4.0.16

• Release Notes for Bugzilla 4.0.16
• Security Advisory for versions before 4.0.16
• Download Bugzilla 4.0.16
• Complete changelogs since prior versions

Release Notes

Bugzilla 4.0.16 Release Notes

• Introduction
• Updates in this 4.0.x Release
• Minimum Requirements
• New Features and Improvements
• Outstanding Issues
• Notes On Upgrading From a Previous Version
• Code Changes Which May Affect Customizations and Extensions
• Release Notes for Previous Versions

Introduction

This is Bugzilla 4.0! Since 3.6 (our previous major release) we've come a long way, and we've come even further compared to 3.0 in 2007! Since Bugzilla 3.0, almost every major user interface in Bugzilla has been redesigned, the WebServices have evolved enormously, there's a great new Extensions system, and there are hundreds of other new features. With the major redesigns that come particularly in this release compared to 3.6, we felt that it was time to call this release 4.0.

It's not just major WebService and UI enhancements that are new in Bugzilla 4.0—there are many other exciting new features, including automatic duplicate detection, enhanced custom field functionality, autocomplete for users, search improvements, and much more. Overall, 4.0 is far and away the best version of Bugzilla we've ever released.

If you're upgrading, make sure to read Notes On Upgrading From a Previous Version. If you are upgrading from a release before 3.6, make sure to read the release notes for all the previous versions in between your version and this one, particularly the Upgrading section of each version's release notes.

We would like to thank ITA Software, the IBM Linux Technology Center, and Red Hat for funding the development of certain features and improvements in this release of Bugzilla.

Updates in this 4.0.x Release

4.0.16

This release fixes a couple of security issues. See the Security Advisory for details.

In addition, the following important fix has been made in this release:

• Fixing a regression caused by CVE-2014-1571 (bug 1064140), comments made while setting a flag from the attachment details page are again included in the flag notification email. (Bug 1082887)

4.0.15

This release fixes several security issues. See the Security Advisory for details.

4.0.14

This release fixes one security issue. See the Security Advisory for details.

4.0.13

This release fixes one regression introduced in Bugzilla 4.0.12 by security bug 968576: URLs in bug comments are displayed correctly again. (Bug 998323)

4.0.12

This release fixes one minor security issue. See the Security Advisory for details.

4.0.11

This release fixes two security issues. See the Security Advisory

This release fixes one regression introduced in Bugzilla 4.0.12 by security bug 968576: URLs in bug comments are displayed correctly again. (Bug 998323)

4.0.12

This release fixes one minor security issue. See the Security Advisory for details.

4.0.11

This release fixes two security issues. See the Security Advisory for details.

In addition, the following bugs have been fixed in this release:

• Bugzilla can now be installed with MySQL 5.6 as DB server. (Bug 852560)
• Internet Explorer 11 can now display buglists correctly. (Bug 902515)
• With DB servers doing case-insensitive comparisons, such as MySQL, tokens and login cookies were not correctly validated as the case was ignored. (Bug 906745 and bug 907438)
• All security headers (such as X-Frame-Options) are now returned when using XML-RPC. (Bug 787328)

4.0.10

This release fixes two security issues. See the Security Advisory for details.

In addition, the following bugs have been fixed in this release:

• Warnings thrown by Return::Value 1.666002 about this deprecated module and which are polluting the web server error log are now disabled. (Bug 826678)
• Bugzilla now works correctly with Perl 5.16. (Bug 771100)

4.0.9

This release fixes several security issues. See the Security Advisory for details.

In addition, the following bugs have been fixed in this release:

• Flag names were not properly escaped when displayed on the "confirm user match" page. An admin could unintentionally break the display of this page if a flag name contains a < or > character, because these characters were not filtered. (Bug 790215)
• Bugs with the resolution MOVED couldn't be edited anymore. (Bug 757935)
• Editing dependencies from the "Change Several Bugs at Once" page didn't work as expected. Bug IDs were incorrectly parsed. (Bug 790909)

4.0.8

This release fixes two security issues. See the Security Advisory for details.

This release also fixes a problem where an admin could unintentionally break the display of buglists if a custom field description contains a < or > character, because these characters were not filtered. (Bug 785917)

4.0.7

This release fixes one security issue. See the Security Advisory for details.

In addition, the following bugs have been fixed in this release:

• A regression introduced in Bugzilla 4.0 caused some login names to be ignored when entered in the CC list of bugs. (Bug 756314)
• Keywords are now correctly escaped in the auto-complete form to prevent any XSS abuse. (Bug 754561)
• A regression introduced in Bugzilla 4.0rc2 when fixing CVE-2011-0046 caused the "Un-forget the search" link to not work correctly anymore when restoring a deleted saved search, because this link was lacking a valid token. (Bug 768870)

4.0.6

This release fixes two security issues. See the Security Advisory for details.

In addition, the following bug has been fixed in this release:

• Due to a regression introduced when fixing CVE-2012-0453, if an XML-RPC client sets the charset as part of its Content-Type header, we were incorrectly rejecting the request. The header is now correctly parsed. (Bug 731219)

4.0.5

This release fixes one security issue. See the Security Advisory for details.

In addition, the following important change has been made in this release:

• Clickjacking could possibly occur in the attachment "View All" page if a user attached a specially formatted HTML file. To fix this potential problem, the "View All" page now always displays the source code for all attachments whose MIME type is text/html. (Bug 722161)

4.0.4

This release fixes two security issues. See the Security Advisory for details.

In addition, the following important fixes/changes have been made in this release:

• Clickjacking could possibly occur in the attachment Details page if a user attached a specially formatted HTML file. To fix this potential problem, the Details page now always displays the source code for all attachments whose MIME type is text/html, and users can see the rendered page by clicking on View. (Bug 716283)
• Previously, WebServices would only work with JSON::RPC 0.96 or older due to newer versions being incompatible. JSON::RPC 1.x is now supported as well. (Bug 706753)
• User autocompletion for the requestee and requester fields in request.cgi and the watch users field in userprefs.cgi were not working properly. (Bug 715705) (Bug 715650)

4.0.3

This release fixes two security issues. See the Security Advisory for details.

In addition, the following important fixes/changes have been made in this release:

• It was impossible to install or upgrade Bugzilla if DBD::Pg is installed and your Perl installation has version.pm 0.92 or newer, due to an incompatible change made in version.pm 0.92. (Bug 678772)
• When reporting a new bug using the Guided Form, groups configured to be selected by default were ignored and the bug was left publicly visible, unless some mandatory groups applied. Now default groups are correctly taken into account, and the bug will be restricted to these groups. New bugs reported using the standard form are not affected by this issue. (Bug 460074)
• A new parameter named 'ajax_user_autocompletion' has been added to allow administrators to disable auto-completion when typing characters in user fields. This parameter should only be disabled if your installation is unable to support the load generated by this feature. (Bug 685552)
• Account lockout notifications were not sent to the maintainer of the Bugzilla installation. (Bug 707594)
• Duplicate bug detection, simple searches and quicksearches did not work when using Oracle as the database. (Bug 654496 and bug 582209)
• If a product has no components defined, selecting a product in the Advanced Search page was displaying the wrong list of components. (Bug 622487)
• Custom field values whose visibility depends on another field value did not remain selected after editing a bug. (Bug 707428)
• importxml.pl was unable to import bugs anymore (regressed in 4.0.1). (Bug 691845)
• migrate.pl was unable to run (regressed in 4.0). (Bug 682203)
• whine.pl was failing to execute if a saved search threw an error. (Bug 277073)
• Emails sent by whine.pl had the address of the assignee either truncated or missing completely (regressed in 3.4). The full email address is now properly displayed. (Bug 550299)

4.0.2

This release fixes several security issues. See the Security Advisory for details.

In addition, the following important fixes/changes have been made in this release:

• The Bug.create WebService method now throws an error if you pass a group name which doesn't exist. In Bugzilla 4.0 and 4.0.1, this group name was silently ignored, leaving your bug unsecure if no other group applied. (Bug 653341)
• Moving several bugs at once into another product displayed the same confirmation page again and again, and changes were never committed (regressed in 4.0). (Bug 663208)
• Marking a bug as a duplicate now works in Internet Explorer 9. (Bug 656769)
• importxml.pl no longer crashes when importing keywords (regressed in 4.0). (Bug 657707)
• Data entered while reporting a new bug could be lost if you had to click the "Back" button of your web browser. (Bug 652427)
• WebServices methods will return undefined bug fields as undefined instead of as an empty string. This change is consistent with how Bugzilla 4.2 behaves. (Bug 657561)
• The XML-RPC interface now works with SOAP::Lite 0.711 and 0.712 under mod_perl. (Bug 600810)
• LWP 6.00 and newer require Perl 5.8.8 and above. When installing this module using install-module.pl on a Perl installation older than 5.8.8, LWP 5.837 will be installed instead. (Bug 655912)
• Viewing a bug report should be significantly faster when your installation has many custom fields. (Bug 634812)

4.0.1

• During installation, the CPAN module Math::Random::Secure would sometimes fail to install properly and give an error about Math::Random::Secure::irand. Now, when using install-module.pl to install Math::Random::Secure, this will no longer happen. If you are currently experiencing this bug and it prevented you from installing 4.0, remove Math::Random::Secure from your lib/ directory, like:

  rm -rf lib/Math/Random/Secure*

  (Bug 646578)

• The "Remember values as bookmarkable template" button on the bug entry page will now work even when some required fields are empty. (Bug 640719)
• Email notifications about dependencies and flags had the wrong timestamp. (Bug 643910 and bug 652165)
• You can now select "UTC" as a valid timezone in General Preferences. (Bug 646209)
• Automatic duplicate detection now works on PostgreSQL (although it is not as high-quality as on other DB platforms). (Bug 634144)
• Autcomplete for users now works even if you are using the "emailsuffix" option. (Bug 641519)
• Javascript errors during series creation in New Charts have been fixed. (Bug 644285)
• The "Show Votes" page now works, for installations using the Voting extension. (Bug 652381)

Minimum Requirements

Any requirements that are new since 3.6.3 will look like this.

• Perl
• For MySQL Users
• For PostgreSQL Users
• For Oracle Users
• Required Perl Modules
• Optional Perl Modules
• Optional Apache Modules

Perl

Perl v5.8.1

For MySQL Users

• MySQL v4.1.2
• perl module: DBD::mysql v4.00

For PostgreSQL Users

• PostgreSQL v8.00.0000
• perl module: DBD::Pg v1.45

For Oracle Users

• Oracle v10.02.0
• perl module: DBD::Oracle v1.19

Required Perl Modules

Module	Version
CGI	3.51
Digest::SHA	(Any)
Date::Format	2.21
DateTime	0.28
DateTime::TimeZone	0.71
DBI	1.41
Template	2.22
Email::Send	2.00
Email::MIME	1.904
URI	(Any)
List::MoreUtils	0.22

Optional Perl Modules

The following perl modules, if installed, enable various features of Bugzilla:

Module	Version	Enables Feature
GD	1.20	Graphical Reports, New Charts, Old Charts
Chart::Lines	2.1	New Charts, Old Charts
Template::Plugin::GD::Image	(Any)	Graphical Reports
GD::Text	(Any)	Graphical Reports
GD::Graph	(Any)	Graphical Reports
MIME::Parser	5.406	Move Bugs Between Installations
LWP::UserAgent	(Any)	Automatic Update Notifications
XML::Twig	(Any)	Move Bugs Between Installations, Automatic Update Notifications
PatchReader	0.9.4	Patch Viewer
Net::LDAP	(Any)	LDAP Authentication
Authen::SASL	(Any)	SMTP Authentication
Authen::Radius	(Any)	RADIUS Authentication
SOAP::Lite	0.712	XML-RPC Interface
JSON::RPC	(Any)	JSON-RPC Interface
JSON::XS	2.0	Make JSON-RPC Faster
Test::Taint	(Any)	JSON-RPC Interface, XML-RPC Interface
HTML::Parser	3.40	More HTML in Product/Group Descriptions
HTML::Scrubber	(Any)	More HTML in Product/Group Descriptions
Email::MIME::Attachment::Stripper	(Any)	Inbound Email
Email::Reply	(Any)	Inbound Email
TheSchwartz	(Any)	Mail Queueing
Daemon::Generic	(Any)	Mail Queueing
mod_perl2	1.999022	mod_perl
Apache2::SizeLimit	0.93	mod_perl
Math::Random::Secure	0.05	Improve cookie and token security

Optional Apache Modules

If you are using Apache as your webserver, Bugzilla can now take advantage of some Apache features if you have the below Apache modules installed and enabled. Currently, certain Bugzilla features are enabled only if you have all of the following modules installed and enabled:

• mod_headers
• mod_expires
• mod_env

On most systems (but not on Windows), checksetup.pl is able to tell whether or not you have these modules installed, and it will tell you.

New Features and Improvements

• Automatic Duplicate Detection When Filing Bugs
• New Advanced Search UI
• New Attachment Details UI
• Autocomplete for Users and Keywords
• General Usability Improvements
• New Default Status Workflow
• "Last Search" Now Remembers Multiple Searches
• Cross-Domain WebServices with JSONP
• Major WebService Enhancements
• Mandatory Custom Fields
• Voting Is Now An Extension
• Users Get New CSS and Javascript Automatically
• Many New Hooks
• New Apache Configuration
• Other Enhancements and Changes

Automatic Duplicate Detection When Filing Bugs

When filing a bug, as soon as you start typing in the summary field, Bugzilla will suggest possible duplicates of the bug you are filing.

In order for this feature to work, all pre-requisites for JSON-RPC support must be installed on your Bugzilla. It will be much faster on installations that run under mod_perl than it will be on other installations.

New Advanced Search UI

Thanks to the UI work of Guy Pyrzak, the Advanced Search UI has been completely redesigned. It is now much simpler, and far more approachable for new users, while still retaining all of the features that power users are used to.

