree is declared fit for Release Candidate (RC) 1. At this point, the tree will branch, and HEAD will reopen for development. The branch will continue the RC cycle until it’s ready for release.

Note that the tree closed time will be deducted from the development time for the next release, which will mean the feature freezes will stay exactly every six months. One would not expect this to be greater than 1-2 weeks, in which case the development time would be about 5 months and 2-3 weeks.

Upcoming Features

This section lists major new features that are either in progress or have some amount of work toward them completed already, but have not yet landed in CVS. If you would like to help out – many of these features need either planning, coding, or testing – or just figure out what the current status is on one of these items, check out the parenthesized bug links.

  • Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
  • PostgreSQL support. (Bug 98304)
  • Sybase support. (Bug 173130)
  • Ability to add generic customized fields to bugs. (Bug 91037)
  • Customised resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system. (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
  • Wiki integration. (Bug 102685)

Apart from work on Bugzilla itself, Mike Morgan has started work on redesigning the Bugzilla website to a standards-compliant version that matches mozilla.org’s new look-and-feel. This is already underway, and will be rolled out with the Bugzilla 2.18 release.

Trunk Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the trunk from 2003/11/03 to 2004/03/03. This list was generated by filtering Bonsai’s output on that query.

Checkins that don’t refer to a specific bug number have been omitted, and were a significant minority. Bold italic bugs are security-sensitive bugs.

Checkin manifest:

  • Bug 123077 - improve the ValidatePassword sub so that a password change is no longer accepted with a blank second field
  • Bug 234898 - start to use $cgi->param in queryhelp.cgi.
  • Bug 234896 - makes sanitycheck.cgi use $cgi->param instead of ::FORM.
  • Bug 234876 - removes %FORM from token.cgi.
  • Bug 192247 - make Bugzilla quips truly random.
  • Bug 235268 - Convert show_activity.cgi to get rid of %FORM
  • Bug 235287 - improve a whineatnews.pl comment
  • Bug 65313 - improves the email regexp in order to detect better invalid email addresses
  • Bug 235175 - replaces ::FORM from createaccount.cgi with CGI based methods that are mod_perl compatible
  • Bug 234264 - eliminates a double escaping issue by removing filtering of searchname in title.
  • Bug 226251 - (internal error when server push is enabled): Due to randomization of perl hash table functionality since 5.8.1 the ‘hack’ to unset the nph parameter for multipart messages is not working reliably, instead a modified clone of the original multipart_init function is setting this parameter to ‘0’ and is ignoring the given nph parameter from buglist.cgi.
  • [SCHEMA CHANGE] Bug 220232: short_desc field in the bugs table is no longer allowed to be NULL. Null summaries would cause BugMail.pm to crash. (Normally this would only be caused by third party touching of the bugs table, such as bugs manually migrated from another system or inserted by a script - such scripts will now break if they don’t set a short_desc)
  • Bug 234171 - removes \%COOKIE from index.cgi.
  • Bug 233645 - fix a number of ‘undef’ warnings which were killing performance for multiple bug change.
  • Bug 234100 - removes redundant longdescs table join criterion
  • Bug 232749 - fix various charting problems revealed by b.m.o. upgrade, including editing, subscribe buttons and terminology.
  • Bug 232897 - make collectstats.pl work with shadow databases, by reading from shadow and writing to master.
  • Bug 232441 - Suggest solution in the error message in case admin forgets to rerun checksetup.pl
  • Bug 158527 - Fix up description for the editbugs group so it is closer to the reality
  • Bug 127995 - shows the size of attachments in the show bug and attachment interfaces.
  • Bug 218401 - add in some places templatization support for the bug term in query.cgi.
  • Bug 194472 - link to the product’s component editor when displaying error regarding lack of components.
  • Bug 232993 - Quote the filenames in the Content-disposition header when downloading attachments. This allows spaces to be used in filenames, and fixes compliance with RFCs 2183, 2045, and 822.
  • Bug 232830 - use url_quote instead of html filtering to make sure we can delete queries which contain a “+”.
  • Bug 224242 - Add a CSS id signature to the <body> attribute on Bugzilla pages to allow user CSS to explicitly affect Bugzilla.
  • Bug 220998 - Allows blocks, dependson, and keywords values to be part of a bug entry template (i.e. a URL that presets those fields to specific values). Original
  • Bug 232903 - hook to allow addition of extra administration links in the footer.
  • Bug 232804 - add a “--check-modules” switch to checksetup.pl to get it to only do the Perl module checks. This makes installation easier to explain.
  • Bug 232413 - remove occurrences of   in favour of [%+ construct to prevent whitespace chomping.
  • Bug 228917 - Makes some flag SQL work with PostgreSQL by using the semantically equivalent INNER JOIN over a comma (,).
  • Bug 213679 - Implement a parameter that allows administrators to control whether blank comments are allowed when filling new bugs.
  • Bug 232485 - fix missing space between words.
  • Bug 232494 - fix missing space between words.
  • Bug 232508 - adds back missing space between “tell” and “[% terms.Bugzilla %]”.
  • Bug 232447 - Warns user about missing bug number instead of dying in GetBugLink().
  • Bug 232161 - add ability to forget or edit saved searches when the search throws an error.
  • Bug 225043 - enhance chart migration code to populate ‘All Open’ charts from historical data.
  • Bug 232164 - Adds backwards-compatibility hack for changedin queries for newly created bugs and simplifies the code.
  • Bug 232160 - adds the header back in to the “verify component, etc.” page that appears when a user changes the product to which a bug belongs.
  • Bug 232154 - Make old column lists work again by correctly translating old -> new column names.
  • Bug 232140 - makes tests work on b.m.o by making BugMail.pm use Bugzilla::Util, which contains the trim() function BugMail.pm needs.
  • Bug 232150 - Corrects “field changed” queries including [Bug creation] as one of the fields so that they actually work instead of taking forever. The query was structured as “[Bug creation] clause OR (bugs_activity JOIN clause OR (other field clauses))” when it should have been “bugs_activity JOIN CLAUSE AND ([Bug creation] clause OR other field clauses)”
  • Bug 183774 - makes duplicates.xul compute a correct base URL when jarred so that links to bugs work.
  • Bug 232055 - add more colours to line graphs (default is 7; we now have 16 - .)
  • Bug 227155 - make sure running collectstats.pl twice in a day, or migrating data from old charts to new charts where there are duplicate entries, doesn’t cause an SQL error.
  • Bug 231391 - make “cumulate” option work on new charts, together with a few UI tweaks.
  • Bug 225075 - Fix exact case search so it only selects bugs with matching case strings.
  • Bug 231026 - improve the appearance of the buglist options at the bottom of the buglist.
  • Bug 36379 - adds command-line switches for default product, component, and version to bug_email.pl
  • Bug 227026 - remove obsolete MacsBug information from guided template (we no longer support OS 9.)
  • Backing out bug 230293, we decided this was the wrong approach.
  • Backing out code change that was accidentally left in the patch on bug 228894 (see comment 9)
  • Bug 228894 - Change HTML comments to template-toolkit ones for template version numbers.
  • Bug 224420 - fix test bustage caused by accidental use of the word “bugs”. Oops.
  • Bug 224420 - add a warning that only public bugs are counted by the new charting system at the moment.
  • Bug 90468 - Bugzilla does not log out automatically when closing the session.
  • Bug 229998 - bugzilla-submit ‘Operating-System’ and ‘URL’ fields are rejected. Minor fixes to bugzilla-submit’s argument parsing.
  • Bug 231037 - remove JS popup from bug entry page.