New Attachment Details UI

The UI used for editing attachment details has been completely redesigned, allowing for a normally-size comment box to be used when commenting on attachments, and allowing nearly the entire screen width to be used when doing code reviews or editing an attachment as a comment.

Thanks to Guy Pyrzak for his excellent work on this UI redesign.

Autocomplete for Users and Keywords

Once you type at least three characters in any field that can contain a user (including the CC, QA Contact, or Assignee fields), a list will appear containing all of the users whose real names or usernames match what you are typing. Your Bugzilla must have all of the optional Perl modules required for JSON-RPC support installed, though, in order for this feature to work. Also, this feature will be much faster on installations that run under mod_perl than it will be on other installations.

There is also a similar autocomplete for the Keywords field. The Keywords autocomplete does not require JSON-RPC.

General Usability Improvements

In addition to the enhancements listed above, there have been many improvements made across the Bugzilla user interface. For a list of specific enhancements that were significant, see the Other Enhancements and Changes section.

New Default Status Workflow

For new installations of Bugzilla, the default set of statuses will now be:

• UNCONFIRMED
• CONFIRMED
• IN_PROGRESS
• RESOLVED
• VERIFIED

And the UNCONFIRMED status will be enabled by default in all products.

On upgrade, existing installations will not be affected--you will retain your existing status workflow. However, we strongly recommend that you update your existing workflow to the new one, using a special tool we've included, contrib/convert-workflow.pl, which you can run after you use checksetup.pl to upgrade. The whineatnews.pl and bugzilla-submit scripts will probably not work properly if you continue to use the old workflow (though most other parts of Bugzilla will still function normally).

For more information about the workflow and our rationale for changing it, see the blog post about it and the bug where the change was made.

"Last Search" Now Remembers Multiple Searches

At the top of every bug in Bugzilla, there are links that look like: "First", "Last", "Prev", "Next", and "Show last search results". In earlier versions of Bugzilla, if you did two separate searches in separate windows, these links would only work for the last search you did. Now, Bugzilla will "remember" which search result you came from and give you the right "last search results" or "next bug" from that list, instead of always using your most recent search.

There are still some situations where Bugzilla will have to "guess" which search you are trying to navigate through, but it does its best to get it right.

Cross-Domain WebServices with JSONP

Bugzilla now supports making WebService calls from another domain, inside of a web browser, thanks to support for JSONP. This will allow for web "mash-ups" to use Bugzilla data. When using JSONP, you may only call functions that get data, you may not call functions that change data.

For more details, see the JSONP section of the JSON-RPC WebService documentation.

Major WebService Enhancements

The WebService has been expanded considerably. The WebService should now be able to do everything with bugs that you can do via the web interface, including updating bugs, adding attachments, and getting attachment data. For specifics, see the WebService Changes section of these release notes.

Mandatory Custom Fields

You can now specify that certain custom fields are "mandatory", meaning that they must have a value when a bug is filed, and they can never be empty after that.

Voting Is Now An Extension

All of the code for voting in Bugzilla has been moved into an extension, called "Voting", in the extensions/Voting/ directory. To enable it, you must remove the disabled file from that directory, and run checksetup.pl.

In a future version of Bugzilla, the Voting extension will be moved outside of the Bugzilla core code, so we are looking for somebody who has an interest in the Voting system and would like to maintain it as a separate extension. There are many enhancement requests that have been made against the Voting system, and the best way for those to get addressed is for somebody to step up and offer to maintain the system outside of Bugzilla's core code.

Users Get New CSS and Javascript Automatically

In past versions of Bugzilla, if you changed Bugzilla's CSS or Javascript files, then every user of Bugzilla would have to clear their cache in order to get the updated files. Now, if you are using Apache as your webserver and you have the optional Apache modules installed and enabled, users will automatically get every new version of Bugzilla's Javascript and CSS without having to clear their caches.

This feature also gives a slight performance speedup to Bugzilla in some cases, and so we recommend that all administrators install and enable the optional Apache modules if possible.

Many New Hooks

Many new code hooks have been added for use by Extensions, in Bugzilla 4.0. Now Extensions can access and modify nearly every part of Bugzilla.

New Apache Configuration

If you run Bugzilla under Apache (as most people do), you most likely require a new Apache configuration for this version of Bugzilla. See the Notes On Upgrading From a Previous Version section for details.

Other Enhancements and Changes

Enhancements for Users

• Now, everywhere in Bugzilla where you can enter a date, there is a Calendar widget where you can select the date on a calendar.
• The big icons on the front page have been replaced with much nicer icons, thanks to Jon Pink of J. Pink Design!
• Bugs: When filing bugs, you will now be warned if you forgot to fill in any mandatory fields, before the page is submitted.
• Bugs: When filing a bug, you can hover your mouse over any of the field labels on the page to get a brief description of what that field is and what its purpose is.
• Bugs: When adding Hours Worked to a bug, you are no longer required to comment.
• Bugs: There is now a user preference for whether the comment box appears above or below the existing comments.
• Bugs: Bugzilla will now send an email for every comment that you mark or un-mark as being private. (Previous versions of Bugzilla did not send emails to users about this change.) The state of comments being made private is also now stored in a bug's history.
• Bugs: The box to "Add Bug URLs" in the See Also field is now hidden behind an "(add)" link that you have to click to see the box.
• Searches: You can now properly search for field values that have commas in their name, when using the Advanced Search form.
• Searches: The "URL" field can now be shown as a column in search results.
• Searches: When viewing a search result, you can now click on the Summary of the bug in order to go to the bug-view page, in addition to being able to click on the bug ID.
• Searches: When doing a search using the "quicksearch" box in the header or footer, the box will still contain what you searched for when viewing the search results page.
• Searches: Multi-select custom fields can now be shown as columns in the search results.
• Searches: When using the Boolean Charts (now called "Custom Search"), if you specify both a criterion for an attachment and a criteron for a flag, then only bugs that have attachments with that flag will be found.
• Searches: If you hover your mouse over the field labels on the Advanced Search page, you will get a description of what that field is.
• Searches: When searching via a saved search, if you accidentally click on "Forget Search", there is a link to undo it.
• Searches: When using the Boolean Charts (now called "Custom Search"), you can search for values "greater than or equal to" or "less than or equal to" some value.
• Flags: If you hover your mouse over the name of a flag setter when viewing a bug, you can see that flag setter's full name and complete username.
• Flags: When setting a flag on a bug, the box for entering a requestee does not appear until you set the flag to "?", now.
• Flags: On the "My Requests" page, bugs that are restricted to certain groups now properly have the "padlock" icon shown next to them to indicate that they may contain confidential information.
• When using the Reports interface, you can now choose many more fields as the X, Y, or Z axis of a report, including custom fields.
• Bugzilla now prevents Internet Explorer 8 and later from attempting to render text/plain attachments as HTML.
• If you receive a Whine mail that is empty, there will now be a brief message explaining that your search found no results.
• The Field Help Page now contains a description of every single field that can be on a bug in Bugzilla.

Enhancements for Administrators and Developers

• The system for moving bugs between installations has been moved into an extension called OldBugMove. This system was used by very few Bugzilla installations--if you aren't certain whether or not you are using it, you're not using it. To enable the system, you have to remove the file extensions/OldBugMove/disabled and then run checksetup.pl. In a future version of Bugzilla, this extension may be moved outside of the core Bugzilla code, so if you are interested in maintaining it, please let us know.
• Custom Fields: "Bug ID" custom fields can now represent relationships between bugs, similarly to how the Blocks and Depends on fields work now.
• Custom Fields: You can now restrict the visibility of custom fields and their values to a specific Component or Classification.
• The "keyword cache" has been removed. When you edit keywords, you no longer will have to "rebuild the keyword cache" after you are done.
• Running ./collectstats.pl --regenerate will now take minutes or hours, instead of days.
• When using email_in.pl, there are two new switches, --default and --override, which allow you to specify certain default values or override specified values for @field values sent in emails. (This also allows you to specify defaults for everything so that people do not have to specify any field values when filing a bug via email.)
• Installation: If you are using a localized version of Bugzilla and your terminal does not understand Unicode, checksetup.pl will now attempt to output its messages in your terminal's character set.
• Installation: Bugzilla no longer needs empty "placeholder" CSS in the skins/custom directory and other directories. When you update, checksetup.pl will remove these. This also significantly reduces the number of HTTP requests required to load a page for the first time in Bugzilla.
• Installation: For Windows users, Bugzilla now supports Strawberry Perl fully.
• Installation: Now, whenever checksetup.pl throws an error, it will be printed in the color red, to make it obvious that something is wrong.
• Installation: Some actions of checksetup.pl were silent, in the past. Now, checksetup.pl will print a message for almost anything it does.
• Installation: The process of adding foreign keys to a table is now much faster. This will particularly improve the speed of upgrading from Bugzilla 3.4 or earlier.
• If you are using jobqueue.pl and email gets heavily delayed for some reason, those emails will now have a Date header reflecting the time they were supposed to be sent, instead of when they actually were sent.
• ./jobqueue.pl install now works on SUSE Linux.
• Bugzilla now runs much better in Apache's suexec mode than it used to. As part of this, checksetup.pl sets much stricter permissions on all the files in Bugzilla than it used to. In particular, any files that Bugzilla does not know about will not be readable by the webserver.
• The sendmailnow parameter has been removed, as it was not necessary for any modern version of Sendmail or other Mail Transfer Agent.
• When editing a user via the Users administration panel, you can now see if they are a Default CC on any component.
• For new installations of Bugzilla, all users will be able to see and use the Whining system by default.
• When you are using SSL with Bugzilla, you can now turn on the strict_transport_security parameter to send the Strict-Transport-Security header with every HTTPS connection, for additional security.
• New code hooks (see their documentation in Bugzilla::Hook): bug_check_can_change_field, search_operator_field_override, bugmail_relationships, object_columns, object_update_columns, and object_validators. The colchange_columns hook has been removed, as it is no longer necessary (buglist_columns will be used for data about which columns can be on the bug list).
• When Bugzilla throws certain types of errors, it will now include a "traceback" of where exactly the error occurred in the code, to help administrators and developers debug problems.
• There is now a test, xt/search.t, that assures that all of the functionality of Bugzilla::Search is working properly. If you customize the search functionality of Bugzilla, you may wish to run this test to assure that your changes are correct. You can see more information about running this test by doing perldoc xt/search.t at the command line.
• Bugzilla now sends the X-Frame-Options: SAMEORIGIN header with every page request in order to prevent "clickjacking" attacks. Note that this prevents other domains from displaying Bugzilla in an HTML frame.

WebService Changes

• You can now call some JSON-RPC methods using HTTP GET, in addition to using HTTP POST. See the JSON-RPC documentation for details.
• You can now update existing bugs using the Bug.update function.
• You can now add attachments to bugs using the Bug.add_attachment function.
• The Bug.get function now returns all of a bug's information other than comments and attachments.
• Bug.get no longer returns the internals hash.
• The Bug.attachments function now also returns attachment data.
• The following functions now support the include_fields and exclude_fields arguments: Bug.get, Bug.search, and Bug.attachments. Also, server-side performance of the WebService is actually increased when using these arguments, now, as Bugzilla will no longer get data from the database for fields you haven't asked for.
• You can now mark the initial description of a bug as private when filing a bug via the Bug.create function.
• You can now specify groups to put a bug in, in the Bug.create function. (This also means that you can specify groups when filing a bug via email_in.pl.)
• The User.get function now accepts groups and group_ids arguments, to limit the returned values to only users in the specified groups.
• There is a new, undocumented Bug.possible_duplicates function that helps implement the automatic duplicate detection system. Because this function is not documented, its API may change between releases of Bugzilla.
• You can no longer search using the votes argument in Bug.search.
• Bug.attachments now returns the attachment's description using the name "summary" instead of the name "description", to be consistent with the fact that bug summaries are called "summary". The value is still also returned as "description", for backwards compatibility, but this backwards compatibility will go away in Bugzilla 5.0.
• In the return values of various Bug functions, the author of comments, bugs, and attachments is now called "creator", instead of sometimes being called "reporter", "author", or "attacher". The old names are retained for backwards-compatibility, and will stay around until Bugzilla 5.0.

Outstanding Issues

• Bug 423439: Tabs in comments will be converted to four spaces, due to a bug in Perl as of Perl 5.8.8.
• Bug 89822: When changing multiple bugs at the same time, there is no "mid-air collision" protection.
• Bug 276230: The support for restricting access to particular Categories of New Charts is not complete. You should treat the 'chartgroup' Param as the only access mechanism available.
  However, charts migrated from Old Charts will be restricted to the groups that are marked MANDATORY for the corresponding Product. There is currently no way to change this restriction, and the groupings will not be updated if the group configuration for the Product changes.

Notes On Upgrading From a Previous Version

IMPORTANT: Apache Configuration Change

mod_cgi

If you run Bugzilla under mod_cgi (this is the most common configuration, involving a <Directory> block in your Apache config file), you will need to update the configuration of Apache for Bugzilla. In particular, this line in the Bugzilla <Directory> block:

AllowOverride Limit

needs to become:

AllowOverride Limit FileInfo Indexes

For full details on how to configure Apache for Bugzilla, see the Configuration section of the Bugzilla Guide.

mod_perl

If your Bugzilla runs under mod_perl, the required Apache configuration is now simpler. The line that used to look like:

PerlSwitches -w -T -I/var/www/html/bugzilla -I/var/www/html/bugzilla/lib

Now should be only:

PerlSwitches -w -T

The PerlConfigRequire line should stay the same, however.

New .htaccess file

In previous versions of Bugzilla, there was a file in Bugzilla's root directory called ".htaccess" that was generated by checksetup.pl. This file is now shipped with Bugzilla instead of being generated during installation.

If you update via CVS or bzr, you will get a message that your existing .htaccess file conflicts with the new one. You must remove your existing .htaccess file and use the new one instead. Continuing to use your old .htaccess file will cause certain new features of Bugzilla to not work properly, and may also lead to security issues for your system in the future.

Code Changes Which May Affect Customizations and Extensions

• In Extensions, if you want to serve files to the user via the web, they must now be in a web/ subdirectory of your Extension. (For example, extensions/Foo/web/). checksetup.pl sets permissions on extensions much more strictly now, and files in other locations (such as your base extensions/Foo/ directory) will no longer be available to Bugzilla users via the web under certain configurations.
• Previous versions of Bugzilla used to allow putting a single file into the "skins" directory and having that be an entire skin. That is no longer allowed, and on upgrade, checksetup.pl will convert any such skins into a directory with a single global.css file in them.
• When updating bugs, you should now use $bug->set_all instead of using the individual set_ methods. In particular, set_all is now the only way to set the product of a bug. See process_bug.cgi for an example of how set_all should be used.
• You should not insert <script> tags and <link> CSS tags into HTML anymore, in Extensions or in your customizations. Instead, you should push new values into the style_urls or javascript_urls parameters. If you have to insert manual tags for some reason, be sure to call "FILTER mtime" on the URL. (Search for other uses of "FILTER mtime" in the templates to see how it is used.)
• When calling Bugzilla::BugMail::Send, the "changer" argument must now be a Bugzilla::User object, not just a login name. The "owner" and "qacontact" arguments are still just login names.
• When creating a new subclass of Bugzilla::Object, you should no longer use UPDATE_VALIDATORS. Also, in most cases you will no longer need to override run_create_validators. Instead, there is a new constant called VALIDATOR_DEPENDENCIES, that specifies that certain fields have to be validated before other fields. Then, all validators receive each already-validated value in a hash as their fourth argument, so each validator can know the other values that were passed in, while an object is being created. For an example of how to use VALIDATOR_DEPENDENCIES, see Bugzilla/Field.pm.
• In previous versions of Bugzilla, you had to call Bugzilla->template_inner("") after any time that you called template_inner for a specific language. It is no longer necessary to do this second template_inner call.
• post_bug.cgi and Bugzilla::Bug->create now take the names of groups instead of group ids.
• Bugzilla::Bugmail now uses Bugzilla::Bug objects internally instead of a lot of direct SQL.
• For sending changes about bugs, there is now a method called send_changes that you can call on Bugzilla::Bug objects. For an example of its use, see process_bug.cgi.
• The Bugzilla::Search class has been refactored, and should now be easier to customize.
• The Bugzilla::Util::lsearch function is gone. Use firstidx from List::MoreUtils, instead.
• Bugzilla now includes YUI 2.8.2.
• long_list.cgi, showattachment.cgi and xml.cgi are deprecated scripts which are no longer actively used since Bugzilla 2.19. These scripts will be removed in Bugzilla 4.2.

Bugzilla 3.6 Release Notes

• Introduction
• Updates in this 3.6.x Release
• Minimum Requirements
• New Features and Improvements
• Outstanding Issues
• Notes On Upgrading From a Previous Version
• Code Changes Which May Affect Customizations
• Release Notes for Previous Versions

Introduction

Welcome to Bugzilla 3.6! The focus of the 3.6 release is on improving usability and "polishing up" all our features (by adding some pieces that were "missing" or always wanted), although we also have a few great new features for you, as well!

If you're upgrading, make sure to read Notes On Upgrading From a Previous Version. If you are upgrading from a release before 3.4, make sure to read the release notes for all the previous versions in between your version and this one, particularly the Upgrading section of each version's release notes.

We would like to thank Canonical Ltd., ITA Software, the IBM Linux Technology Center, Red Hat, and Novell for funding the development of various features and improvements in this release of Bugzilla.

Updates in this 3.6.x Release

3.6.2

This release fixes various security issues. See the Security Advisory for details.

In addition, the following important fixes/changes have been made in this release:

• Bugzilla installations running on older versions of IIS will no longer experience the "Undef to trick_taint" errors that would sometimes occur. (Bug 521416)
• Email notifications were missing the dates that comments were made. (Bug 578003)
• Putting a phrase in quotes in the Quicksearch box now works properly, again. (Bug 578494 and Bug 553884)
• Quicksearch was usually (incorrectly) being limited to 200 results. (Bug 581622)
• On Windows, install-module.pl can now properly install DateTime and certain other Perl modules that didn't install properly before. (Bug 576105)
• Searching "keywords" for "contains none of the words" or "does not match regular expression" now works properly. (Bug 562014)
• Doing collectstats.pl --regenerate now works on installations using PostgreSQL. (Bug 577058)
• The "Field Values" administrative control panel was sometimes denying admins the ability to delete field values when there was no reason to deny the deletion. (Bug 577054)
• Eliminate the "uninitialized value" warnings that would happen when editing a product's components. (Bug 576911)
• The updating of bugs_fulltext that happens during checksetup.pl for upgrades to 3.6 should now be MUCH faster. (Bug 577754)
• email_in.pl was not allowing the setting of time-tracking fields via inbound emails. (Bug 583622)

3.6.1

This release fixes two security issues. See the Security Advisory for details.

In addition, the following important fixes/changes have been made in this release:

• Using the "Change Columns" page would sometimes result in a plain-text page instead of HTML. (Bug 376044)
• Extensions that have only templates and no code are now working. (Bug 562551)
• install-module.pl has been fixed so that it installs modules properly on both new and old versions of Perl. (Bug 560318 and Bug 560330)
• It is now possible to upgrade from 3.4 to 3.6 when using Oracle. (Bug 561379)
• Editing a field value's name (using the Field Values admin control panel) wasn't working if the value was set as the default for that field. (Bug 561296)
• If you had the noresolveonopenblockers parameter set, bugs couldn't be edited at all if they were marked FIXED and had any open blockers. (The parameter is only supposed to prevent changing bugs to FIXED, not modifying already-FIXED bugs.) (Bug 565314)
• Some minor issues with Perl 5.12 were fixed (mostly warnings that Perl 5.12 was throwing). Bugzilla now supports Perl 5.12.

Minimum Requirements

Any requirements that are new since 3.4.5 will look like this.

• Perl
• For MySQL Users
• For PostgreSQL Users
• For Oracle Users
• Required Perl Modules
• Optional Perl Modules

Perl

Perl v5.8.1

For MySQL Users

• MySQL v4.1.2
• perl module: DBD::mysql v4.00

For PostgreSQL Users

• PostgreSQL v8.00.0000
• perl module: DBD::Pg v1.45

For Oracle Users

• Oracle v10.02.0
• perl module: DBD::Oracle v1.19

Required Perl Modules

Module	Version
CGI	3.21
Digest::SHA	(Any)
Date::Format	2.21
DateTime	0.28
DateTime::TimeZone	0.71
DBI	1.41
Template	2.22
Email::Send	2.00
Email::MIME	1.861
Email::MIME::Encodings	1.313
Email::MIME::Modifier	1.442
URI	(Any)

Optional Perl Modules

The following perl modules, if installed, enable various features of Bugzilla:

Module	Version	Enables Feature
GD	1.20	Graphical Reports, New Charts, Old Charts
Chart::Lines	2.1	New Charts, Old Charts
Template::Plugin::GD::Image	(Any)	Graphical Reports
GD::Text	(Any)	Graphical Reports
GD::Graph	(Any)	Graphical Reports
XML::Twig	(Any)	Move Bugs Between Installations, Automatic Update Notifications
MIME::Parser	5.406	Move Bugs Between Installations
LWP::UserAgent	(Any)	Automatic Update Notifications
PatchReader	0.9.4	Patch Viewer
Net::LDAP	(Any)	LDAP Authentication
Authen::SASL	(Any)	SMTP Authentication
Authen::Radius	(Any)	RADIUS Authentication
SOAP::Lite	0.710.06	XML-RPC Interface
JSON::RPC	(Any)	JSON-RPC Interface
Test::Taint	(Any)	JSON-RPC Interface, XML-RPC Interface
HTML::Parser	3.40	More HTML in Product/Group Descriptions
HTML::Scrubber	(Any)	More HTML in Product/Group Descriptions
Email::MIME::Attachment::Stripper	(Any)	Inbound Email
Email::Reply	(Any)	Inbound Email
TheSchwartz	(Any)	Mail Queueing
Daemon::Generic	(Any)	Mail Queueing
mod_perl2	1.999022	mod_perl

New Features and Improvements

• General Usability Improvements
• New Extensions System
• Improved Quicksearch
• Simple "Browse" Interface
• SUExec Support
• Experimental mod_perl Support on Windows
• Send Attachments by Email
• JSON-RPC Interface
• Migration From Other Bug-Trackers
• Other Enhancements and Changes

General Usability Improvements

A scientific usability study was done on Bugzilla by researchers from Carnegie-Mellon University. As a result of this study, several usability issues were prioritized to be fixed, based on specific data from the study.

As a result, you will see many small improvements in Bugzilla's usability, such as using Javascript to validate certain forms before they are submitted, standardizing the words that we use in the user interface, being clearer about what Bugzilla needs from the user, and other changes, all of which are also listed individually in this New Features section.

Work continues on improving usability for the next release of Bugzilla, but the results of the research have already had an impact on this 3.6 release.

New Extensions System

Bugzilla has a brand-new Extensions system. The system is consistent, fast, and fully documented. It makes it possible to easily extend Bugzilla's code and user interface to add new features or change existing features. There's even a script that will create the basic layout of an extension for you, to help you get started. For more information about the new system, see the Extensions documentation.

If you had written any extensions using Bugzilla's previous extensions system, there is a script to help convert old extensions into the new format.

Improved Quicksearch

The "quicksearch" box that appears on the front page of Bugzilla and in the header/footer of every page is now simplified and made more powerful. There is a [?] link next to the box that will take you to the simplified Quicksearch Help, which describes every single feature of the system in a simple layout, including new features such as the ability to use partial field names when searching.

Quicksearch should also be much faster than it was before, particularly on large installations.

Note that in order to implement the new quicksearch, certain old and rarely-used features had to be removed:

• + as a prefix to mean "search additional resolutions", and + as a prefix to mean "search just the summary". You can instead use summary: to explicitly search summaries.
• Searching the Severity field if you type something that matches the first few characters of a severity. You can explicitly search the Severity field if you want to find bugs by severity.
• Searching the Priority field if you typed something that exactly matched the name of a priority. You can explicitly search the Priority field if you want to find bugs by priority.
• Searching the Platform and OS fields if you typed in one of a certain hard-coded list of strings (like "pc", "windows", etc.). You can explicitly search these fields, instead, if you want to find bugs with a specific Platform or OS set.

Simple "Browse" Interface

There is now a "Browse" link in the header of each Bugzilla page that presents a very basic interface that allows users to simply browse through all open bugs in particular components.

SUExec Support

Bugzilla can now be run in Apache's "SUExec" mode, which is what control panel software like cPanel and Plesk use (so Bugzilla should now be much easier to install on shared hosting). SUExec support shows up as an option in the localconfig file during installation.

Experimental mod_perl Support on Windows

There is now experimental support for running Bugzilla under mod_perl on Windows, for a significant performance enhancement (in exchange for using more memory).

Send Attachments by Email

The email_in script now supports attaching multiple attachments to a bug by email, both when filing and when updating a bug.

JSON-RPC Interface

Bugzilla now has support for the JSON-RPC WebServices protocol via jsonrpc.cgi. The JSON-RPC interface is experimental in this release--if you want any fundamental changes in how it works, let us know, for the next release of Bugzilla.

Migration From Other Bug-Trackers

Bugzilla 3.6 comes with a new script, migrate.pl, which allows migration from other bug-tracking systems. Among the various features of the migration system are:

• It is non-destructive--you can migrate into an existing Bugzilla installation without destroying any data in the installation.
• It has a "dry-run" mode so you can test your migration before actually running it.
• It is relatively easy to write new migrators for new systems, if you know Perl. The basic migration framework does most of the work for you, you just have to provide it with the data from your bug-tracker. See the Bugzilla::Migrate documentation and see our current migrator, Bugzilla/Migrate/GNATS.pm for information on how to make your own migrator.

The first migrator that has been implemented is for the GNATS bug-tracking system. We'd love to see migrators for other systems! If you want to contribute a new migrator, see our development process for details on how to get code into Bugzilla.

Thanks to Lambda Research for funding the initial development of this feature.