Stable (2.16) Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the branch from 2003/11/03 to 2004/03/03. This list was generated by filtering Bonsai’s output on that query (with some manual adjustments).

Checkin manifest:

  • Bug 123077 - improve the ValidatePassword sub so that a password change is no longer accepted with a blank second field
  • Bug 166755 - improve checksetup.pl’s error message when asking for administrator’s password
  • Bug 137121 - modify the way in which headers are printed in order to avoid printing them twice when reporting an error in createaccount.cgi
  • Bug 181106 - edit-multiple.html.tmpl uses &apos which Internet Explorer cannot use. Changed the entity in the template to a literal apostrophe.
  • Bug 231691 - fix used only once error in Perl 5.00503
  • Bug 224815 - The check-in for bug 212095 (which fixed a forward-compatibility problem with DBD::mysql) created a backward compatibility issue with DBI (unintentionally bumped the required minimum DBI version). This checkin puts the proper code in place to allow the minimum stated DBI according to the Bugzilla 2.16 documentation as well as the current DBI version as of this writing.
  • Bug 228706 - Fixes invalid expiration dates on almost all of the cookies. Amazingly it mostly worked before. It’ll work better now. :)
  • Bug 227513 - Add text to shadowdb param description to indicate that the privileges to access the shadowdb must be granted from MySQL prior to entering the shadowdb name in the param.
  • Bug 227510 - The shadowdb parameter wasn’t getting detainted before using it to create the shadowdb.
  • Bug 121419 - Use the most-specific cookie if more than one exists with different cookiepaths. Should help ease login troubles related to the cookiepath setting.
  • Bug 188712 - Safari thinks it’s Gecko, but it doesn’t support server-push. Look for it and don’t give it server-push.
  • Bug 225474 - Fixing regression from bug 217422, xml.cgi got busted, and the patch from bug 217422 (MySQL 4 compatibility for show_bug) didn’t accomplish what it was supposed to anyway. This checkin fixes both.
  • Bug 95430 - Reopening bugs from the “change several bugs at once” page did not work.

Conclusion and Credits

Well, that’s it for this status update. We’d like to thank everybody who submitted a patch, helpful comment or bug to Bugzilla – it’s very much appreciated, even when everybody’s too busy to stop and say “great work”; we always mean it! Let’s work together to make 2.18 the killer release we all want it to be.

03. March 2004

bugzilla-submit 0.5 posted

by Bugzilla Team

Christian Reis and Eric S. Raymond have released an initial version of bugzilla-submit, a command-line utility to post new bugs to a Bugzilla installation. We’d like to invite testing and feedback on the tool and its functionality; note that it requires Python 2.3. Post bug reports as usual to bugzilla.mozilla.org.

03. March 2004

Bugzilla 2.17.7 and 2.16.5 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of the Bugzilla 2.17.7 developer snapshot. For details on the newest features and bugfixes, see the new status update.

Also released today is Bugzilla 2.16.5. Version 2.16.5 is the latest stable Bugzilla release, and contains fixes to a regression and some compatibility issues in Bugzilla 2.16.4.

09. November 2003

Bugzilla 2.17.6 Released

by Bugzilla Team

We had a small “oops” with the 2.17.5 release: one of the new features it introduced also introduced a new security hole. For the full details, read the security advisory. Note that this affects version 2.17.5 only and the current stable version 2.16.4 is not affected. Since this is the development branch, there have been other checkins besides the security fix. For a complete list, click the “2.17.5 → 2.17.6” link on the changelog page. Version 2.17.6 is available on the download page.