Other Enhancements and Changes

Enhancements for Users

• Bug Filing: When filing a bug, Bugzilla now visually indicates which fields are mandatory.
• Bug Filing: "Bookmarkable templates" now support the "alias" and "estimated hours" fields.
• Bug Editing: In previous versions of Bugzilla, if you added a private comment to a bug, then none of the changes that you made at that time were sent to users who couldn't see the private comment. Now, for users who can't see private comments, public changes are sent, but the private comment is excluded from their email notification.
• Bug Editing: The controls for groups now appear to the right of the attachment and time-tracking tables, when editing a bug.
• Bug Editing: The "Collapse All Comments" and "Expand All Comments" links now appear to the right of the comment list instead of above it.
• Bug Editing: The See Also field now supports URLs for Google Code Issues and the Debian Bug-Tracking System.
• Bug Editing: There have been significant performance improvements in show_bug.cgi (the script that displays thebug-editing form), particularly for bugs that have lots of comments or attachments.
• Attachments: The "Details" page of an attachment now displays itself as uneditable if you can't edit the fields there.
• Attachments: We now make sure that there is a Description specified for an attachment, using JavaScript, before the form is submitted.
• Attachments: There is now a link back to the bug at the bottom of the "Details" page for an attachment.
• Attachments: When you click on an "attachment 12345" link in a comment, if the attachment is a patch, you will now see the formatted "Diff" view instead of the raw patch.
• Attachments: For text attachments, we now let the browser auto-detect the character encoding, instead of forcing the browser to always assume the attachment is in UTF-8.
• Search: You can now display bug flags as a column in search results.
• Search: When viewing search results, you can see which columns are being sorted on, and which direction the sort is on, as indicated by arrows next to the column headers.
• Search: You can now search the Deadline field using relative dates (like "1d", "2w", etc.).
• Search: The iCalendar format of search results now includes a PRIORITY field.
• Search: It is no longer an error to enter an invalid search order in a search URL--Bugzilla will simply warn you that some of your order options are invalid.
• Search: When there are no search results, some helpful links are displayed, offering actions you might want to take.
• Search: For those who like to make their own buglist.cgi URLs (and for people working on customizations), buglist.cgi now accepts nearly every valid field in Bugzilla as a direct URL parameter, like &field=value.
• Requests: When viewing the "My Requests" page, you can now see the lists as a normal search result by clicking a link at the bottom of each table.
• Requests: When viewing the "My Requests" page, if you are using Classifications, the Product drop-down will be grouped by Classification.
• Inbound Email: When filing a bug by email, if the product that you are filing the bug into has some groups set as Default for you, the bug will now be placed into those groups automatically.
• Inbound Email: The field names that can be used when creating bugs by email now exactly matches the set of valid parameters to the Bug.create WebService function. You can still use most of the old field names that 3.4 and earlier used for inbound emails, though, for backwards-compatibility.
• If there are multiple languages available for your Bugzilla, you can now select what language you want Bugzilla displayed in using links at the top of every page.
• When creating a new account, you will be automatically logged in after setting your password.
• There is no longer a maximum password length for accounts.
• In the Dusk skin, it's now easier to see links.
• In the Whining system, you can now choose to receive emails even if there are no bugs that match your searches.
• The arrows in dependency graphs now point the other way, so that bugs point at their dependencies.
• New Charts: You can now convert an existing Saved Search into a data series for New Charts.
• New Charts: There is now an interface that allows you to delete data series.
• New Charts: When deleting a product, you now have the option to delete the data series that are associated with that product.

Enhancements for Administrators and Developers

• Depending on how your workflow is set up, it is now possible to have both UNCONFIRMED and REOPENED show up as status choices for a closed bug. If you only want one or the other to show up, you should edit your status workflow appropriately (possibly by removing or disabling the REOPENED status).
• You can now "disable" field values so that they don't show up as choices on a bug unless they are already set as the value for that bug. This doesn't work for the per-product field values (component, target_milestone, and version) yet, though.
• Users are now locked out of their accounts for 30 minutes after trying five bad passwords in a row during login. Every time a user is locked out like this, the user in the "maintainer" parameter will get an email.
• The minimum length allowed for a password is now 6 characters.
• The UNCONFIRMED status being enabled in a product is now unrelated to the voting parameters. Instead, there is a checkbox to enable the UNCONFIRMED status in a product.
• Information about duplicates is now stored in the database instead of being stored in the data/ directory. On large installations this could save several hundred megabytes of disk space.
• Installation: When installing Bugzilla, the "maintainer" parameter will be automatically set to the administrator that was created by checksetup.pl.
• Installation: checksetup.pl now prints out certain errors in a special color so that you know that something needs to be done.
• Installation: checksetup.pl is now much faster at upgrading installations, particularly older installations. Also, it's been made faster to run for the case where it's not doing an upgrade.
• Installation: If you install Bugzilla using the tarball, the CGI.pm module from CPAN is now included in the lib/ dir. If you would rather use the CGI.pm from your global Perl installation, you can delete CGI.pm and the CGI directory from the lib/ directory.
• When editing a group, you can now specify that members of a group are allowed to grant others membership in that group itself.
• The ability to compress BMP attachments to PNGs is now an Extension. To enable the feature, remove the file extensions/BmpConvert/disabled and then run checksetup.pl.
• The default list of values for the Priority field are now clear English words instead of P1, P2, etc.
• There is now a system in place so that all field values can be localized. See the value_descs variable in template/en/default/global/field-descs.none.tmpl.
• config.cgi now returns an ETag header and understands the If-None-Match header in HTTP requests.
• The XML format of show_bug.cgi now returns more information: the numeric id of each comment, whether an attachment is a URL, the modification time of an attachment, the numeric id of a flag, and the numeric id of a flag's type.
• Parameters: Parameters that aren't actually required are no longer in the "Required" section of the Parameters page. Instead, some are in the new "General" section, and some are in the new "Advanced" section.
• Parameters: The old ssl parameter has been changed to ssl_redirect, and can only be turned "on" or "off". If "on", then all users will be forcibly redirected to SSL whenever they access Bugzilla. When the parameter is off, no SSL-related redirects will occur (even if the user directly accesses Bugzilla via SSL, they will not be redirected to a non-SSL page).
• Parameters: In the Advanced parameters, there is a new parameter, inbound_proxies. If your Bugzilla is behind a proxy, you should set this parameter to the IP address of that proxy. Then, Bugzilla will "believe" any "X-Forwarded-For" header sent from that proxy, and correctly use the X-Forwarded-For as the end user's IP, instead of believing that all traffic is coming from the proxy.
• Removed Parameter: The loginnetmask parameter has been removed. Since Bugzilla sends secure cookies, it's no longer necessary to always restrict logins to a specific IP or block of addresses.
• Removed Parameter: The quicksearch_comment_cutoff parameter is gone. Quicksearch now always searches comments; however, it uses a much faster algorithm to do it.
• Removed Parameter: The usermatchmode parameter has been removed. User-matching is now always done.
• Removed Parameter: The useentrygroupdefault parameter has been removed. Bugzilla now always behaves as though that parameter were off.
• The t/001compile.t test should now always pass, no matter what configuration of optional modules you do or don't have installed.
• New script: contrib/console.pl, which allows you to have a "command line" into Bugzilla by inputting Perl code or using a few custom commands.

WebService Changes

• The WebService now returns all dates and times in the UTC timezone. Bugzilla.time now acts as though the Bugzilla server were in the UTC timezone, always. If you want to write clients that are compatible across all Bugzilla versions, check the timezone from Bugzilla.timezone or Bugzilla.time, and always input times in that timezone and expect times to be returned in that format.
• You can now log in by passing Bugzilla_login and Bugzilla_password as arguments to any WebService function. See the Bugzilla::WebService documentation for details.
• New Method: Bug.attachments which allows getting information about attachments.
• New Method: Bug.fields, which gets information about all the fields that a bug can have in Bugzilla, include custom fields and legal values for all fields. The Bug.legal_values method is now deprecated.
• In the Bug.add_comment method, the "private" parameter has been renamed to "is_private" (for consistency with other methods). You can still use "private", though, for backwards-compatibility.
• The WebService now has Perl's "taint mode" turned on. This means that it validates all data passed in before sending it to the database. Also, all parameter names are validated, and if you pass in a parameter whose name contains anything other than letters, numbers, or underscores, that parameter will be ignored. Mostly this just affects customizers--Bugzilla's WebService is not functionally affected by these changes.
• In previous versions of Bugzilla, error messages were sent word-wrapped to the client, from the WebService. Error messages are now sent as one unbroken line.

Outstanding Issues

• Bug 423439: Tabs in comments will be converted to four spaces, due to a bug in Perl as of Perl 5.8.8.
• Bug 69621: If you rename or remove a keyword that is in use on bugs, you will need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing the option to rebuild the cache when it asks. Otherwise keywords may not show up properly in search results.
• Bug 89822: When changing multiple bugs at the same time, there is no "mid-air collision" protection.
• Bug 276230: The support for restricting access to particular Categories of New Charts is not complete. You should treat the 'chartgroup' Param as the only access mechanism available.
  However, charts migrated from Old Charts will be restricted to the groups that are marked MANDATORY for the corresponding Product. There is currently no way to change this restriction, and the groupings will not be updated if the group configuration for the Product changes.

Notes On Upgrading From a Previous Version

When upgrading to 3.6, checksetup.pl will create foreign keys for many columns in the database. Before doing this, it will check the database for consistency. If there are an unresolvable consistency problems, it will tell you what table and column in the database contain the bad values, and which values are bad. If you don't know what else to do, you can always delete the database records which contain the bad values by logging in to your database and running the following command:

DELETE FROM table WHERE column IN (1, 2, 3, 4)

Just replace "table" and "column" with the name of the table and column that checksetup.pl mentions, and "1, 2, 3, 4" with the invalid values that checksetup.pl prints out.

Remember that you should always back up your database before doing an upgrade.

Code Changes Which May Affect Customizations

• There is no longer a SendBugMail method in the templates, and bugmail is no longer sent by processing a template. Instead, it is sent by using Bugzilla::BugMail::Send.
• Comments are now represented as a Bugzilla::Comment object instead of just being hashes.
• In previous versions of Bugzilla, the template for displaying a bug required a lot of extra variables that are now global template variables instead.
• You can now check if optional modules are installed by using Bugzilla->feature in Perl code or feature_enabled in template code.
• All of the various template header information required to display the bug form is now in one template, template/en/default/bug/show-header.html.tmpl.
• You should now use display_value instead of get_status or get_resolution in templates. display_value should be used anywhere that a <select>-type field has its values displayed.

Bugzilla 3.4 Release Notes

• Introduction
• Updates in this 3.4.x Release
• Minimum Requirements
• New Features and Improvements
• Outstanding Issues
• Notes On Upgrading From a Previous Version
• Code Changes Which May Affect Customizations
• Release Notes for Previous Versions

Introduction

This is Bugzilla 3.4! Bugzilla 3.4 brings a lot of great enhancements for Bugzilla over previous versions, with various improvements to the user interface, lots of interesting new features, and many long-standing requests finally being addressed.

If you're upgrading, make sure to read Notes On Upgrading From a Previous Version. If you are upgrading from a release before 3.2, make sure to read the release notes for all the previous versions in between your version and this one, particularly the Upgrading section of each version's release notes.

We would like to thank Canonical Ltd. for funding development of one new feature, and NASA for funding development of several new features through the San Jose State University Foundation.

Updates In This 3.4.x Release

3.4.6

• When doing a search that involves "not equals" or "does not contain the string" or similar "negative" search types, the search description that appears at the top of the resulting bug list will indicate that the search was of that type. (Bug 474738)
• In Internet Explorer, users couldn't easily mark a RESOLVED DUPLICATE bug as REOPENED, due to a JavaScript error. (Bug 546719)
• If you use a "bookmarkable template" to pre-fill forms on the bug-filing page, and you have custom fields that are only supposed to appear (or only supposed to have certain values) based on the values of other fields, those custom fields will now work properly. (Bug 538211)
• If you have a custom field that's only supposed to appear when a bug's resolution is FIXED, it will now behave properly on the bug-editing form when a user sets the bug's status to RESOLVED. (Bug 520993)
• If you are logged-out and using request.cgi, the Requester and Requestee fields no longer respect the usermatching parameter--they always require full usernames. (Bug 533018)
• If you tried to do a search with too many terms (resulting in a URL that was longer than about 7000 characters), Apache would return a 500 error instead of your search results. (Bug 513989)
• Bugzilla would sometimes lose fields from your sort order when you added new fields to your sort order. (Bug 470214)
• The Atom format of search results would sometimes be missing the Reporter or Assignee field for some bugs. (Bug 537834)

3.4.5

This release contains fixes for multiple security issues. See the Security Advisory for details.

In addition, the following important fixes/changes have been made in this release:

• Whining was failing if jobqueue.pl was enabled. (Bug 530270)
• The Assignee field was empty in Whine mails. (Bug 511216)
• Administrators can now successfully create user accounts using editusers.cgi when using the "Env" authentication method. (Bug 483987)
• Bugmail now uses the timezone of the recipient of the email, when displaying the time a comment was made, instead of the timezone of the person who made the change. (Bug 534587)
• "bug 1234" in comments sometimes would not become a link if word-wrapping happened between "bug" and the number. (Bug 514703)
• Running checksetup.pl on Windows will no longer pop up an error box about OCI.dll. (Bug 480968)

3.4.4

This release contains a fix for a security issue. See the Security Advisory for details.

Additionally, this release fixes a few minor bugs.

3.4.3

• Bugzilla installations running under mod_perl were leaking about 512K of RAM per page load. (Bug 517793)
• Attachments with Unicode characters in their names were being downloaded with mangled names. (Bug 328628)
• Creating custom fields with Unicode in their database column name is now no longer allowed, as it would break Bugzilla. If you created such a custom field, you should delete it by first marking it obsolete and then clicking "Delete" in the custom field list, using editfields.cgi. (Bug 525025)
• Clicking "submit only my comment" on the "mid-air collisions" page was leading to a "Suspicious Action" warning. (Bug 514378)
• The XML format of a bug accidentally contained the word-wrapped content of comments instead of the unwrapped content. (Bug 509152)
• You can now do ./install-module.pl --shell to get a CPAN shell using the configuration of install-module.pl, which allows you to do more advanced Perl module installation tasks. (Bug 445875)

3.4.2

This release contains fixes for multiple security issues, one of which is highly critical. See the Security Advisory for details.

In addition, the following important fixes/changes have been made in this release:

• Upgrades from older releases were sometimes failing during UTF-8 conversion with a foreign key error. (Bug 508181)
• Sorting bug lists on certain fields would result in an error. (Bug 510944)
• Bug update emails had two or three blank lines at the top and between the various sections of the email. There is now only one blank line in each of those places, making these emails more compact. (Bug 73330)
• Bug email notifications for new bugs incorrectly had a line saying that the description was "Comment 0". (Bug 510798)
• Running ./collectstats.pl --regenerate is now much faster, on the order of 20x or 100x faster. (Bug 286625)
• For users of RHEL, CentOS, Fedora, etc. jobqueue.pl can now automatically be installed as a daemon by running ./jobqueue.pl install as root. (Bug 475403)
• XML-RPC interface responses had an incorrect Content-Length header and would sometimes be truncated, if they contained certain UTF-8 characters. (Bug 486306)
• Users who didn't have access to the time-tracking fields would get an empty bug update email when the time-tracking fields were changed. (Bug 509035)
• In the New Charts, non-public series now no longer show up as selectable if you cannot access them. (Bug 389396)

3.4.1

This release contains an important security fix. See the Security Advisory for details.

Minimum Requirements

Any requirements that are new since 3.2.3 will look like this.

• Perl
• For MySQL Users
• For PostgreSQL Users
• For Oracle Users
• Required Perl Modules
• Optional Perl Modules

Perl

Perl v5.8.1

For MySQL Users

• MySQL v4.1.2
• perl module: DBD::mysql v4.00

For PostgreSQL Users

• PostgreSQL v8.00.0000
• perl module: DBD::Pg v1.45

For Oracle Users

• Oracle v10.02.0
• perl module: DBD::Oracle v1.19

Required Perl Modules

Module	Version
CGI	3.21
Digest::SHA	(Any)
Date::Format	2.21
DateTime	0.28
DateTime::TimeZone	0.71
DBI	1.41
Template	2.22
Email::Send	2.00
Email::MIME	1.861
Email::MIME::Encodings	1.313
Email::MIME::Modifier	1.442
URI	(Any)

Optional Perl Modules

The following perl modules, if installed, enable various features of Bugzilla:

Module	Version	Enables Feature
LWP::UserAgent	(Any)	Automatic Update Notifications
Template::Plugin::GD::Image	(Any)	Graphical Reports
GD::Text	(Any)	Graphical Reports
GD::Graph	(Any)	Graphical Reports
GD	1.20	Graphical Reports, New Charts, Old Charts
Email::MIME::Attachment::Stripper	(Any)	Inbound Email
Email::Reply	(Any)	Inbound Email
Net::LDAP	(Any)	LDAP Authentication
TheSchwartz	(Any)	Mail Queueing
Daemon::Generic	(Any)	Mail Queueing
HTML::Parser	3.40	More HTML in Product/Group Descriptions
HTML::Scrubber	(Any)	More HTML in Product/Group Descriptions
XML::Twig	(Any)	Move Bugs Between Installations
MIME::Parser	5.406	Move Bugs Between Installations
Chart::Base	1.0	New Charts, Old Charts
Image::Magick	(Any)	Optionally Convert BMP Attachments to PNGs
PatchReader	0.9.4	Patch Viewer
Authen::Radius	(Any)	RADIUS Authentication
Authen::SASL	(Any)	SMTP Authentication
SOAP::Lite	0.710.06	XML-RPC Interface
mod_perl2	1.999022	mod_perl

New Features and Improvements

• Simple Bug Filing
• New Home Page
• Email Addresses Hidden From Logged-Out Users
• Shorter Search URLs
• Asynchronous Email Sending
• Dates and Times Displayed In User's Time Zone
• Custom Fields That Only Appear When Another Field Has a Particular Value
• Custom Fields Whose List of Values Change Depending on the Value of Another Field
• New Custom Field Type: Bug ID
• "See Also" Field
• Re-order Columns in Search Results
• Search Descriptions
• Other Enhancements and Changes

Simple Bug Filing

When entering a new bug, the vast majority of fields are now hidden by default, which enormously simplifies the bug-filing form. You can click "Show Advanced Fields" to show all the fields, if you want them. Bugzilla remembers whether you last used the "Advanced" or "Simple" version of the bug-entry form, and will display the same version to you again next time you file a bug.

New Home Page

Bugzilla's front page has been redesigned to be better at guiding new users into the activities that they most commonly want to do. Further enhancements to the home page are coming in future versions of Bugzilla.

Email Addresses Hidden From Logged-Out Users

To help prevent spam to Bugzilla users, all email addresses stored in Bugzilla are now displayed only if you are logged in. If you are logged out, only the part before the "@" of the email address is displayed. This includes bug lists, viewing bugs, the XML format of a bug, and any other place in the web interface that an email address could appear.

Email addresses are not filtered out of bug comments. The WebService still returns full email addresses, even if you are logged out.

Shorter Search URLs

When submitting a search, all the unused fields are now stripped from the URL, so search URLs are much more meaningful, and much shorter.

Asynchronous Email Sending

The largest performance problem in former versions of Bugzilla was that when updating bugs, email would be sent immediately to every user who needed to be notified, and process_bug.cgi would wait for the emails to be sent before continuing.

Now Bugzilla is capable of queueing emails to be sent while a bug is being updated, and sending them in the background. This requires the administrator to run a daemon that comes with Bugzilla, named jobqueue.pl, and to enable the use_mailer_queue parameter.

Using the background email-sending daemon instead of sending mail directly should result in a very large speed-up for updating bugs, particularly on larger installations.

Dates and Times Displayed In User's Time Zone

Users can now select what time zone they are in and Bugzilla will adjust displayed times to be correct for their time zone. However, times the user inputs are unfortunately still in Bugzilla's time zone.

Custom Fields That Only Appear When Another Field Has a Particular Value

When creating a new custom field (or updating the definition of an existing custom field), you can now say that "this field only appears when field X has value Y". (In the future, you will be able to select multiple values for "Y", so a field will appear when any one of those values is selected.)

This feature only hides fields--it doesn't make their values go away. So bugs will still show up in searches for that field's value, but the field won't appear in the user interface.

This is a good way of making Product-specific fields.

Custom Fields Whose List of Values Change Depending on the Value of Another Field

When creating a drop-down or multiple-selection custom field, you can now specify that another field "controls the values" of this field. Then, when adding values to this field, you can say that a particular value only appears when the other field is set to a particular value.

Here's an example: Let's say that we create a field called "Colors", and we make the Product field "control the values" for Colors. Then we add Blue, Red, Black, and Yellow as legal values for the "Colors" field. Now we can say that "Blue" and "Red" only appear as valid choices in Product A, "Yellow" only appears in Product B, but "Black" always appears.

One thing to note is that this feature only controls what values appear in the user interface. Bugzilla itself will still accept any combination of values as valid, in the backend.

New Custom Field Type: Bug ID

You can now create a custom field that holds a reference to a single valid bug ID. In the future this will be enhanced to allow bugs to refer to each other via this field.

"See Also" Field

We have added a new standard field called "See Also" to Bugzilla. In this field, you can put URLs to multiple bugs in any Bugzilla installation, to indicate that those bugs are related to this one. It also supports adding URLs to bugs in Launchpad.

Right now, the field just validates the URLs and then displays them, but in the future, it will grab information from the other installation about the bug and display it here, and possibly even update the other installation.

If your installation does not need this field, you can hide it by disabling the use_see_also parameter.

Re-order Columns in Search Results

There is a new interface for choosing what columns appear in search results, which allows you to change the order in which columns appear from left to right when viewing the bug list.

Search Descriptions

When displaying search results, Bugzilla will now show a brief description of what you searched for, at the top of the bug list.

Other Enhancements and Changes

Enhancements for Users

• You can now log in from every page, using the login form that appears in the header or footer when you click "Log In".
• When viewing a bug, obsolete attachments are now hidden from the attachment list by default. You can show them by clicking "Show Obsolete" at the bottom of the attachment list.
• In the Email Preferences, you can now choose to get email when a new bug report is filed and you have a particular role on it.
• When resolving a mid-air collision, you can now choose to submit only your comment.
• You can now set the Blocks and Depends On field on the "Change Several Bugs At Once" page.
• If your installation uses the "insidergroup" feature, you can now add private comments on the "Change Several Bugs At Once" page.
• When viewing a search result, you can now hover over any abbreviated field to see its full value.
• When logging out, users are now redirected to the main page of Bugzilla instead of an empty page.
• When editing a bug, text fields (except the comment box) now grow longer when you widen your browser window.
• When viewing a bug, the Depends On and Blocks list will display a bug's alias if it has one, instead of its id. Also, closed bugs will be sorted to the end of the list.
• If you use the time-tracking features of Bugzilla, and you enable the time-tracking related columns in a search result, then you will see a summary of the time-tracking data at the bottom of the search result.
• For users of time-tracking, the summarize_time.cgi page now contains more data.
• When viewing an attachment's details page while you are logged-out, flags are no longer shown as editable.
• Cloning a bug will now retain the "Blocks" and "Depends On" fields from the bug being cloned.
• Bugmail for new bugs will now indicate what security groups the bug has been restricted to.
• You can now use any custom drop-down field as an axis for a tabular or graphical report.
• The X-Bugzilla-Type header in emails sent by Bugzilla is now "new" for bugmail sent for newly-filed bugs, and "changed" for emails having to do with updated bugs.
• Mails sent by the "Whining" system now contain the header X-Bugzilla-Type: whine.
• bugmail now contains a X-Bugzilla-URL header to uniquely identify which Bugzilla installation the email came from.
• If you input an invalid regular expression anywhere in Bugzilla, it will now tell you explicitly instead of failing cryptically.
• The duplicates.xul page (which wasn't used by very many people) is now gone.

Enhancements for Administrators and Developers

• Bugzilla now uses the SHA-256 algorithm (a variant of SHA-2) to encrypt passwords in the database, instead of using Unix's "crypt" function. This allows passwords longer than eight characters to actually be effective. Each user's password will be converted to SHA-256 the first time they log in after you upgrade to Bugzilla 3.4 or later.
• If you are using database replication with Bugzilla, many more scripts now take advantage of the read-only slave (the "shadowdb"). It may be safe to open up show_bug.cgi to search-engine indexing by editing your robots.txt file, now, if your Bugzilla is on fast-enough hardware.
• The database now uses foreign keys to enforce the validity of relationships between tables. Not every single table has all its foreign keys yet, but most do.
• Various parameters have been removed, in an effort to de-clutter the parameter interface and simplify Bugzilla's code. The parameters that were removed were: timezone, supportwatchers, maxpatchsize, commentonclearresolution, commentonreassignbycomponent, showallproducts. They have all been replaced with sensible default behaviors. (For example, user watching is now always enabled.)
• When adding &debug=1 to the end of a buglist.cgi URL, Bugzilla will now also do an EXPLAIN on the query, to help debug performance issues.
• When editing flag types in the administrative interface, you can now see how many flags of each type have been set.

WebService Changes

• Various functions have been added to the WebService: Bug.history, Bug.search, Bug.comments, Bug.update_see_also, User.get, and Bugzilla.time (Bugzilla.timezone is now deprecated).
• For network efficiency, you can now limit which fields are returned from certain WebService functions, like User.get.
• There is now a "permissive" argument for the Bug.get WebService function, which causes it not to throw an error when you ask for bugs you can't see.
• The Bug.get method now returns many more fields.
• The Bug.add_comment method now returns the ID of the comment that was just added.
• The Bug.add_comment method will now throw an error if you try to add a private comment but do not have the correct permissions. (In previous versions, it would just silently ignore the private argument if you didn't have the correct permissions.)
• Many WebService function parameters now take individual values in addition to arrays.
• The WebService now validates input types--it makes sure that dates are in the right format, that ints are actually ints, etc. It will throw an error if you send it invalid data. It also accepts empty ints, doubles, and dateTimes, and translates them to undef.

Outstanding Issues

• Bug 423439: Tabs in comments will be converted to four spaces, due to a bug in Perl as of Perl 5.8.8.
• Bug 69621: If you rename or remove a keyword that is in use on bugs, you will need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing the option to rebuild the cache when it asks. Otherwise keywords may not show up properly in search results.
• Bug 89822: When changing multiple bugs at the same time, there is no "mid-air collision" protection.
• Bug 276230: The support for restricting access to particular Categories of New Charts is not complete. You should treat the 'chartgroup' Param as the only access mechanism available.
  However, charts migrated from Old Charts will be restricted to the groups that are marked MANDATORY for the corresponding Product. There is currently no way to change this restriction, and the groupings will not be updated if the group configuration for the Product changes.
• Bug 370370: mod_perl support is currently not working on Windows machines.

Notes On Upgrading From a Previous Version

When upgrading to 3.4, checksetup.pl will create foreign keys for many columns in the database. Before doing this, it will check the database for consistency. If there are an unresolvable consistency problems, it will tell you what table and column in the database contain the bad values, and which values are bad. If you don't know what else to do, you can always delete the database records which contain the bad values by logging in to your database and running the following command:

DELETE FROM table WHERE column IN (1, 2, 3, 4)

Just replace "table" and "column" with the name of the table and column that checksetup.pl mentions, and "1, 2, 3, 4" with the invalid values that checksetup.pl prints out.

Remember that you should always back up your database before doing an upgrade.

Code Changes Which May Affect Customizations

• checksetup.pl now re-writes the localconfig file every time it runs, keeping the current values set (if there are any), but moving any unexpected variables into a file called localconfig.old. If you want to continue having custom varibles in localconfig, you will have to add them to the LOCALCONFIG_VARS constant in Bugzilla::Install::Localconfig.
• Bugzilla::Object->update() now returns something different in list context than it does in scalar context.
• Bugzilla::Object->check() now can take object ids in addition to names. Just pass in { id => $some_value }.
• Instead of being defined in buglist.cgi, columns for search results are now defined in a subroutine called COLUMNS in Bugzilla::Search. The data now mostly comes from the fielddefs table in the database. Search.pm now takes a list of column names from fielddefs for its fields argument instead of literal SQL columns.
• Bugzilla::Field->legal_values now returns an array of Bugzilla::Field::Choice objects instead of an array of strings. Bugzilla::Field::Choice will be used in more places, in the future.
• We now use Bugzilla::Bug->check() instead of ValidateBugId.
• The groups and bless_groups methods in Bugzilla::User now return an arrayref of Bugzilla::Group objects instead of a hashref with group ids and group names.
• Standard Bugzilla drop-down fields now have their type set to FIELD_TYPE_SINGLE_SELECT in the fielddefs table.
• Bugzilla->usage_mode now defaults to USAGE_MODE_CMDLINE if we are not running inside a web server.
• We no longer delete environment variables like $ENV{PATH} automatically unless we're actually running in taint mode.
• We are now using YUI 2.6.0.
• In the RDF format of config.cgi, the "resource" attribute for flags now contains "flag.cgi" instead of "flags.cgi".

Bugzilla 3.2 Release Notes

Table of Contents

• Introduction
• Updates In This 3.2.x Release
• Security Fixes In This 3.2.x Release
• Minimum Requirements
• New Features and Improvements
• Outstanding Issues
• How to Upgrade From An Older Version
• Code Changes Which May Affect Customizations
• Release Notes for Previous Versions

Introduction

Welcome to Bugzilla 3.2! This is our first major feature release since Bugzilla 3.0, and it brings a lot of great improvements and polish to the Bugzilla experience.

If you're upgrading, make sure to read How to Upgrade From An Older Version. If you are upgrading from a release before 3.0, make sure to read the release notes for all the previous versions in between your version and this one, particularly the "Notes For Upgraders" section of each version's release notes.

Updates in this 3.2.x Release

This section describes what's changed in the most recent bug-fix releases of Bugzilla after 3.2. We only list the most important fixes in each release. If you want a detailed list of everything that's changed in each version, you should use our Change Log Page.

3.2.3

• Bugzilla is now compatible with MySQL 5.1.x versions 5.1.31 and greater. (Bug 480001)
• On Windows, Bugzilla sometimes would send mangled emails (that would often fail to send). (Bug 467920)
• recode.pl would sometimes crash when trying to convert databases from older versions of Bugzilla. (Bug 431201)
• Running a saved search with Unicode characters in its name would cause Bugzilla to crash. (Bug 477513)
• Bugzilla clients like Mylyn can now update bugs again (the bug XML format now contains a "token" element that can be used when updating a bug). (Bug 476678)
• For installations using the shadowdb parameter, Bugzilla was accidentally writing to the "tokens" table in the shadow database (instead of the master database) when using the "Change Several Bugs at Once" page. (Bug 476943)

This release also contains a security fix. See the Security Fixes Section for details.

3.2.2

This release fixes one security issue that is critical for installations running 3.2.1 under mod_perl. See the Security Advisory for details.

3.2.1

• Attachments, charts, and graphs would sometimes be garbled on Windows. (Bug 464992)
• Saving changes to parameters would sometimes fail silently (particularly on Windows when the web server didn't have the right permissions to update the params file). Bugzilla will now throw an error in this case, telling you what is wrong. (Bug 347707)
• If you were using the usemenuforusers parameter, and a bug was assigned to (or had a QA Contact of) a disabled user, that field would be reset to the first user in the list when updating a bug. (Bug 465589)
• If you were using the PROJECT environment variable to have multiple Bugzilla installations using one codebase, project-specific templates were being ignored. (Bug 467324)
• Some versions of the SOAP::Lite Perl module had a bug that caused Bugzilla's XML-RPC service to break. checksetup.pl now checks for these bad versions and will reject them. (Bug 468009)
• The font sizes in various places were too small, when using the Classic skin. (Bug 469136)

Security Fixes In This 3.2.x Release

3.2.3

This release fixes one security issue related to attachments. See the Security Advisory for details.

3.2.2

This release fixes one security issue that is critical for installations running 3.2.1 under mod_perl. See the Security Advisory for details.

3.2.1

This release contains several security fixes. One fix may break any automated scripts you have that are loading process_bug.cgi directly. We recommend that you read the entire Security Advisory for this release.

Minimum Requirements

Any requirements that are new since 3.0.5 will look like this.

• Perl
• For MySQL Users
• For PostgreSQL Users
• For Oracle Users
• Required Perl Modules
• Optional Perl Modules

Perl

Perl v5.8.1

For MySQL Users

• MySQL v4.1.2
• perl module: DBD::mysql v4.00

For PostgreSQL Users

• PostgreSQL v8.00.0000
• perl module: DBD::Pg v1.45

Email Addresses Hidden From Logged-Out Users For Oracle Users

• Oracle v10.02.0
• perl module: DBD::Oracle v1.19

Required Perl Modules

Module	Version
CGI	3.21 (on Perl 5.8.x) or 3.33 (on Perl 5.10.x)
Date::Format	2.21
File::Spec	0.84
DBI	1.41
Template	2.15
Email::Send	2.00
Email::MIME	1.861
Email::MIME::Encodings	1.313
Email::MIME::Modifier	1.442

Optional Perl Modules

The following perl modules, if installed, enable various features of Bugzilla:

Module	Version	Enables Feature
LWP::UserAgent	(Any)	Automatic Update Notifications
Template::Plugin::GD::Image	(Any)	Graphical Reports
GD::Text	(Any)	Graphical Reports
GD::Graph	(Any)	Graphical Reports
GD	1.20	Graphical Reports, New Charts, Old Charts
Email::MIME::Attachment::Stripper	(Any)	Inbound Email
Email::Reply	(Any)	Inbound Email
Net::LDAP	(Any)	LDAP Authentication
HTML::Parser	3.40	More HTML in Product/Group Descriptions
HTML::Scrubber	(Any)	More HTML in Product/Group Descriptions
XML::Twig	(Any)	Move Bugs Between Installations
MIME::Parser	5.406	Move Bugs Between Installations
Chart::Base	1.0	New Charts, Old Charts
Image::Magick	(Any)	Optionally Convert BMP Attachments to PNGs
PatchReader	0.9.4	Patch Viewer
Authen::Radius	(Any)	RADIUS Authentication
Authen::SASL	(Any)	SMTP Authentication
SOAP::Lite	(Any)	XML-RPC Interface
mod_perl2	1.999022	mod_perl

New Features and Improvements

• Major UI Improvements
• New Default Skin: Dusk
• Custom Status Workflow
• New Custom Field Types
• Easier Installation
• Experimental Oracle Support
• Improved UTF-8 Support
• Group Icons
• Other Enhancements and Changes

Major UI Improvements

Bugzilla 3.2 has had some UI assistance from the NASA Human-Computer Interaction department and the new Bugzilla User Interface Team.

In particular, you will notice a massively redesigned bug editing form, in addition to our new skin.

New Default Skin: Dusk

Bugzilla 3.2 now ships with a skin called "Dusk" that is a bit more colorful than old default "Classic" skin.

Upgrading installations will still default to the "Classic" skin--administrators can change the default in the Default Preferences control panel. Users can also choose to use the old skin in their Preferences (or using the View :: Page Style menu in Firefox).

The changes that Bugzilla required for Dusk made Bugzilla much easier to skin. See the Addons page for additional skins, or try making your own!

Custom Status Workflow

You can now customize the list of statuses in Bugzilla, and transitions between them.

You can also specify that a comment must be made on certain transitions.

New Custom Field Types

Bugzilla 3.2 has support for three new types of custom fields:

• Large Text: Adds a multi-line textbox to your bugs.
• Multiple Selection Box: Adds a box that allows you to choose multiple items from a list.
• Date/Time: Displays a date and time, along with a JavaScript calendar popup to make picking a date easier.

Easier Installation

Bugzilla now comes with a script called install-module.pl that can automatically download and install all of the required Perl modules for Bugzilla. It stores them in a directory inside your Bugzilla installation, so you can use it even if you don't have administrator-level access to your machine, and without modifying your main Perl install.

checksetup.pl will print out instructions for using install-module.pl, or you can read its documentation.

Experimental Oracle Support

Bugzilla 3.2 contains experimental support for using Oracle as its database. Some features of Bugzilla are known to be broken on Oracle, but hopefully will be working by our next major release.

The Bugzilla Project, as an open-source project, of course does not recommend the use of proprietary database solutions. However, if your organization requires that you use Oracle, this will allow you to use Bugzilla!

The Bugzilla Project thanks Oracle Corp. for their extensive development contributions to Bugzilla which allowed this to happen!

Improved UTF-8 Support

Bugzilla 3.2 now has advanced UTF-8 support in its code, including correct handling for truncating and wrapping multi-byte languages. Major issues with multi-byte or unusual languages are now resolved, and Bugzilla should now be usable by users in every country with little (or at least much less) customization.

Group Icons

Administrators can now specify that users who are in certain groups should have an icon appear next to their name whenever they comment. This is particularly useful for distinguishing developers from bug reporters.

Other Enhancements and Changes

These are either minor enhancements, or enhancements that have very short descriptions. Some of these are very useful, though!

Enhancements For Users

• Bugs: You can now reassign a bug at the same time as you are changing its status.
• Bugs: When entering a bug, you will now see the description of a component when you select it.
• Bugs: The bug view now contains some Microformats, most notably for users' names and email addresses.
• Bugs: You can now remove a QA Contact from a bug simply by clearing the QA Contact field.
• Bugs: There is now a user preference that will allow you to exclude the quoted text when replying to comments.
• Bugs: You can now expand or collapse individual comments in the bug view.
• Attachments: There is now "mid-air collision" protection when editing attachments.
• Attachments: Patches in the Diff Viewer now show line numbers (Example).
• Attachments: After creating or updating an attachment, you will be immediately shown the bug that the attachment is on.
• Search: You can now reverse the sort of a bug list by clicking on a column header again.
• Search: Atom feeds of bug lists now contain more fields.
• Search: QuickSearch now supports searching flags and groups. It also now includes the OS field in the list of fields it searches by default.
• Search: "Help" text can now appear on query.cgi for Internet Explorer and other non-Firefox browsers. (It always could appear for Firefox.)
• Bugzilla now ships with an icon that will show up next to the URL in most browsers. If you want to replace it, it's in images/favicon.ico.
• You can now set the Deadline when using "Change Several Bugs At Once"
• Saved Searches now save their column list, so if you customize the list of columns and save your search, it will always contain those columns.
• Saved Searches: When you share a search, you can now see how many users have subscribed to it, on userprefs.cgi.
• Saved Searches: You can now see what group a shared search was shared to, on the list of available shared searches in userprefs.cgi.
• Flags: If your installation uses drop-down user lists, the flag requestee box will now contain only users who are actually allowed to take requests.
• Flags: If somebody makes a request to you, and you change the requestee to somebody else, the requester is no longer set to you. In other words, you can "redirect" requests and maintain the original requester.
• Flags: Emails about flags now will thread properly in email clients to be a part of a bug's thread.
• When using email_in.pl, you can now add users to the CC list by just using @cc as the field name.
• Many pages (particularly administrative pages) now contain links to the relevant section of the Bugzilla Guide, so you can read the documentation for that page.
• Dependency Graphs should render more quickly, as they now (by default) only include the same bugs that you'd see in the dependency tree.

Enhancements For Administrators

• Admin UI: Instead of having the Administration Control Panel links in the footer, there is now just one link called "Administration" that takes you to a page that links to all the administrative controls for Bugzilla.
• Admin UI: Administrative pages no longer display confirmation pages, instead they redirect you to some useful page and display a message about what changed.
• Admin UI: The interface for editing group inheritance in editgroups.cgi is much clearer now.
• Admin UI: When editing a user, you can now see all the components where that user is the Default Assignee or Default QA Contact.
• Email: For installations that use SMTP to send mail (as opposed to Sendmail), Bugzilla now supports SMTP Authentication, so that it can log in to your mail server before sending messages.
• Email: Using the "Test" mail delivery method now creates a valid mbox file to make testing easier.
• Authentication: Bugzilla now correctly handles LDAP records which contain multiple email addresses. (The first email address in the list that is a valid Bugzilla account will be used, or if this is a new user, the first email address in the list will be used.)
• Authentication: Bugzilla can now take a list of LDAP servers to try in order until it gets a successful connection.
• Authentication: Bugzilla now supports RADIUS authentication.
• Security: The login cookie is now created as "HTTPOnly" so that it can't be read by possibly malicious scripts. Also, if SSL is enabled on your installation, the login cookie is now only sent over SSL connections.
• Security: The ssl parameter now protects every page a logged-in user accesses, when set to "authenticated sessions." Also, SSL is now enforced appropriately in the WebServices interface when the parameter is set.
• Database: Bugzilla now uses transactions in the database instead of table locks. This should generally improve performance with many concurrent users. It also means if there is an unexpected error in the middle of a page, all database changes made during that page will be rolled back.
• Database: You no longer have to set max_packet_size in MySQL to add large attachments. However, you may need to set it manually if you restore a mysqldump into your database.
• New WebService functions: Bug.add_comment and Bugzilla.extensions.
• You can now delete custom fields, but only if they have never been set on any bug.
• There is now a --reset-password argument to checksetup.pl that allows you to reset a user's password from the command line.
• There is now a script called sanitycheck.pl that you can run from the command line. It works just like sanitycheck.cgi. By default, it only outputs anything if there's an error, so it's ideal for administrators who want to run it nightly in a cron job.
• The strict_isolation parameter now prevents you from setting users who cannot see a bug as a CC, Assignee, or QA Contact. Previously it only prevented you from adding users who could not edit the bug.
• Extensions can now add their own headers to the HTML <head> for things like custom CSS and so on.
• sanitycheck.cgi has been templatized, meaning that the entire Bugzilla UI is now contained in templates.
• When setting the sslbase parameter, you can now specify a port number in the URL.
• When importing bugs using importxml.pl, attachments will have their actual creator set as their creator, instead of the person who exported the bug from the other system.
• The voting system is off by default in new installs. This is to prepare for the fact that it will be moved into an extension at some point in the future.
• The shutdownhtml parameter now works even when Bugzilla's database server is down.

Enhancements for Localizers (or Localized Installations)

• The documentation can now be localized--in other words, you can have documentation installed for multiple languages at once and Bugzilla will link to the correct language in its internal documentation links.
• Bugzilla no longer uses the languages parameter. Instead it reads the template/ directory to see which languages are available.
• Some of the messages printed by checksetup.pl can now be localized. See template/en/default/setup/strings.txt.pl.

Outstanding Issues

• Bug 423439: Tabs in comments will be converted to four spaces, due to a bug in Perl as of Perl 5.8.8.
• Bug 69621: If you rename or remove a keyword that is in use on bugs, you will need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing the option to rebuild the cache when it asks. Otherwise keywords may not show up properly in search results.
• Bug 89822: When changing multiple bugs at the same time, there is no "mid-air collision" protection.
• Bug 276230: The support for restricting access to particular Categories of New Charts is not complete. You should treat the 'chartgroup' Param as the only access mechanism available.
  However, charts migrated from Old Charts will be restricted to the groups that are marked MANDATORY for the corresponding Product. There is currently no way to change this restriction, and the groupings will not be updated if the group configuration for the Product changes.
• Bug 370370: mod_perl support is currently not working on Windows machines.

How to Upgrade From An Older Version

Notes For Upgraders

• If you upgrade by CVS, the extensions and skins/contrib directories are now in CVS instead of being created by checksetup.pl If you do a cvs update from 3.0, you will be told that your directories are "in the way" and you should delete (or move) them and then do cvs update again. Also, the docs directory has been restructured and after you cvs update you can delete the docs/html, docs/pdf, docs/txt, and docs/xml directories.
• If you are using MySQL, you should know that Bugzilla now uses InnoDB for all tables. checksetup.pl will convert your tables automatically, but if you have InnoDB disabled, the upgrade will not be able to complete (and checksetup.pl will tell you so).
• You should also read the Bugzilla 3.0 Notes For Upgraders section of the previous release notes if you are upgrading from a version before 3.0.

Steps For Upgrading

Once you have read the notes above, see the Upgrading documentation for instructions on how to upgrade.

Code Changes Which May Affect Customizations

• More Hooks!
• Search.pm Rearchitecture
• lib Directory
• Other Changes

More Hooks!

There are more code hooks in 3.2 than there were in 3.0. See the documentation of Bugzilla::Hook for more details.

Search.pm Rearchitecture

Bugzilla/Search.pm has been heavily modified, to be much easier to read and use. It contains mostly the same code as it did in 3.0, but it has been moved around and reorganized significantly.

lib Directory

As part of implementing install-module.pl, Bugzilla was given a local lib directory which it searches for modules, in addition to the standard system path.

This means that all Bugzilla scripts now start with use lib qw(. lib); as one of the first lines.

Other Changes

• You should now be using get_status('NEW') instead of status_descs.NEW in templates.
• The [%# version = 1.0 %] comment at the top of every template file has been removed.

Bugzilla 3.0.x Release Notes

Table of Contents

• Introduction
• Updates In This 3.0.x Release
• Minimum Requirements
• New Features and Improvements
• Outstanding Issues
• Security Fixes In This Release
• How to Upgrade From An Older Version
• Code Changes Which May Affect Customizations
• Release Notes for Previous Versions

Introduction

Welcome to Bugzilla 3.0! It's been over eight years since we released Bugzilla 2.0, and everything has changed since then. Even just since our previous release, Bugzilla 2.22, we've added a lot of new features. So enjoy the release, we're happy to bring it to you.

If you're upgrading, make sure to read How to Upgrade From An Older Version. If you are upgrading from a release before 2.22, make sure to read the release notes for all the previous versions in between your version and this one.

Updates in this 3.0.x Release

This section describes what's changed in the most recent bug-fix releases of Bugzilla after 3.0. We only list the most important fixes in each release. If you want a detailed list of everything that's changed in each version, you should use our Change Log Page.

3.0.6

• Before 3.0.6, unexpected fatal WebService errors would result in a faultCode that was a string instead of a number. (Bug 446327)
• If you created a product or component with the same name as one you previously deleted, it would fail with an error about the series table. (Bug 247936)

See also the Security Advisory section for information about a security issue fixed in this release.

3.0.5

• If you don't have permission to set a flag, it will now appear unchangeable in the UI. (Bug 433851)
• If you were running mod_perl, Bugzilla was not correctly closing its connections to the database since 3.0.3, and so sometimes the DB would run out of connections. (Bug 441592)
• The installation script is now clear about exactly which Email:: modules are required in Perl, thus avoiding the problem where emails show up with a body like SCALAR(0xBF126795). (Bug 441541)
• email_in.pl is no longer case-sensitive for values of @product. (Bug 365697)

See also the Security Advisory section for information about security issues fixed in this release.

3.0.4

• Bugzilla administrators were not being correctly notified about new releases. (Bug 414726)
• There could be extra whitespace in email subject lines. (Bug 411544)
• The priority, severity, OS, and platform fields were always required by the Bug.create WebService function, even if they had defaults specified. (Bug 384009)
• Better threading of bugmail in some email clients. (Bug 376453)
• There were many fixes to the Inbound Email Interface (email_in.pl). (Bug 92274, Bug 377025, Bug 412943, Bug 413672, and Bug 431721)
• checksetup.pl now handles UTF-8 conversion more reliably during upgrades. (Bug 374951)
• Comments written in CJK languages are now correctly word-wrapped. (Bug 388723)
• All emails will now be sent in the correct language, when the user has chosen a language for emails. (Bug 405946)
• On Windows, temporary files created when uploading attachments are now correctly deleted when the upload is complete. (Bug 414002)
• checksetup.pl now prints correct installation instructions for Windows users using Perl 5.10. (Bug 414430)

See also the Security Advisory section for information about security issues fixed in this release.

3.0.3

• mod_perl no longer compiles Bugzilla's code for each Apache process individually. It now compiles code only once and shares it among each Apache process. This greatly improves performance and highly decreases the memory footprint. (Bug 398241)
• You can now search for '---' (without quotes) in versions and milestones. (Bug 362436)
• Bugzilla should no longer break lines unnecessarily in email subjects. This was causing trouble with some email clients. (Bug 374424)
• If you had selected "I'm added to or removed from this capacity" option for the "CC" role in your email preferences, you wouldn't get mail when more than one person was added to the CC list at once. (Bug 394796)
• Deleting a user account no longer deletes whines from another user who has the deleted account as addressee. The schedule is simply removed, but the whine itself is left intact. (Bug 395924)
• contrib/merge-users.pl now correctly merges all required fields when merging two user accounts. (Bug 400160)
• Bugzilla no longer requires Apache::DBI to run under mod_perl. It caused troubles such as lost connections with the DB and didn't give any important performance gain. (Bug 408766)

3.0.2

• Bugzilla should now work on Perl 5.9.5 (and thus the upcoming Perl 5.10.0). (Bug 390442)

See also the Security Advisory section for information about an important security issue fixed in this release.

3.0.1

• For users of Firefox 2, the show_bug.cgi user interface should no longer "collapse" after you modify a bug. (Bug 370739)
• If you can bless a group, and you share a saved search with that group, it will no longer automatically appear in all of that group's footers unless you specifically request that it automatically appear in their footers. (Bug 365890)
• There is now a parameter to allow users to perform searches without any search terms. (In other words, to search for just a Product and Status on the Simple Search page.) The parameter is called specific_search_allow_empty_words. (Bug 385910)
• If you attach a file that has a MIME-type of text/x-patch or text/x-diff, it will automatically be treated as a patch by Bugzilla. (Bug 365756)
• Dependency Graphs now work correctly on all mod_perl installations. There should now be no remaining signficant problems with running Bugzilla under mod_perl. (Bug 370398)
• If moving a bug between products would remove groups from the bug, you are now warned. (Bug 303183)
• On IIS, whenever Bugzilla threw a warning, it would actually appear on the web page. Now warnings are suppressed, unless you have a file in the data directory called errorlog, in which case warnings will be printed there. (Bug 390148)
• If you used email_in.pl to edit a bug that was protected by groups, all of the groups would be cleared. (Bug 385453)
• PostgreSQL users: New Charts were failing to collect data over time. They will now start collecting data correctly. (Bug 257351)
• Some flag mails didn't specify who the requestee was. (Bug 379787)
• Instead of throwing real errors, collectstats.pl would just say that it couldn't find ThrowUserError. (Bug 380709)
• Logging into Bugzilla from the home page works again with IIS5. (Bug 364008)
• If you were using SMTP for sending email, sometimes emails would be missing the Date header. (Bug 304999).
• In the XML-RPC WebService, Bug.legal_values now correctly returns values for custom fields if you request values for custom fields. (Bug 381737)
• The "Bug-Writing Guidelines" page has been shortened and re-written. (Bug 378590)
• If your urlbase parameter included a port number, like www.domain.com:8080, SMTP might have failed. (Bug 384501)
• For SMTP users, there is a new parameter, smtp_debug. Turning on this parameter will log the full information about every SMTP session to your web server's error log, to help with debugging issues with SMTP. (Bug 384497)
• If you are a "global watcher" (you get all mails from every bug), you can now see that in your Email Preferences. (Bug 365302)
• The Status and Resolution of bugs are now correctly localized in CSV search results. (Bug 389517)
• The "Subject" line of an email was being mangled if it contained non-Latin characters. (Bug 387860)
• Editing the "languages" parameter using editparams.cgi would sometimes fail, causing Bugzilla to throw an error. (Bug 335354)

Minimum Requirements

Any requirements that are new since 2.22 will look like this.

• Perl
• For MySQL Users
• For PostgreSQL Users
• Required Perl Modules
• Optional Perl Modules

Perl

• Perl v5.8.0 (non-Windows platforms)
• Perl v5.8.1 (Windows platforms)

For MySQL Users

• MySQL v4.1.2
• perl module: DBD::mysql v2.9003

For PostgreSQL Users

• PostgreSQL v8.00.0000
• perl module: DBD::Pg v1.45

Required Perl Modules

Module	Version
CGI	2.93
Date::Format	2.21
DBI	1.41
File::Spec	0.84
Template	2.12
Email::Send	2.00
Email::MIME	1.861
Email::MIME::Modifier	1.442

Optional Perl Modules

The following perl modules, if installed, enable various features of Bugzilla:

Module	Version	Enables Feature
LWP::UserAgent	(Any)	Automatic Update Notifications
Template::Plugin::GD::Image	(Any)	Graphical Reports
GD::Graph	(Any)	Graphical Reports
GD::Text	(Any)	Graphical Reports
GD	1.20	Graphical Reports, New Charts, Old Charts
Email::MIME::Attachment::Stripper	(Any)	Inbound Email
Email::Reply	(Any)	Inbound Email
Net::LDAP	(Any)	LDAP Authentication
HTML::Parser	3.40	More HTML in Product/Group Descriptions
HTML::Scrubber	(Any)	More HTML in Product/Group Descriptions
XML::Twig	(Any)	Move Bugs Between Installations
MIME::Parser	5.406	Move Bugs Between Installations
Chart::Base	1.0	New Charts, Old Charts
Image::Magick	(Any)	Optionally Convert BMP Attachments to PNGs
PatchReader	0.9.4	Patch Viewer
SOAP::Lite	(Any)	XML-RPC Interface
mod_perl2	1.999022	mod_perl
CGI	3.11	mod_perl

New Features and Improvements

• Custom Fields
• mod_perl Support
• Shared Saved Searches
• Attachments and Flags on New Bugs
• Custom Resolutions
• Per-Product Permissions
• User Interface Improvements
• XML-RPC Interface
• Skins
• Unchangeable Fields Appear Unchangeable
• All Emails in Templates
• No More Double-Filed Bugs
• Default CC List for Components
• File/Modify Bugs By Email
• Users Who Get All Bug Notifications
• Improved UTF-8 Support
• Automatic Update Notification
• Welcome Page for New Installs
• Other Enhancements and Changes

Custom Fields

Bugzilla now includes very basic support for custom fields.

Users in the admin group can add plain-text or drop-down custom fields. You can edit the values available for drop-down fields using the "Field Values" control panel.

Don't add too many custom fields! It can make Bugzilla very difficult to use. Try your best to get along with the default fields, and then if you find that you can't live without custom fields after a few weeks of using Bugzilla, only then should you start your custom fields.

mod_perl Support

Bugzilla 3.0 supports mod_perl, which allows for extremely enhanced page-load performance. mod_perl trades memory usage for performance, allowing near-instantaneous page loads, but using much more memory.

If you want to enable mod_perl for your Bugzilla, we recommend a minimum of 1.5GB of RAM, and for a site with heavy traffic, 4GB to 8GB.

If performance isn't that critical on your installation, you don't have the memory, or you are running some other web server than Apache, Bugzilla still runs perfectly as a normal CGI application, as well.

Shared Saved Searches

Users can now choose to "share" their saved searches with a certain group. That group will then be able to "subscribe" to those searches, and have them appear in their footer.

If the sharer can "bless" the group he's sharing to, (that is, if he can add users to that group), it's considered that he's a manager of that group, and his queries show up automatically in that group's footer (although they can unsubscribe from any particular search, if they want.)

In order to allow a user to share their queries, they also have to be a member of the group specified in the querysharegroup parameter.

Users can control their shared and subscribed queries from the "Preferences" screen.

Attachments and Flags on New Bugs

You can now add an attachment while you are filing a new bug.

You can also set flags on the bug and on attachments, while filing a new bug.

Custom Resolutions

You can now customize the list of resolutions available in Bugzilla, including renaming the default resolutions.

The resolutions FIXED, DUPLICATE and MOVED have a special meaning to Bugzilla, though, and cannot be renamed or deleted.

Per-Product Permissions

You can now grant users editbugs and canconfirm for only certain products. You can also grant users editcomponents on a product, which means they will be able to edit that product including adding/removing components and other product-specific controls.

User Interface Improvements

There has been some work on the user interface for Bugzilla 3.0, including:

• There is now navigation and a search box a the top of each page, in addition to the bar at the bottom of the page.
• A re-designed "Format for Printing" page for bugs.
• The layout of show_bug.cgi (the bug editing page) has been changed, and the attachment table has been redesigned.

XML-RPC Interface

Bugzilla now has a Web Services interface using the XML-RPC protocol. It can be accessed by external applications by going to the xmlrpc.cgi on your installation.

Documentation can be found in the Bugzilla API Docs, in the various Bugzilla::WebService modules.

Skins

Bugzilla can have multiple "skins" installed, and users can pick between them. To write a skin, you just have to write several CSS files. See the Custom Skins Documentation for more details.

We currently don't have any alternate skins shipping with Bugzilla. If you write an alternate skin, please let us know!

Unchangeable Fields Appear Unchangeable

As long as you are logged in, when viewing a bug, if you cannot change a field, it will not look like you can change it. That is, the value will just appear as plain text.

All Emails in Templates

All outbound emails are now controlled by the templating system. What used to be the passwordmail, whinemail, newchangedmail and voteremovedmail parameters are now all templates in the template/ directory.

This means that it's now much easier to customize your outbound emails, and it's also possible for localizers to have more localized emails as part of their language packs, if they want.

We also added a mailfrom parameter to let you set who shows up in the From field on all emails that Bugzilla sends.

No More Double-Filed Bugs

Users of Bugzilla will sometimes accidentally submit a bug twice, either by going back in their web browser, or just by refreshing a page. In the past, this could file the same bug twice (or even three times) in a row, irritating developers and confusing users.

Now, if you try to submit a bug twice from the same screen (by going back or by refreshing the page), Bugzilla will warn you about what you're doing, before it actually submits the duplicate bug.

Default CC List for Components

You can specify a list of users who will always be added to the CC list of new bugs in a component.

File/Modify Bugs By Email

You can now file or modify bugs via email. Previous versions of Bugzilla included this feature only as an unsupported add-on, but it is now an official interface to Bugzilla.

For more details see the documentation for email_in.pl.

Users Who Get All Bug Notifications

There is now a parameter called globalwatchers. This is a comma-separated list of Bugzilla users who will get all bug notifications generated by Bugzilla.

Group controls still apply, though, so users who can't see a bug still won't get notifications about that bug.

Improved UTF-8 Support

Bugzilla users running MySQL should now have excellent UTF-8 support if they turn on the utf8 parameter. (New installs have this parameter on by default.) Bugzilla now correctly supports searching and sorting in non-English languages, including multi-bytes languages such as Chinese.

Automatic Update Notification

If you belong to the admin group, you will be notified when you log in if there is a new release of Bugzilla available to download.

You can control these notifications by changing the upgrade_notification parameter.

If your Bugzilla installation is on a machine that needs to go through a proxy to access the web, you may also have to set the proxy_url parameter.

Welcome Page for New Installs

When you log in for the first time on a brand-new Bugzilla installation, you will be presented with a page that describes where you should go from here, and what parameters you should set.

QuickSearch Plugin for IE7 and Firefox 2

Firefox 2 users and Internet Explorer 7 users will be presented with the option to add Bugzilla to their search bar. This uses the QuickSearch syntax.

Other Enhancements and Changes

These are either minor enhancements, or enhancements that have very short descriptions. Some of these are very useful, though!

Enhancements That Affect Bugzilla Users

• In comments, quoted text (lines that start with >) will be a different color from normal text.
• There is now a user preference that will add you to the CC list of any bug you modify. Note that it's on by default.
• Bugs can now be filed with an initial state of ASSIGNED, if you are in the editbugs group.
• By default, comment fields will zoom large when you are typing in them, and become small when you move out of them. You can disable this in your user preferences.
• You can hide obsolete attachments on a bug by clicking "Hide Obsolete" at the bottom of the attachment table.
• If a bug has flags set, and you move it to a different product that has flags with the same name, the flags will be preserved.
• You now can't request a flag to be set by somebody who can't set it (Bugzilla will throw an error if you try).
• Many new headers have been added to outbound Bugzilla bug emails: X-Bugzilla-Status, X-Bugzilla-Priority, X-Bugzilla-Assigned-To, X-Bugzilla-Target-Milestone, and X-Bugzilla-Changed-Fields, X-Bugzilla-Who. You can look at an email to get an idea of what they contain.
• In addition to the old X-Bugzilla-Reason email header which tells you why you got an email, if you got an email because you were watching somebody, there is now an X-Bugzilla-Watch-Reason header that tells you who you were watching and what role they had.
• If you hover your mouse over a full URL (like http://bugs.mycompany.com/show_bug.cgi?id=1212) that links to a bug, you will see the title of the bug. Of course, this only works for bugs in your Bugzilla installation.
• If your installation has user watching enabled, you will now see the users that you can remove from your watch-list as a multi-select box, much like the current CC list. (Previously it was just a text box.)
• When a user creates their own account in Bugzilla, the account is now not actually created until they verify their email address by clicking on a link that is emailed to them.
• You can change a bug's resolution without reopening it.
• When you view the dependency tree on a bug, resolved bugs will be hidden by default. (In previous versions, resolved bugs were shown by default.)
• When viewing bug activity, fields that hold bug numbers (such as "Blocks") will have the bug numbers displayed as links to those bugs.
• When viewing the "Keywords" field in a bug list, it will be sorted alphabetically, so you can sanely sort a list on that field.
• In most places, the Version field is now sorted using a version-sort (so 1.10 is greater than 1.2) instead of an alphabetical sort.
• Options for flags will only appear if you can set them. So, for example, if you can't grant + on a flag, that option won't appear for you.
• You can limit the product-related output of config.cgi by specifying a product= URL argument, containing the name of a product. You can specify the argument more than once for multiple products.
• You can now search the boolean charts on whether or not a comment is private.

Enhancements For Administrators

• Administrators can now delete attachments, making them disappear entirely from Bugzilla.
• sanitycheck.cgi can now only be accessed by users in the editcomponents group.
• The "Field Values" control panel can now only be accessed by users in the admin group. (Previously it was accessible to anybody in the editcomponents group.)
• There is a new parameter announcehtml, that will allow you to enter some HTML that will be displayed at the top of every page, as an announcement.
• The loginnetmask parameter now defaults to 0 for new installations, meaning that as long as somebody has the right login cookie, they can log in from any IP address. This makes life a lot easier for dial-up users or other users whose IP changes a lot. This could be done because the login cookie is now very random, and thus secure.
• Classifications now have sortkeys, so they can be sorted in an order that isn't alphabetical.
• Authentication now supports LDAP over SSL (LDAPS) or TLS (using the STARTLS command) in addition to plain LDAP.
• LDAP users can have their LDAP username be their email address, instead of having the LDAP mail attribute be their email address. You may wish to set the emailsuffix parameter if you do this.
• Administrators can now see what has changed in a user account, when using the "Users" control panel.
• REMIND and LATER are no longer part of the default list of resolutions. Upgrading installations will not be affected--they will still have these resolutions.
• editbugs is now the default for the timetrackinggroup parameter, meaning that time-tracking will be on by default in a new installation.

Outstanding Issues

• Bug 69621: If you rename or remove a keyword that is in use on bugs, you will need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing the option to rebuild the cache when it asks. Otherwise keywords may not show up properly in search results.
• Bug 99215: Flags are not protected by "mid-air collision" detection. Nor are any attachment changes.
• Bug 89822: When changing multiple bugs at the same time, there is no "mid-air collision" protection.
• Bug 276230: The support for restricting access to particular Categories of New Charts is not complete. You should treat the 'chartgroup' Param as the only access mechanism available.
  However, charts migrated from Old Charts will be restricted to the groups that are marked MANDATORY for the corresponding Product. There is currently no way to change this restriction, and the groupings will not be updated if the group configuration for the Product changes.
• Bug 370370: mod_perl support is currently not working on Windows machines.
• Bug 361149: If you are using Perl 5.8.0, you may get a lot of warnings in your Apache error_log about "deprecated pseudo-hashes." These are harmless--they are a bug in Perl 5.8.0. Perl 5.8.1 and later do not have this problem.
• Bugzilla 3.0rc1 allowed custom field column names in the database to be mixed-case. Bugzilla 3.0 only allows lowercase column names. It will fix any column names that you have made mixed-case, but if you have custom fields that previously were mixed-case in any Saved Search, you will have to re-create that Saved Search yourself.

Security Updates in This Release

3.0.6

Bugzilla contains a minor security fix. For details, see the Security Advisory.

3.0.5

Bugzilla contains one security fix for importxml.pl. For details, see the Security Advisory.

3.0.4

Bugzilla 3.0.4 contains three security fixes. For details, see the Security Advisory.

3.0.3

No security fixes in this release.

3.0.2

Bugzilla 3.0.1 had an important security fix that is critical for public installations with "requirelogin" turned on. For details, see the Security Advisory

3.0.1

Bugzilla 3.0 had three security issues that have been fixed in this release: one minor information leak, one hole only exploitable by an admin or using email_in.pl, and one in an uncommonly-used template. For details, see the Security Advisory.

How to Upgrade From An Older Version

Notes For Upgraders

• If you upgrade by CVS, there are several .cvsignore files that are now in CVS instead of being locally created by checksetup.pl. This means that you will have to delete those files when CVS tells you there's a conflict, and then run cvs update again.
• In this version of Bugzilla, the Summary field is now limited to 255 characters. When you upgrade, any Summary longer than that will be truncated, and the old summary will be preserved in a comment.
• If you have the utf8 parameter turned on, at some point you will have to convert your database. checksetup.pl will tell you when this is, and it will give you certain instructions at that time, that you have to follow before you can complete the upgrade. Don't do the conversion yourself manually--follow the instructions of checksetup.pl.
• If you ever ran 2.23.3, 2.23.4, or 3.0rc1, you will have to run ./collectstats.pl --regenerate at the command line, because the data for your Old Charts is corrupted. This can take several days, so you may only want to run it if you use Old Charts.
• You should also read the Outstanding Issues sections of older release notes if you are upgrading from a version lower than 2.22.

Steps For Upgrading

Once you have read the notes above, see the Upgrading documentation for instructions on how to upgrade.

Code Changes Which May Affect Customizations

• Packagers: Location Variables Have Moved
• Hooks!
• API Documentation
• Elimination of globals.pl
• Cleaned Up Variable Scoping Issues
• No More SendSQL
• Auth Re-write
• Bugzilla::Object
• Bugzilla->request_cache
• Other Changes

Packagers: Location Variables Have Moved

In previous versions of Bugzilla, Bugzilla::Config held all the paths for different things, such as the path to localconfig and the path to the data/ directory.

Now, all of this data is stored in a subroutine, Bugzilla::Constants::bz_locations.

Also, note that for mod_perl, bz_locations must return absolute (not relative) paths. There is already code in that subroutine to help you with this.

Hooks!

Bugzilla now supports a code hook mechanism. See the documentation for Bugzilla::Hook for more details.

This gives Bugzilla very advanced plugin support. You can hook templates, hook code, add new parameters, and use the XML-RPC interface. So we'd like to see some Bugzilla plugins written! Let us know on the developers@bugzilla.org mailing list if you write a plugin.

If you need more hooks, please File a bug!

API Documentation

Bugzilla now ships with all of its perldoc built as HTML. Go ahead and read the API Documentation for all of the Bugzilla modules now! Even scripts like checksetup.pl have HTML documentation.

Elimination of globals.pl

The old file globals.pl has been eliminated. Its code is now in various modules. Each function went to the module that was appropriate for it.

Usually we filed a bug in bugzilla.mozilla.org for each function we moved. You can search there for the old name of the function, and that should get you the information about what it's called now and where it lives.

Cleaned Up Variable Scoping Issues

In normal perl, you can have code like this:

my $var = 0;
sub y { $var++ }

However, under mod_perl that doesn't work. So variables are no longer "shared" with subroutines--instead all variables that a subroutine needs must be declared inside the subroutine itself.

No More SendSQL

The old SendSQL function and all of its companions are gone. Instead, we now use DBI for all database interaction.

For more information about how to use DBI with Bugzilla, see the Developer's Guide Section About DBI

Auth Re-write

The Bugzilla::Auth family of modules have been completely re-written. For details on how the new structure of authentication, read the Bugzilla::Auth API docs.

It should be very easy to write new authentication plugins, now.

Bugzilla::Object

There is a new base class for most of our objects, Bugzilla::Object. It makes it really easy to create new objects based on things that are in the database.

Bugzilla->request-cache

Bugzilla.pm used to cache things like the database connection in package-global variables (like $_dbh). That doesn't work in mod_perl, so instead now there's a hash that can be accessed through Bugzilla->request_cache to store things for the rest of the current page request.

You shouldn't access Bugzilla->request_cache directly, but you should use it inside of Bugzilla.pm if you modify that. The only time you should be accessing it directly is if you need to reset one of the caches. Hash keys are always named after the function that they cache, so to reset the template object, you'd do: delete Bugzilla->request_cache->{template};.

Other Changes

• checksetup.pl has been completely re-written, and most of its code moved into modules in the Bugzilla::Install namespace. See the checksetup documentation and Bugzilla bug 277502 for details.
• Instead of UserInGroup(), all of Bugzilla now uses Bugzilla->user->in_group
• mod_perl doesn't like dependency loops in modules, so we now have a test for that detects dependency loops in modules when you run runtests.pl.
and is now a method of a bug object.
• The code that used to be in the global/banner.html.tmpl template is now in global/header.html.tmpl. The banner still exists, but the file is empty.

Release Notes For Previous Versions

Release notes for versions of Bugzilla for versions prior to 3.0 are only available in text format: Release Notes for Bugzilla 2.22 and Earlier.