Release Notes for Bugzilla version 3.0 and higher are available in HTML
format, either on the bugzilla.org website, or in your current installation,
linked from the index page.

bugzilla.org links for release notes
------------------------------------
3.0.2: http://www.bugzilla.org/releases/3.0.2/release-notes.html

***************************************
*** The Bugzilla 2.22 Release Notes ***
***************************************

- Important Updates In This Point Release
- Minimum Requirements
* For PostgreSQL Users
* Required Perl Modules
* Optional Perl Modules
* Complete PostgreSQL Support
* Parameters In Sections
* One Codebase, Multiple Databases
* UTF-8 for New Installations
* Admins Can Impersonate Users
* Bug Import and Moving Improvements
* Adding Individual Bugs to Saved Searches
* Optional "Strict Isolation" for Groups
* "editcomponents" Change
* "shutdownhtml" Change
* Miscellaneous Improvements
- Outstanding Issues (<======================== IMPORTANT, PLEASE READ)
- How to Upgrade From An Older Bugzilla
- Code Changes Which May Affect Customizations
- Security Fixes In 2.22 Releases
- Release Notes for Previous Versions

Bugzilla 2.22 is one of our most polished releases. We did a lot of
small cleanups to make Bugzilla easier to use and more useful in
many, many small ways, in addition to adding some major new features.

This document contains the release notes for Bugzilla 2.22.
In this document, recently added, changed, and removed features
of Bugzilla are described. If you are upgrading from an older version,
you will definitely want to read these release notes in detail, so that
you have an idea of what has changed.

If you are upgrading from a version before 2.20, also read the 2.20
release notes (lower in this file) and any previous release notes.

If you are installing a new Bugzilla, you will still want to look over
the release notes to see if there is any particularly important
information that affects your installation.

If you would like to contribute code to Bugzilla, read our
Contributor's Guide at:

  http://www.bugzilla.org/docs/contributor.html
Important Updates In This Point Release
***************************************

This section describes bugs fixed in releases after the original 2.22

+ Make Bugzilla compatible with Template Toolkit 2.15 (bug 357374)

+ Make Bugzilla compatible with versions of MySQL higher than 5.0.25

+ Sanity Check can now only be run by people with the "admin" privilege.

+ When sending mail, Bugzilla could throw the error "Insecure dependency in
  exec while running with -T switch" (bug 340538).

+ Using the public webdot server (for dependency graphs) should work

+ The "I'm added to or removed from this capacity" email preference
  wasn't working for new bugs (bug 349852).

+ The original release of 2.22 incorrectly said it required Template-Toolkit
  version 2.08. In actual fact, Bugzilla requires version 2.10 (bug 351478).

+ votes.cgi would crash if your bug was the one confirming a bug (bug 351300).

+ checksetup.pl now correctly reports if your Template::Plugin::GD module
  is missing. If missing, it could lead to charts and graphs not working

+ The "Keyword" field on buglist.cgi was not sorted alphabetically, so
  it wasn't very useful for sorting (bug 342828).

+ Sendmail will no longer complain about there being a newline in the
  email address, when Bugzilla sends mail (bug 331365).

+ contrib/bzdbcopy.pl would try to insert an invalid value into the
  database, unnecessarily (bug 335572).

+ Deleting a bug now correctly deletes its attachments from the database
Perl v5.6.1 (Non-Windows platforms)
ActiveState Perl v5.8.1 (Windows only)

Note that this is the last release of Bugzilla to support perl 5.6.x--
future versions will require perl 5.8.

MySQL v4.0.14 (changed from 2.20)
perl module: DBD::mysql v2.9003 (changed from 2.18)

perl module: DBD::Pg 1.31 (1.41 required for PostgreSQL 8+)

WARNING: DBD::Pg 1.43 has a bug which causes checksetup.pl to fail
and corrupt the database. If you are using DBD::Pg 1.43, either downgrade
to 1.41 or upgrade to 1.45 (1.42 and 1.44 seem broken somehow too).

Note that this is the last release of Bugzilla to support PostgreSQL 7.x.
Future versions will require PostgreSQL 8.0 and DBD::Pg 1.45.

Required Perl Modules
---------------------

Template Toolkit v2.10 (changed from 2.20)
Text::Wrap v2001.0131
Mail::Mailer v1.67 (changed from 2.20)
MIME::Base64 v3.01 (new in 2.22)
MIME::Parser v5.406 (new in 2.22)

Note: The SMTP support in Mail::Mailer 1.73 (the most recent version)
is broken. The last known working version is 1.67.

Optional Perl Modules
---------------------

GD::Text::Align (any)

XML::Twig (any) (new in 2.22)
Image::Magick (new in 2.22)
Complete PostgreSQL Support
---------------------------
Bugzilla 2.20 contained experimental support for PostgreSQL.
In Bugzilla 2.22, PostgreSQL support is fully complete and stable. Using
PostgreSQL with Bugzilla should be as stable as using MySQL, and if
you experience any problems they will be taken as seriously as if you

There are no known remaining major problems with Bugzilla on PostgreSQL.
All features of Bugzilla have been tested and work.

Parameters In Sections
----------------------
Long-time users of Bugzilla know that over time the parameter list has
grown quite large. It has now been split into sections to make it easier

One Codebase, Multiple Databases
--------------------------------
There is now limited support for having multiple projects use the
same Bugzilla codebase, but all have separate databases.

The different projects can have their own templates and their own
bug database, but all use the same set of Bugzilla code in the same

To enable this, set an environment variable called PROJECT when
calling the Bugzilla CGIs. Then for each project, you can have
a localconfig.PROJECT (where "PROJECT" is the value of the PROJECT
environment variable) file for the database parameters, and a
template/en/PROJECT directory (where "PROJECT" is the value of the
PROJECT environment variable)

This feature isn't documented yet, but we hope to have documentation for

UTF-8 For New Installations
---------------------------
If this is the first time you're installing Bugzilla, it will now use
UTF-8 encoding for all pages, automatically. It will also send emails
in UTF-8. This eliminates most of the internationalization problems
users have experienced, as one Bugzilla page may now contain any number
of languages simultaneously.

If you are upgrading and you want to use UTF-8, just turn on the "utf8"
Parameter. However, realize that if you have non-UTF-8 data in your
Bugzilla, it will appear unreadable. (If you just have ASCII in your
database, you're safe to turn on the "utf8" parameter, definitely.)
Admins Can Impersonate Users
----------------------------
User impersonation (think of the su/sudo command on Unix) allows you
to view pages and perform actions as if you are logged in as someone else,
without having to know their password.

A user in the new "bz_sudoers" group has the option of "becoming"
any user in Bugzilla. Once they "become" that user, they *are* that user
for the rest of the session, until they decide to switch back to being

However, they cannot "become" any user in the "bz_sudo_protect" group.
This group includes everybody in the "admin" and "bz_sudoers" groups by

Any time a user is impersonated, they will get an email notifying them
who has impersonated them.

Bug Import and Moving Improvements
----------------------------------
The XML Import script, importxml.pl, has been completely re-written.

* Correctly imports the "priority" field
* Understands when the "Reporter" or "CC List" security boxes
  are unchecked on the bug.
* Places bugs in the appropriate groups
* Allows attachments to be imported
* Is much more forgiving about small problems in the XML

Adding Individual Bugs to Saved Searches (Tagging)
--------------------------------------------------
Users now have the option of adding an individual bug to any
particular Saved Search. Individual users that disagree with the site
default can add or remove this feature (which appears as an entry box
visible in the footer) by changing the General Preferences setting
called "Enable tags for bugs".

Instead of attaching a file, you can now also attach a URL to a bug.
This will show up just like an attachment on show_bug.cgi, but when
you click on it, it will take you to the URL.

To enable this, turn on the "allow_attach_url" parameter.
Optional "Strict Isolation" for Groups
--------------------------------------
If you turn on the "strict_isolation" parameter in Bugzilla, you
will *not* be able to add any user to the CC field (or set them
as an Assignee or QA Contact) unless that user could normally see
the bug. That is, you will no longer be able to "accidentally"
(or intentionally) give somebody access to a bug that they
otherwise couldn't see.

"editcomponents" Change
-----------------------
Previously, all users who had "editcomponents" could see every Product,
using the editcomponents.cgi script. Now, users with "editcomponents"
can only see Products that they normally have access to.

This restriction also affects editversions.cgi, editmilestones.cgi and

"shutdownhtml" Change
---------------------
All of Bugzilla is now affected by the "shutdownhtml" parameter,
including command-line scripts. checksetup.pl is exempt. Many scripts
(such as collectstats.pl and whine.pl) will just exit silently when
"shutdownhtml" is turned on.

Miscellaneous Improvements
--------------------------

- Added a frequently-requested user preference for whether or not to go
  to the next bug in your list after submitting changes to a bug.

- Relative date searches (like "1d" for "1 day" or "1w" for "1 week")
  can now be done by hour, in addition to days and other units of time.

- "Alias" added to the New Bug form, for users with editbugs.

- Users can now actually see the descriptions of flags that you enter
  in editflagtypes.cgi. The description will appear as a tooltip
  when a user places their mouse over the flag name on show_bug.cgi.

- Bugzilla will optionally convert BMP attachments into PNGs for you.
  See the "convert_uncompressed_images" in the "Attachments" section

- You can now edit the Status Whiteboard when you are changing multiple

- The way that groups work in the database has changed, and large-scale
  Bugzilla use with many concurrent users should be much faster, as a
  result. (Technical Details: The need for Bugzilla to "derive groups"
  has gone away pretty much entirely.)

- Performance improvements on searching attachment information that's not
  the actual content of the attachment (such as searching the Attachment
  Description or the Attachment MIME Type)

- You can now specify multiple email addresses, comma-separated, when
  setting the requestee of a flag, and it will set the flag once for each
  of those email addresses

- "Bug Creation Time" is now searchable in the Boolean Charts.

- When you mark a comment on a bug as private, the background color
  of the comment will change immediately. However, in order for
  Bugzilla to register that the comment is now private, you still
  have to "submit" the changes.

- Emails sent from Bugzilla now have "X-Bugzilla-Keywords" and
  "X-Bugzilla-Severity" by default, containing the information
  from the related Bugzilla fields.

- You can now change the assignee and QA contact on multiple bugs at
  once even when those bugs are in different products.

- contrib/merge-users.pl allows you to merge two user accounts. This is
  particularly useful when a user opened several accounts and only one should
  be kept. It also lets you merge a deleted account with an existing one.

If you'd like to see all the changes between Bugzilla 2.20 and Bugzilla

  http://tinyurl.com/9p2tm
- This is the last release of Bugzilla to support perl 5.6.x. All future
  versions of Bugzilla will require at least perl 5.8.

  This is the last release of Bugzilla to support PostgreSQL 7.x. Future
  releases using PostgreSQL will require PostgreSQL 8.0 and DBD::Pg 1.45.

- bug 305836: PostgreSQL users: do not use DBD::Pg version 1.43 with
  Bugzilla. It has a bug which can corrupt the database. Version 1.41
  is fine. Version 1.45 or higher is fine too.

- (No Bug Number) VERY IMPORTANT: If you have customized the values in
  your Status/Resolution field, you must edit checksetup.pl BEFORE YOU
  RUN IT. Find the line that starts like this:

    bug_status => ["UNCONFIRMED",

  That's where you set the values for the Status field.

    resolution => ["","FIXED",

  And that's where you set values for the Resolution field.

  Those are both near line 1826 in checksetup.pl.

  If you forget to do this, you will have to manually edit the "bug_status"
  and "resolution" tables in the database to contain the correct values.

- bug 276230: The support for restricting access to particular Categories of
  New Charts is not complete. You should treat the 'chartgroup' Param as the
  only access mechanism available. However, additionally, charts migrated from
  Old Charts will be restricted to the groups that are marked MANDATORY for
  the corresponding Product. There is currently no way to change this
  restriction, and the groupings will not be updated if the group configuration
  for the Product changes.

- bug 37765: If you use the "sendmail" support of Bugzilla,
  and you use an MTA which is *not* Sendmail (such as Postfix, Exim, etc.)
  make sure the "sendmailnow" parameter is ON or Bugzilla will not send

- bug 69621: If you rename or remove a keyword that is in use on bugs, you will
  need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing
  the option to rebuild the cache when it asks. Otherwise keywords may not show
  up properly in search results.

- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for
  example, if you use a translation of Bugzilla), don't enable the XS::Stash
  option when you install the Template Toolkit, or your Bugzilla installation
  may become slow. This problem is fixed in a not-yet-released version of the
  Template Toolkit (after 2.14).

- Bug 99215: Flags are not protected by "mid-air collision" detection.
  Nor are any attachment changes.

- Bug 89822: When changing multiple bugs at the same time, there is no
  "mid-air collision" protection.

- bug 322955: The email interface (bug_mail.pl) in the contrib/ directory
  has not been maintained (as it has no maintainer), and does not work
  properly. We hope to have this fixed in our next major release of
  Bugzilla; however, any help or contributions in this area are very
How to Upgrade From An Older Bugzilla
*************************************

NOTE: Upgrading from a large installation (over 10,000 bugs) running 2.18
      or before may take a significant amount of time. checksetup will
      try to let you know how long it will take, but expect downtime
      of an hour or more if you have many bugs, many attachments,

1) Read these entire Release Notes, particularly the "Outstanding Issues"
   and "Security Fixes" sections.

2) View the Sanity Check (sanitycheck.cgi) page on your installation before
   upgrading. Attempt to fix all warnings that the page produces before
   you go any further, or you may experience problems during your upgrade.

3) Make a backup of the Bugzilla database before you upgrade, perhaps
   by using mysqldump. THIS IS VERY IMPORTANT. If anything goes wrong
   during the upgrade, your installation can be corrupted beyond
   recovery. Having a backup keeps you safe.

     mysqldump -u root -p bugs > bugs-db.sql

4) Replace the files in your installation with the new version of Bugzilla,
   or you can try to use CVS to upgrade. The bugzilla.org website has
   instructions on how to do the actual installation.

   You can also use a brand-new Bugzilla directory, as long as you
   copy over the old data/ directory and the "localconfig" file to the

5) Run checksetup.pl after you install the new version.

7) View the Sanity Check page again after you run checksetup.pl.

8) It is recommended that, if possible, you fix any problems you find
   immediately. Failure to do this may mean that Bugzilla will not work
   correctly. Be aware that if the sanity check page contains more errors after
   an upgrade, it doesn't necessarily mean there are more errors in your
   database, as additional tests are added to the sanity check over time, and
   it is possible that those errors weren't being checked for in the old

9) This version of Bugzilla contains improvements to the email that
   Bugzilla sends when a bug is changed. The template for that email
   is contained in the "newchangedmail" parameter. If you would like
   to take advantage of the email enhancements in this version of
   Bugzilla, reset that parameter to its default. (You can customize
   it after that again, if you want.)
Code Changes Which May Affect Customizations
********************************************

The CGI.pl file, which used to contain many global functions, and which
also contained initialization code for every CGI, is gone. The functions
have been moved to various places and sometimes renamed.

The initialization code that used to happen inside CGI.pl is now inside
of Bugzilla.pm. All CGIs must "use Bugzilla" in one way or another. (Some
CGIs "use Bugzilla" by doing "require globals.pl".)

Deriving Groups No Longer Happens
---------------------------------
Bugzilla no longer needs to "derive groups" in advance. That is, previously
Bugzilla used to flatten the group hierarchy into the user_group_map
table. (That is, show that a user was in every group they were in,
even if they were only in that group because they belonged to *another*
group.) Now the table only contains groups that the user is in directly,
and groups that they are in because of a regexp.

Instead, the Bugzilla::User->group function determines the groups a user

We did this because the group derivation was causing a lot of complexity
in the code, and also deriving the groups was a slow process that
frequently had to happen inside of a database lock while sending mail
or viewing a bug list.

See https://bugzilla.mozilla.org/show_bug.cgi?id=304583 for details.

- The move.pl script's functionality has been merged into process_bug.cgi.

- $::template and $::vars are gone from globals.pl. Instead of $::template,
  use Bugzilla->template. Every script creates the $vars variable by itself
  instead of using a global $::vars variable.

- $::userid is gone. Instead use Bugzilla->user->id.

- QuickSearch is now in perl instead of in JavaScript. The code is in
  Bugzilla/Search/QuickSearch.pm. This makes it much easier to customize,
  and it also fixes some long-standing issues that QuickSearch had.

- Attachment data is now in the attach_data table. Other information
  about attachments is still in the "attachments" table.

- Much like the 2.20 release, many functions have been removed from
  globals.pl and CGI.pl. They were moved elsewhere and renamed.
  Search RESOLVED bugs in bugzilla.mozilla.org for the old
  version of the function name, and that will usually show you
  the bug where we moved the function, allowing you to find out
  what the new name and location is.

- This is the last release that contains the deprecated
  SendSQL, SqlQuote, FetchSqlData, MoreSqlData, and FetchOneColumn
  functions. Instead, you should use DBI functions. For a very brief

  http://www.bugzilla.org/docs/developer.html#sql-sendreceive
Security Fixes in 2.22 Releases
*******************************

A long-standing, well-known security issue is finally resolved in Bugzilla
2.22: Previously, the "Session ID" of each user could be easily guessed,
given enough time. This could have allowed an attacker to take over a
user's account, in certain circumstances. Now, the "Session ID" is totally
random, resolving this issue. See bug 119524 in bugzilla.mozilla.org for

If you are very concerned about the security of your Bugzilla installation,
it would be a very good idea to run the following command on your
database immediately after upgrading:

  TRUNCATE TABLE logincookies;

This is actually safe to do at any time--it just forces a logout of
every single user, even those with saved sessions. (It invalidates
every login cookie Bugzilla has ever given out.)
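As an added illustration of the session-ID point above (example code, not Bugzilla's own), the following Python contrasts consecutive integer identifiers with identifiers drawn from the operating system's random source, and gives an audit function an administrator could run over a sample of issued values to flag the guessable kind. The sample values are constructed for the example.

```python
import math
import secrets
from collections import Counter

# Constructed sample: the kind of cookie value an auto-incrementing scheme
# hands out. Each value is a short integer one step above the previous one.
OLD_STYLE_IDS = ["10417", "10418", "10419", "10420", "10421", "10422"]


def new_session_id(nbytes: int = 32) -> str:
    """Issue a session identifier from the OS CSPRNG via the secrets module:
    unpredictable, which is the property the 2.22 fix gives Bugzilla."""
    return secrets.token_hex(nbytes)


def shannon_entropy_bits(s: str) -> float:
    """Shannon entropy per character, in bits (a hex string maxes out at 4.0)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_sequential(ids) -> bool:
    """True when the IDs are integers whose consecutive differences are small
    positive steps, i.e. the next value is trivially predictable."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False  # non-numeric identifiers cannot be a simple counter
    if len(nums) < 3:
        return False
    return all(0 < b - a <= 10 for a, b in zip(nums, nums[1:]))


def audit_session_ids(ids, min_len=32, min_bits_per_char=3.0):
    """Return a list of findings for a sample of issued session IDs.
    An empty list means nothing in the sample looks guessable."""
    ids = list(ids)
    findings = []
    if is_sequential(ids):
        findings.append("identifiers are consecutive integers (guessable)")
    short = sum(1 for i in ids if len(i) < min_len)
    if short:
        findings.append(f"{short} identifier(s) shorter than {min_len} chars")
    low = sum(1 for i in ids if shannon_entropy_bits(i) < min_bits_per_char)
    if low:
        findings.append(f"{low} identifier(s) with low per-character entropy")
    if len(set(ids)) != len(ids):
        findings.append("duplicate identifiers were issued")
    return findings


if __name__ == "__main__":
    print("old style:", audit_session_ids(OLD_STYLE_IDS))
    print("new style:", audit_session_ids(new_session_id() for _ in range(6)))
```

The sequential sample trips three findings (predictable, short, low entropy); a sample of freshly generated 64-character hex identifiers trips none.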
A Cross-Site Scripting vulnerability is fixed in Bugzilla 2.22.2. You can
read the details of the fix at:

  http://www.bugzilla.org/security/2.20.3/

The Bugzilla team fixed two Information Leaks and three Cross-Site
Scripting vulnerabilities that existed in versions of Bugzilla
prior to 2.22.1. We strongly recommend that you update any 2.22
installation to 2.22.1, to be protected from these vulnerabilities.

In addition, we have made an enhancement to security in this version
of Bugzilla. In previous versions, it was possible for malicious
users to exploit administrators in certain ways. Although this has
never happened (to our knowledge) in the real world, we thought it
was important that we protect administrators from this sort of attack.

You can see details on all the vulnerabilities and enhancements at:

  http://www.bugzilla.org/security/2.18.5/
Release Notes For Previous Versions
***********************************

***************************************
*** The Bugzilla 2.20 Release Notes ***
***************************************

- Important Updates in this Point Release
- Minimum Requirements
* For PostgreSQL Users
* Required Perl Modules
* Optional Perl Modules
* Experimental PostgreSQL Support
* New User-Interface Color/Style
* Higher-Level Categorization of Bugs (above "Product")
* Regular Reports by Email of Complex Queries ("Whining")
* "Environment Variable" Authentication Method
* User-List Drop-Down Menus
* Server-Side Comment Wrapping
* UI for Editing Priority, OS, Platform, and Severity
* Bugzilla Queries as RSS
* Choice of E-Mail Sending Methods
* "Large Attachment" Storage
* "User Visibility" Controls
* Miscellaneous Improvements
- Deprecated Features
- Outstanding Issues (<======================== IMPORTANT, PLEASE READ)
- How to Upgrade From An Older Bugzilla
* Steps for Upgrading
- Code Changes Which May Affect Customizations
* The New Database-Compatibility Layer
* If You Customize Your Database...
* Many Functions Renamed
- Security Fixes In 2.20 Releases
- Release Notes for Previous Versions

This document contains the release notes for Bugzilla 2.20.
In this document, recently added, changed, and removed features
of Bugzilla are described. If you are upgrading from an older version,
you will definitely want to read these release notes in detail, so that
you have an idea of what has changed.

If you are upgrading from a version before 2.18, also read the 2.18 release
notes (lower in this file) and any previous release notes.

If you are installing a new Bugzilla, you will still want to look over
the release notes to see if there is any particularly important information
that affects your installation.

The 2.20 release has had about nine months of development since 2.18, but
they were nearly the most active nine months in Bugzilla's history. We hope
that users will appreciate our many external changes, and that Bugzilla
administrators will find that our internal changes make their lives easier.

If you would like to contribute code to Bugzilla, read our
Contributor's Guide at:

  http://www.bugzilla.org/docs/contributor.html
Important Updates In This Point Release
***************************************

+ Many PostgreSQL fixes, including fixing whine.pl on Pg 8
  (bug 301062) and fixing the --regenerate option of collectstats.pl
  for all versions of Pg (bug 316971). However, users who want full
  PostgreSQL support are encouraged to use the 2.22 series, as
  certain PostgreSQL bugs were discovered that will not be fixed
  in 2.20 (their fixes were too complex).

+ In Bugzilla 2.20, the "administrator" user created by checksetup.pl
  would not ever be sent email, because their email preferences were
  left blank. This has been fixed for 2.20.1. However, if you created
  this administrative user with Bugzilla 2.20, make sure to go back
  and enable their Email Preferences. (bug 317489)

+ The bzdbcopy.pl script mentioned in these release notes
  has now actually been checked-in to the 2.20 branch, and so
  it's included in this release. (bug 291776)

+ When there's only one Classification, you now won't be required
  to pick a Classification on bug entry. (bug 311489)

+ You can no longer add dependencies on bugs you can't see.

+ The CC list is included in "New" bug emails, again. (bug 313661)

+ In the original 2.20, certain scripts were not correctly using
  the "shadow database," if it was specified. This has been fixed
  in 2.20.1. (bug 313695)

+ "Saved Searches" that were saved before Bugzilla 2.20 would throw
  an error if they contained "Days Since Bug Changed." as part of their
  criteria. This has been fixed in Bugzilla 2.20.1. (bug 302599)

+ You can now successfully delete a product even when Target Milestones
  are turned off. (bug 317025)

+ checksetup.pl now correctly pre-compiles templates for languages other
  than English. (bug 304417)

+ The "All Closed" chart that is created by default in New Charts
  now actually represents all closed bugs, and not all bugs in the
  product. (bug 300473)

+ CSV bug lists with more than 1000 dates now work properly. (bug 257813)

+ Various bugs with upgrading from previous versions of Bugzilla
  have been fixed. (bug 307662, bug 311047, bug 310108)

+ Many, many other bug fixes. See http://www.bugzilla.org/status/changes.html
  for details on what was fixed between 2.20 and 2.20.1.

+ Adding a new attachment and taking the bug at the same time does not
  create a referential integrity problem anymore if the bug was marked as
  a duplicate (bug 332705).

+ Some additional admin links have been added to the sidebar (bug 282613).

+ A new test has been added to our test suite, named 012throwables.t.
  It will now make sure that all tags used in ThrowUserError() and
  ThrowCodeError() are defined, and that there are no unused tags (bug 312042).

+ whine.pl now works correctly on MySQL 4.0. MySQL 4.1 is not affected

+ contrib/merge-users.pl allows you to merge two user accounts. This is
  especially useful when a user opened several accounts and only one
  should be kept (bug 188264).

+ The login form on index.cgi again works correctly on a fresh installation

+ Email preferences are now set correctly when creating a new user account
  using the ENV method (bug 327355).
Perl v5.6.1 (changed from 2.18) (Non-Windows platforms)
ActiveState Perl v5.8.1 (Windows only)

MySQL v3.23.41 (Note: 2.22 will require MySQL 4.x)
perl module: DBD::mysql v2.9003 (changed from 2.18)

For PostgreSQL Users (new in 2.20)

PostgreSQL 7.3.x (8.x has received less testing)
perl module: DBD::Pg 1.31 (1.41 required for PostgreSQL 8+)

Required Perl Modules
---------------------

DBI v1.38 (changed from 2.18)
File::Spec v0.84 (changed from 2.18)

Template Toolkit v2.08
Text::Wrap v2001.0131
Mail::Mailer 1.65 (new in 2.20)
Storable (any) (new in 2.20)

Optional Perl Modules
---------------------

GD::Text::Align (any)

Experimental PostgreSQL Support
-------------------------------

In addition to MySQL, Bugzilla now also supports PostgreSQL. PostgreSQL
support is still somewhat experimental. Although most major features of
Bugzilla work on PostgreSQL in 2.20, there are probably still a few bugs
that need to be worked out.

PostgreSQL support in 2.20 is acceptable for smaller production
environments that don't mind running into a bug or two now and then.

New User-Interface Color/Style
------------------------------

You'll notice that Bugzilla looks a bit nicer, now! We've made a few
color and style changes to update the overall "feel" of Bugzilla's
User Interface. We plan to do even more work on the UI for 2.22.

Higher-Level Categorization of Bugs (above "Product")
-----------------------------------------------------

Previous Bugzillas had "Products" that you could file bugs in,
and "Components" for those products. Now, "Products" can be grouped
into "Classifications."

To enable this, a Bugzilla administrator can turn on the
"useclassification" parameter, using editparams.cgi.

Regular Reports by Email of Complex Queries ("Whining")
-------------------------------------------------------

You can now tell Bugzilla to do a specific query (or set of queries)
every X minutes/hours/days, and send you the results by email. This is
great for keeping track on a daily basis of what's going on in

"Environment Variable" Authentication Method
--------------------------------------------

You can now tell Bugzilla to accept a certain value passed in from
Apache as authentication for Bugzilla users. This means that Bugzilla
now "supports" any type of authentication that Apache supports.

To use this, set the "user_info_class" parameter to "ENV" and, at a
minimum, set the "auth_env_email" parameter to the name of the
Environment variable that passes the authenticated user (usually
"REMOTE_USER"). If your webserver knows users' real names as well, also
set the "auth_env_realname" parameter. If you are using a true
single sign-on system that assigns an identifier uniquely to an
individual, even across changes of email address, then set
"auth_env_id" to the name of that variable.
895
User-List Drop-Down Menus
-------------------------

Now, anywhere in Bugzilla where you previously had to type in an
email address by hand, you have the choice of having Bugzilla instead
display a drop-down menu of users to pick from.

This feature is best for small installations with few users, because
on large installations the list grows too large to be useful.

To enable the feature, turn on the "usemenuforusers" parameter in

Server-Side Comment Wrapping
----------------------------

In older Bugzillas, comments were wrapped to 80 characters by the
user's web browser, and then stored in the database that way. This caused
problems because some browsers did not wrap comments properly.

Now, Bugzilla stores comments unwrapped and wraps them at display time, so
all new comments should be properly wrapped. Also, when you upgrade, Bugzilla
will look for old "mis-wrapped" comments and attempt to wrap them properly.

Lines beginning with the ">" character are assumed to be quotes, and are
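Display-time wrapping of the kind described above, as an added example that is not
Bugzilla's own code: the stored comment is left untouched and only the rendered copy is
wrapped. Treating ">" lines as quotes and leaving them unwrapped, the 80-column width,
and the rule of never splitting a single long token (a URL or path) are this example's
assumptions.

```python
"""Wrap stored, unwrapped comment text for display (added example, not Bugzilla code)."""
import textwrap

WRAP_WIDTH = 80  # the width the older browser-side wrapping used


def is_quote(line):
    """Lines starting with '>' are treated as quoted material."""
    return line.startswith(">")


def wrap_comment(text, width=WRAP_WIDTH):
    """Return `text` wrapped to `width` columns for display.

    Quoted lines and lines already short enough are emitted unchanged, so
    quotes keep their original line breaks. Long tokens are not broken
    (break_long_words=False), so a URL stays intact even if it overflows.
    """
    out = []
    for line in text.split("\n"):
        if is_quote(line) or len(line) <= width:
            out.append(line)
        else:
            out.extend(textwrap.wrap(line, width=width,
                                     break_long_words=False,
                                     break_on_hyphens=False) or [""])
    return "\n".join(out)


if __name__ == "__main__":
    sample = "> " + "quoted " * 20 + "\n" + "word " * 30   # constructed comment
    print(wrap_comment(sample))
```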
UI for Editing Priority, OS, Platform, and Severity
---------------------------------------------------

Bugzilla now has a User Interface for adding and removing values
from the OS, Platform, Priority, and Severity fields. You can also
rename values. Any user in the "editcomponents" group can click
on the "Field Values" link in their page footer to edit these fields.

Also, the default list of choices for OS and Platform for new
installations is now much smaller. Old installations will keep
the same list they have now.

Bugzilla Queries as RSS
-----------------------

You can now view a Bugzilla query as valid RSS 1.0. This means that you
could add a particular query to your RSS aggregator, if you wanted, to
keep track of changes in Bugzilla.

To see a query as RSS, just click on the "RSS" link on the bottom of
your query results. Your query must return at least 1 result in order
for you to see the link.

Choice of E-Mail Sending Methods
--------------------------------

Bugzilla now uses Perl's Mail::Mailer to send e-mail. This means that
you have several choices of how Bugzilla can send email. By default, it
still uses sendmail, but it can also use SMTP, qmail, or send all email
to a file instead of out to users.

A Bugzilla administrator can change which method is used by setting the
"mail_delivery_method" parameter in editparams.cgi.

Bugzilla users will now notice a section in their Preferences called
"General Preferences." Administrators will notice a new link called

The Preferences system allows Bugzilla developers to specify arbitrary
"user preferences" that change the behavior of certain parts of Bugzilla.
Administrators can control whether or not users are allowed to use these
preferences, and what the default settings are for a user who is not

The first two preferences that we have implemented are:
+ "Show a quip at the top of each bug list"
+ "When viewing a bug, show comments in this order..."

We plan to implement more preferences in the future.

"Large Attachment" Storage
--------------------------

Bugzilla can now store very large attachments on disk instead of in the
database. These attachments can't be searched with Boolean Charts, but
they also don't take up database space, and they can be deleted individually

When uploading an attachment, a user chooses if it's a "Big File." If so,
it's stored on the disk instead of in the database.

To enable this feature, set the "maxlocalattachmentsize" parameter to
a non-zero value, in editparams.cgi.

"User Visibility" Controls
--------------------------

It is now possible to prevent users from encountering all other users when
using user-matching or drop-down userlists. To enable this restriction,
enable the "usevisibilitygroups" parameter. Once this is enabled, each
group's permissions will include a new column for "visible." The members
of any group for which the group being edited is visible will be
able to user-match this group's users or see them in dropdown lists.

This does not control who a user can CC on a bug, only who they can
see in the user-matching lists or drop-downs.
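The visibility rule above, as an added example that is not Bugzilla's own code: a
group's "visible" column is modelled as the set of groups whose members may see it, and
a viewer sees a user only through some group that user belongs to. The sample users,
groups and visibility table are constructed for the example; that a user who belongs to
no group is visible to nobody (and sees nobody) is how this model behaves, and is worth
checking against your own installation. The final function records the caveat from the
notes: the restriction governs matching and drop-downs, not who can be CC'd.

```python
"""User-visibility groups (added example, not Bugzilla code)."""

# Constructed sample data.
USERS = {"alice", "bob", "carol", "dave", "eve"}
GROUPS = {                      # group name -> members
    "staff": {"alice", "bob"},
    "partner-x": {"carol"},
    "partner-y": {"dave"},
}
VISIBLE_TO = {                  # group name -> groups whose members may see its members
    "staff": {"staff"},
    "partner-x": {"staff", "partner-x"},
    "partner-y": {"staff", "partner-y"},
}


def groups_of(user, groups=GROUPS):
    """Names of the groups `user` belongs to."""
    return {g for g, members in groups.items() if user in members}


def visible_users(viewer, users=USERS, groups=GROUPS, visible_to=VISIBLE_TO,
                  usevisibilitygroups=True):
    """Users `viewer` may see in user-matching results and drop-down lists.

    With the parameter off, everyone is visible. With it on, `viewer` sees the
    members of every group G such that `viewer` is in at least one group
    listed as able to see G. Users outside every group are never returned.
    """
    if not usevisibilitygroups:
        return set(users)
    mine = groups_of(viewer, groups)
    seen = set()
    for target, watchers in visible_to.items():
        if mine & watchers:
            seen |= groups.get(target, set())
    return seen & set(users)


def can_user_match(viewer, candidate, **kw):
    """May `viewer` resolve `candidate` through user-matching or a drop-down?"""
    return candidate in visible_users(viewer, **kw)


def can_cc(viewer, candidate, users=USERS):
    """Visibility groups do not restrict CC: any existing account may be CC'd."""
    return candidate in users


if __name__ == "__main__":
    for v in sorted(USERS):
        print(v, sorted(visible_users(v)))
```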
Miscellaneous Improvements
--------------------------

- Marking an attachment as obsolete will now cancel all pending flag
  requests for that attachment. That is, any flag that was set to "?"
  on that attachment will be cleared.

- You can now see which users are "watching" you, on the email

- You can tell Bugzilla to mark certain comments in a different
  color by adding "&mark=1,2,3,5-7" to the end of the show_bug.cgi URL,
  where "1,2,3,5-7" means "highlight comment 1, comment 2, comment 3, and
  comments 5 through 7."

- "QA Contact" now also appears on the New Bug page, if QA Contacts are
  enabled on your installation.

- Bugzilla email now has the "In-Reply-To" header added to it, so if
  you use an email client that supports threads, you can view your
  Bugzilla email in threads. If you are upgrading to a new version of
  Bugzilla, and you want this support, please see the instructions at:
  https://bugzilla.mozilla.org/attachment.cgi?id=172267

- The email preferences system has been slightly updated. You will notice
  the changes on your Email Preferences page.

- You can now negate individual "boolean charts" (in the
  "Advanced Searching" section at the bottom of the "Advanced
  Search" page). That is, you can add "NOT" to the front of them.

- You can add the words %assignee%, %reporter%, %user% (yourself), or
  %qacontact% on the right-hand side of a Boolean Chart. For example, you
  could make a Boolean Chart which said "Reporter" "does not equal"
  "%assignee%". That would give you all bugs where the Reporter was not
  the same as the Assignee.

- You can now search Boolean Charts by "commenter."

- If you have a group with no name, it will be re-named to "group_#" where
  "#" is the numeric Bugzilla Group ID for that group.

- If you are using time-tracking, you can now see a report of time spent
  on bugs using summarize_time.cgi.

- If you are using time-tracking, bugzilla will now set "hours remaining"
  to "0" automatically if you RESOLVE a bug, whether you are in the
  time-tracking group or not.
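The "&mark=1,2,3,5-7" parameter above is attacker-reachable input on a URL, so a
practitioner wants it parsed against a strict grammar rather than handed to a
split-and-eval loop. The added example below is not Bugzilla's code; it accepts only
comma-separated integers and ascending integer ranges, bounds every number by the
bug's comment count, and caps how many comment numbers a single request may expand to,
so "mark=1-999999999" cannot be used to burn CPU or memory. Numbering from 1, as in the
notes' example, and the default cap of 500 are assumptions.

```python
"""Parse show_bug.cgi's mark= parameter strictly (added example, not Bugzilla code)."""
import re

_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")   # "7" or "5-7"; nothing else


def parse_mark(value, max_comments, limit=500):
    """Return a sorted list of comment numbers named by `value` ("1,2,3,5-7").

    Raises ValueError for any token outside the grammar, numbers below 1 or
    above `max_comments`, reversed ranges, and requests expanding to more
    than `limit` comments. An empty or absent value marks nothing.
    """
    if not value:
        return []
    marks = set()
    for token in value.split(","):
        m = _TOKEN.match(token.strip())
        if not m:
            raise ValueError(f"bad mark token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo < 1 or hi < lo or hi > max_comments:
            raise ValueError(f"mark range out of bounds: {token!r}")
        if len(marks) + (hi - lo + 1) > limit:
            raise ValueError("too many marked comments")
        marks.update(range(lo, hi + 1))
    return sorted(marks)


def mark_flags(value, max_comments, **kw):
    """Map each comment number 1..max_comments to whether it should be highlighted."""
    marked = set(parse_mark(value, max_comments, **kw))
    return {n: n in marked for n in range(1, max_comments + 1)}


if __name__ == "__main__":
    print(parse_mark("1,2,3,5-7", 10))   # constructed input from the notes
```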
- Bugzilla 2.20 is the last Bugzilla version to support MySQL 3.23.x.
  Starting with Bugzilla 2.22, Bugzilla will require MySQL 4.0.x. This will
  allow Bugzilla to take advantage of the advanced features of MySQL 4.

- (No Bug Number) VERY IMPORTANT: If you have customized the values in
  your Status/Resolution field, you must edit checksetup.pl BEFORE YOU
  RUN IT. Find the line that starts like this:

    bug_status => ["UNCONFIRMED",

  That's where you set the values for the Status field.

    resolution => ["","FIXED",

  And that's where you set values for the Resolution field.

  Those are both near line 1826 in checksetup.pl.

  If you forget to do this, you will have to manually edit the "bug_status"
  and "resolution" tables in the database to contain the correct values.

- bug 37765: VERY IMPORTANT: If you use the "sendmail" support of Bugzilla,
  and you use an MTA which is *not* Sendmail (such as Postfix, Exim, etc.)
  you MUST turn on the "sendmailnow" parameter or Bugzilla will not send

- (No Bug Number) If you close your web browser while the process_bug.cgi
  or post_bug.cgi screen is running, not all emails will be sent, and
  the next time that bug is updated, there will be two updates. This
  is because of a behavior of Apache that is beyond our control.

- bug 276230: The support for restricting access to particular Categories of
  New Charts is not complete. You should treat the 'chartgroup' Param as the
  only access mechanism available. However, additionally, charts migrated from
  Old Charts will be restricted to the groups that are marked MANDATORY for
  the corresponding Product. There is currently no way to change this
  restriction, and the groupings will not be updated if the group configuration
  for the Product changes. This will not be fixed in the 2.20 branch.

- bug 69621: If you rename or remove a keyword that is in use on bugs, you will
  need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing
  the option to rebuild the cache when it asks. Otherwise keywords may not show
  up properly in search results.

- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for
  example, if you use a translation of Bugzilla), don't enable the XS::Stash
  option when you install the Template Toolkit, or your Bugzilla installation
  may become slow. This problem is fixed in a not-yet-released version of the
  Template Toolkit (after 2.14).

- If at any time you upgraded from a version of Bugzilla between 2.17.4 and
  2.17.7 to either 2.18rc3 or 2.19.1, you must manually fix your New Charts in
  order for them to work. See the following link for instructions on how to do
  this: https://bugzilla.mozilla.org/show_bug.cgi?id=276237#c18
  If you are using 2.18rc3, but did not upgrade from version 2.17.4 or newer,
  then you don't need to do this.

- (No Bug Number) If your DBI is really, really old, Bugzilla might fail
  with a strange error message when you try to run checksetup.pl. Try
  upgrading your DBI using: perl -MCPAN -e'install DBI'

- Bug 126266: Bugzilla does not use UTF-8 to display pages. This means
  that if you enter non-ASCII characters into Bugzilla, they may
  display strangely, or Bugzilla may have other problems. For a workaround,
  see: http://www.bugzilla.org/docs/tip/html/security-bugzilla.html
  This has been fixed in the 2.22 series.

- Bug 99215: Flags are not protected by "mid-air collision" detection.
  Nor are any attachment changes.

- Bug 89822: When changing multiple bugs at the same time, there is no
  "mid-air collision" protection.

- Bug 285614: importxml.pl may be broken in many different ways.
  It has been fixed and completely re-written in the 2.22 series.

- (No Bug Number) Note that the email interface (bug_mail.pl) in the
  contrib/ directory has not been maintained (as it has no maintainer),
  and so may not be working properly. Contributions are welcome, if
  anybody would like to work on it.
Upgrading From An Older Bugzilla
************************************

NOTE: Running checksetup.pl to upgrade a large installation (over 10,000 bugs)
may take a significant amount of time. checksetup will try to let
you know how long it will take, but expect downtime of an hour or
more if you have many bugs, many attachments, or many users.

1) View the Sanity Check (sanitycheck.cgi) page on your installation before
   upgrading. Attempt to fix all warnings that the page produces before
   you go any further, or you may experience problems during your upgrade.

2) Make a backup of the Bugzilla database before you upgrade, perhaps

   mysqldump -u root -p --databases bugs > bugs.db.backup

3) Replace the files in your installation with the new version of Bugzilla,
   or you can try to use CVS to upgrade. The Bugzilla.org website has
   instructions on how to do the actual installation.

4) Make sure that you run checksetup.pl after you install the new version.

5) View the Sanity Check page again after you run checksetup.pl.

6) It is recommended that, if possible, you fix any problems you find
   immediately. Failure to do this may mean that Bugzilla will not work
   correctly. Be aware that if the sanity check page contains more errors after
   an upgrade, it doesn't necessarily mean there are more errors in your
   database, as additional tests are added to the sanity check over time, and
   it is possible that those errors weren't being checked for in the old

7) If you want threading support on your Bugzilla email (see the
   "Miscellaneous Improvements" section above for a description),
   you need to follow the instructions at:
   https://bugzilla.mozilla.org/attachment.cgi?id=172267

Code Changes Which May Affect Customizations
********************************************

The New Database-Compatibility Layer
------------------------------------

For most customizations, this should have no effect. However, you should
be aware that Bugzilla->dbh is now an instance of "Bugzilla::DB" instead
of being a DBI object directly. In fact, it's actually a
Bugzilla::DB::Mysql for MySQL users, and a Bugzilla::DB::Pg for

Anything called from $dbh (like $dbh->bz_last_key) that starts with
"bz_" or "sql_" is a custom Bugzilla function. Anything *not* starting
with those two prefixes is a normal DBI function.

Methods whose names start with "sql_" generate a piece of a SQL statement.
They generate the correct version of the statement for whichever database

Methods whose names start with "bz_" do something directly.

You can see more documentation about this at:

http://www.bugzilla.org/docs/2.20/pod/Bugzilla/DB.pm

If You Customize Your Database...
---------------------------------

In order to support multiple databases, we had to do something sort of
tricky. Bugzilla now stores what it *thinks* the current database schema
is, in a table called bz_schema.

This means that when checksetup changes the database, it updates the
bz_schema table. When *you* update the database, without using
checksetup to do it, the bz_schema table is *not* updated.

So, if you're going to add or remove a column or table in Bugzilla, or if you're
going to change the definition of a column, try to do it by adding code to
checksetup in the correct place. (It's one of the places where you find
the word "--TABLE--".)

You can see the documentation on the $dbh functions used to do this at:

http://www.bugzilla.org/docs/2.20/pod/Bugzilla/DB.pm#schema_modification_methods

Many Functions Renamed
----------------------

We are reorganizing the Bugzilla code so that it can support mod_perl. As
part of this, we are moving all functions out of globals.pl and CGI.pl, and
into modules in the Bugzilla/ directory.

Sometimes when we moved them, we also renamed them. The new Bugzilla standard
is to have functions_named_like_this, instead of FunctionsNamedLikeThis.

So if you were using a FunctionNamedLikeThis that no longer works, try just
using it as function_named_like_this. If that doesn't work, you may have to
search for where we put it, and what we renamed it to. Most of the functions
moved to logical places.

If you really can't find it, search bugzilla.mozilla.org using the name
of the old function. We usually moved one function per bug, so the new
name will be somewhere in a bug report.

Bugzilla now has a "User Preferences" system! These preferences are stored
in the database, and specified by a Bugzilla developer. The Bugzilla
developers actually call these "settings," but we called them "User
Preferences" in the UI to make things clearer.

You access a user's settings differently depending on whether you are in a
.cgi file or in a template file:

CGI: Bugzilla->user->settings->{'setting_name'}->value
Template: Bugzilla.user.settings.setting_name.value

Where "setting_name" is the name of the setting. You can see the current
setting names in the "setting" table in the database.

Remember that sometimes you may want to check a user's settings when
making a customization.

To see how to add new settings, search for "add_setting" in checksetup.pl.
Also see the template: template/en/default/global/setting-descs.none.tmpl.

- The $::unconfirmedstate variable has been replaced by the actual string
  "UNCONFIRMED" everywhere in Bugzilla code.

- The %::FORM and %::MFORM variables are no longer used to access form
  data. Instead, use $cgi->param(). There are many examples of how to do
  this, all over the Bugzilla code.

- SendSQL() and related calls are deprecated, and the various $dbh methods
  should be used instead, such as $dbh->prepare() followed by execute() on the
  statement handle it returns (which is also where bind values for placeholders
  belong). Bugzilla->dbh is the $dbh handle to use. For more information on how
  to use the $dbh methods, see: http://search.cpan.org/dist/DBI/DBI.pm

- The $::userid variable will be going away. Use Bugzilla->user->id instead.

- All global variables (any that start with $::, @::, or %::) will
  be entirely gone by Bugzilla 2.24.
Security Fixes in 2.20 Releases
*******************************

There were three security issues discovered after the release of
Bugzilla 2.20 that we resolved for Bugzilla 2.20.1. One SQL Injection
(from an administrator only), one Cross-Site Scripting vulnerability
(that mostly affects only the user who can exploit it), and one minor,
extremely specific information leak.

To see details on the vulnerabilities that were fixed, see the
Security Advisory at:

http://www.bugzilla.org/security/2.16.10/

Release Notes for Previous Versions
***********************************

*****************************************
*** The Bugzilla 2.18.x Release Notes ***
*****************************************

- Important Updates In This Point Release
  * Dependency Requirements
  * Enterprise Group Support
  * User Wildcard Matching
  * Support for "Insiders"
  * Authentication module/LDAP improvements
  * Improved localization support
  * Comment Reply Links
  * Email Address Munging
  * Miscellaneous Improvements
  * New Saved Search User Interface
  * Rules for changing fields
- Code Changes Which May Affect Customizations
- Recommended Practice for the Upgrade
  * Note About Upgrading From MySQL With ISAM Tables
  * Steps for Upgrading
- Outstanding Issues (<======================== IMPORTANT, PLEASE READ)
- Security Fixes In 2.18 Releases
- Detailed Version-To-Version Release Notes

This document contains the release notes for Bugzilla 2.18 and
the bugfix releases after 2.18. In this document, recently added,
changed, and removed features of Bugzilla are described.

The 2.18 release is our current stable series, containing the results
of over two years of hard and dedicated work by volunteers all over
the world under the lead of Dave Miller.

Important Updates In This Point Release
***************************************

There are usually many more bug fixes than those listed below,
but the below fixes are the ones that we thought System Administrators
would like to specifically know about.

To see a listing of all changes in this release, you can use the

http://www.bugzilla.org/status/changes.html

+ You can now enter a negative time for "Hours Worked"
  in the time-tracking area. (Bug 271276)

+ The BugMail.pm customization required for Windows (as
  described in the Bugzilla Guide) now actually works. (Bug 280911)

+ Users who were using Bugzilla 2.8 can now successfully upgrade
  to 2.18.1 (they couldn't upgrade to 2.18). (Bug 283403)

+ Dependency mails are now properly sent during a mass-change of bugs.

+ You can now create accounts with createaccount.cgi even
  when the "requirelogin" parameter is turned on. (Bug 294778)

+ Bugs that are in disabled groups may not show a padlock
  on the bug list, or may otherwise behave strangely. You
  can now fix this using sanitycheck.cgi. (Bug 277454)

+ If sendmail dies while you are marking a bug
  as a duplicate, the duplicates table will no longer become
  corrupted. (Bug 225042)
Dependency Requirements
-----------------------

Minimum software requirements:

  MySQL v3.23.41 (changed from 2.16)
  Perl v5.6.0 (changed from 2.16) (Non-Windows platforms)
  ActiveState Perl v5.8.1 (Windows only)

Required Perl modules:

  CGI v2.93 (new since 2.16) (changed from 2.17.7)
  Date::Format v2.21 (changed from 2.16)
  DBI v1.36 (changed from 2.16) (changed from 2.17.7)
  DBD::mysql v2.1010 (changed from 2.16)
  Template Toolkit v2.08 (changed from 2.16)
  Text::Wrap v2001.0131

Optional Perl modules:

  Chart::Base v1.0 (changed from 2.16) (changed from 2.17.7)
  GD v1.20 (changed from 2.16)
  GD::Graph (any) (new since 2.16)
  GD::Text::Align (any) (new since 2.16)
  Net::LDAP (any) (new since 2.16)
  PatchReader v0.9.4 (new since 2.16) (changed from 2.17.7)

Bugzilla has a new mechanism for generating reports of the current state of
the bug database. It has two related parts: a table-based view, and several

The table-based view allows you to specify an x, y and z (multiple tables of
data) axis to plot, and then restrict the bugs plotted using the standard
query form. You can view the resulting data as an HTML or CSV export (e.g.
for importing into a spreadsheet).

There are also bar, line and pie charts, which are defined in a very similar
way. These views may be more appropriate for particular data types, and are
suitable for saving and then putting into presentations or web pages.

Bugzilla has a new mechanism for generating charts (graphs over time) of any
arbitrary search. This is known as "New Charts." Legacy data from the previous
charting mechanism ("Old Charts") is migrated into the "New Charts" when you
upgrade. The Old Charts mechanism remains, but is deprecated and will be
removed in a future version of Bugzilla.

Individual users can see/create charts as long as they are a member of the
group specified in the Param 'chartgroup'. Data can be collected for
personal charts every seven days (or a longer period, as set by the user).
Charts created by an administrator can be made public (visible to all). Data
is collected for administrator charts every day (or a longer period, as set

The data is collected by the collectstats.pl script, which an administrator
will need to arrange to be run once every day (see the manual). Chart data can
be plotted in a number of different ways, and different data sets can be
plotted on the same graph for comparison.

Please see the Known Bugs section for some important limitations relating to
access controls on charts.

The Request System (RS) is a set of enhancements that adds powerful flag
(superset of the old attachment status) features to the bugs.

RS allows for four states: off, granted, denied, and (optionally) requested,
where "granted" is the equivalent of "on". These additions mean it is no
longer necessary to define a status to negate another status (e.g.
"needs-work" to negate "has-review") because negation is built into each
status via the status' "denied" state. Bug statuses: Previously only
attachments could have these kinds of statuses. RS enables them for bugs as
well. This feature can be used to request and grant/deny certain properties
for a bug, such as inclusion for a specific milestone or approval for checkin.
This way, Bugzilla supports the natural decision-making process in your

- Requests: Flags can now optionally be made requestable, which means users
  can ask other users to set them. When a user requests a flag, Bugzilla
  emails the requestee and adds the request to a browsable queue so both the
  requester and the requestee can keep track of its status. Once the
  requestee fulfills the request by setting the flag to either granted or
  denied, Bugzilla emails the requester and removes the request from the
  queue. This feature supports workflow like the mozilla.org code review
  and milestone approval processes, whereby code is peer reviewed before
  being committed and patches get approved by product release managers for
  inclusion in specific product releases.

- Product/component specificity: Previously flags were product-specific, and
  if you wanted the same flag for multiple products you had to define
  multiple flags with the same name. Flags are now
  product/component-specific, and a single flag can be enabled or disabled
  for multiple product/component combinations via inclusions and exclusions
  lists. Flags are enabled for all combinations on their inclusions list
  except those that appear on their exclusions list.

Enterprise Group Support
------------------------

Bugzilla is no longer limited to 55 access control groups. Administrators can
define an arbitrary number of access groups composed of individual users or
other groups. The groups can be configured via the web interface to achieve a
wide variety of access control policies. See the documentation section on
'Groups And Group Controls' for details.

User Wildcard Matching
----------------------

Sites can now enable the use of wildcards and substrings in bug entry and
editing forms. If the user enters an incomplete username, they'll get a list of
users that matched the given username.

Support for "Insiders"
----------------------

If the 'insidergroup' parameter is defined, a specific group of users can be
designated insiders who can designate comments and attachments as private to
other insiders. These comments and attachments will be invisible to other
users who are not members of the insiders group even if the bugs to which they
apply are visible. Other insiders will see the comments and attachments with a
visual tinting indicating that they are private.

Controls for tracking time spent fixing bugs are included in the bug form for
members of the group specified by the 'timetrackinggroup' parameter. Any time
comments are added to the bug, members of the time tracking group can add an
amount of time they spent, and it's figured into the total and displayed at
the top of the bug. Shown in the bug are your original estimate, the amount of
time spent so far, the revised estimate of how much time is remaining, and
your gain/loss on the original estimate.
1583
Authentication module/LDAP improvements
1584
---------------------------------------
1586
Bugzilla's authentication mechanisms have been modularized, making pluggable
1587
authentication schemes for Bugzilla a reality. Both the existing database and
1588
LDAP systems were ported as part of modularization process. Additionally, the
1589
CGI portion of the backend was redesigned to allow for authentication from
1590
other sources, including (theoretically) email, which will help Bug 94850.
1592
As part of this conversion, LDAP logins now use Perl's standard Net::LDAP
1593
module, which has no external library dependencies.
1596
Improved localization support
1597
-----------------------------
1599
Bugzilla administrators can now configure which languages are supported by
1600
their installations and automatically serve correct, localized content to
1601
users based on the HTTP 'Accept-Language' header sent from users' browsers.
1603
There are currently localized templates available for: Arabic, Belarusian,
1604
Chinese, French, German, Italian, Korean, Portuguese (Brazil) Spanish (Spain
1605
or Mexico) and Russian. These localized template packs are third-party
1606
contributions, may only be available for specific versions, and may not be
1607
supported in the future. (http://www.bugzilla.org/download/#localizations)
1613
Viewing and reviewing patches in Bugzilla is often difficult due to lack of
1614
context, improper format and the inherent readability issues that raw patches
1615
present. Patch Viewer is an enhancement to Bugzilla designed to fix that by
1616
offering increased context, linking to sections, and integrating with Bonsai,
1623
In Edit Bug, each bug comment now includes a convenient (reply) link that
1624
quotes the comment text into the textarea. This feature is only enabled in
1625
Javascript-capable browsers, but causes no inconvenience to other user agents.
1631
It is now possible to query the Bugzilla database using full-text searching,
1632
which spans comments and summaries, and which searches for substrings and stem
1633
variations of the search term. Basically, it's like using Google.
1636
Email Address Munging
1637
---------------------
1639
The fact that raw email addresses are displayed in Bugzilla makes it trivial
1640
for bots that spamharvest to spider through Bugzilla, in particular, through
1641
Bugzilla's buglists. This change adds HTML obfuscation of email addresses as
1642
they appear in the Bugzilla web pages.
1645
Google-like Bug Search
1646
----------------------
1648
Bugzilla now includes a very simple, Google-like "Find a Specific Bug" page,
1649
in addition to its advanced search page.
1652
Miscellaneous Improvements
1653
--------------------------
1655
- The "Assigned To" field on the new bug page is now prefilled with the default
1658
- A bug alias column is now available in the buglist page.
1660
- Lists of bugs containing errors in the sanity check page now have a "view as
1661
buglist" link in addition to the individual bug links.
1663
- Autolinkification Page - It's now possible to apply Bugzilla's comment
1664
hyperlinking algorithm to any text you like. This should be useful for status
1665
updates and other web pages which give lists of bugs. The bug links created
1666
include the subject, status and resolution of the bug as a tooltip.
1668
- There are more <link> tags on the links toolbar for navigating quickly between
1671
- Buglists are now available as comma-separated value files (CSV) and JavaScript
1672
(JS) as well as HTML and RDF.
1674
- Keywords and dependencies can now be entered during initial bug entry.
1676
- A CSS id signature unique to each Bugzilla installation is now added to the
1677
<body> tag on Bugzilla pages to allow custom end-user CSS to explicitly affect
1680
- Perl's path has been changed to a normal /usr/bin/perl from the original
1681
legacy "bonsaitools" path specifier.
1683
- A new "always-require-login" parameter allows administrators to require a
1684
login before being able to view any page, except the front page.
1686
- A developer may add an attachment, and also reassign a bug to himself as part
1687
of that single action.
1689
- Bugzilla is now able to use the replication facilities provided by the
1690
MySQL database to handle updates from the main database to the secondaries.
1692
- Mail handling is now between 125% to 175% faster.
1694
- Guided Bug Entry: You can see a sample enter_bug.cgi template at
1695
enter_bug.cgi?format=guided that "guides" users through the process of
1696
filing a "good" bug. It needs to be modified before use in your organization.
1698
- There is now a "Give me some help" link on the Advanced Search page that will
1699
enable pop-up help for every field on the page.
1701
- The Bugzilla administrator can now forbid users from marking bugs RESOLVED
1702
when there are unresolved dependencies.
1708
To see a list of EVERY bug that was fixed between 2.16 and 2.18 (over 1000),
1709
see: http://tinyurl.com/6m3e4
1719
Prerelease versions of Bugzilla 2.17 and 2.18 inadvertantly allowed
1720
commas and spaces in the names of flags, which due to the way they're
1721
processed, caused lots of internal havoc if you named flags to have
1722
any commas or spaces in them. Having commas or spaces in the names
1723
can cause errors in the notification emails and in the bug activity
1724
log. The ability to create new flags with these characters has been
1725
removed. If you have any existing flags that you named that way,
1726
running checksetup will attempt to automatically rename them by
1727
replacing commas and spaces with underscores.
1730
New Saved Search User Interface
-------------------------------

In previous Bugzilla versions, you could specify on the search page that you
wanted to save a search and store it as a link in your footer. This option has
now moved to the search results page (buglist.cgi), where you will see a
"Remember search" button with a box next to it to enter the name of the search.

You can manage your saved searches on the Preferences page.
Rules for changing fields
-------------------------

There have been some changes to the rules governing who can change which fields
of a bug report. The rules for Bugzilla version 2.16 and 2.18, along with
differences between them, are listed below. Bear in mind that there are other
restrictions on bug manipulation besides the ones listed below. In particular,
the groups system enforces restrictions on who can create, edit, or even see

Bugzilla 2.16 rules:

  - anyone can make a null change;
  - anyone can add a comment;
  - anyone in the editbugs group can make any change;
  - the reporter can make any change to the status;
  - anyone in the canconfirm group can change the status
    to any opened state (NEW, REOPENED, ASSIGNED);
  - anyone can change the status to any opened state
    if the everconfirmed flag is set;
  - the owner, QA contact, or reporter can make any change
    *except* changing the status to an opened state;
  - No other changes are permitted.

[Note that these rules combine to allow the reporter to make any change

Bugzilla 2.18 rules:

  - anyone can make a null change;
  - anyone can add a comment;
  - anyone in the editbugs group can make any change;
  - anyone in the canconfirm group can change the status
    from UNCONFIRMED to any opened state;
  - the owner or QA contact can make any change;
  - the reporter can make any change *except*:
      - changing the status from UNCONFIRMED to any opened state; or
      - changing the target milestone; or
      - changing the priority (unless the letsubmitterchoosepriority
  - No other changes are permitted.

The effective differences in the rules:

- In 2.16, the reporter could always change anything about a bug.

  In 2.18, the reporter can't:

    - confirm the bug unless he is in the canconfirm group;
    - change the target milestone;
    - change the priority (unless the 'letsubmitterchoosepriority'

  (unless he is also the owner, the QA contact, or in the editbugs
  group, in which case he can do all these things).

- In 2.16, the owner or QA contact (if the 'useqacontact' parameter
  is set) can't change the bug status to an opened status unless they
  are also the reporter, or have editbugs or canconfirm, or the
  everconfirmed flag is set on the bug.

  In 2.18 the owner or QA contact can make any change to a bug.

- In 2.16, a member of the canconfirm group can set the status
  to any opened status.

  In 2.18 this is only possible if the status was previously
  the unconfirmed status.

- In 2.16, the status can be set to anything by anybody
  if the 'everconfirmed' flag is set.

  In 2.18, this authorization code does not pay any attention
  to the 'everconfirmed' flag.
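The two rule sets above, written out as policy functions so the listed differences can be checked mechanically (an added example for these notes, not Bugzilla's own authorization code). The User and Bug records, the params dict and the field names "status", "target_milestone", "priority" and "comment" are assumptions made for illustration.

```python
"""Who may change which bug field: the Bugzilla 2.16 and 2.18 rules from the
release notes, modelled as two policy functions.

Added example, not Bugzilla's own code. The User and Bug records, the params
dict and the field names used here are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

OPENED = {"NEW", "REOPENED", "ASSIGNED"}   # the "opened" states named in the notes


@dataclass
class User:
    login: str
    groups: Set[str] = field(default_factory=set)   # e.g. {"editbugs", "canconfirm"}


@dataclass
class Bug:
    reporter: str
    owner: str
    qa_contact: Optional[str]   # None when the 'useqacontact' parameter is off
    everconfirmed: bool = False


def _shared(user, fld, old, new):
    """Rules common to both versions. True/False decides; None means undecided."""
    if old == new or fld == "comment":        # a null change, or adding a comment
        return True
    if "editbugs" in user.groups:             # editbugs may make any change
        return True
    return None


def allowed_2_16(user, bug, fld, old, new, params):
    """Bugzilla 2.16 rules."""
    verdict = _shared(user, fld, old, new)
    if verdict is not None:
        return verdict
    to_opened = fld == "status" and new in OPENED
    if fld == "status" and user.login == bug.reporter:
        return True                           # reporter: any status change
    if to_opened and ("canconfirm" in user.groups or bug.everconfirmed):
        return True                           # canconfirm, or bug was ever confirmed
    if user.login in (bug.owner, bug.qa_contact, bug.reporter):
        return not to_opened                  # anything except opening the bug
    return False


def allowed_2_18(user, bug, fld, old, new, params):
    """Bugzilla 2.18 rules; 'everconfirmed' plays no part here."""
    verdict = _shared(user, fld, old, new)
    if verdict is not None:
        return verdict
    confirming = fld == "status" and old == "UNCONFIRMED" and new in OPENED
    if confirming and "canconfirm" in user.groups:
        return True                           # canconfirm only acts on UNCONFIRMED bugs
    if user.login in (bug.owner, bug.qa_contact):
        return True                           # owner / QA contact: any change
    if user.login == bug.reporter:
        if confirming or fld == "target_milestone":
            return False
        if fld == "priority" and not params.get("letsubmitterchoosepriority"):
            return False
        return True
    return False
```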
- Please note that Bugzilla no longer supports MySQL 3.22. The minimum required
  version is now 3.23.41.

- The "shadow database" mechanism is no longer used. Instead, use MySQL's
  built-in replication feature.

- If you have placed any comments in the localconfig file, they may be removed
Code Changes Which May Affect Customizations
********************************************

- A mechanism (called "Template Hooks") for third party extensions to plug into
  existing templates without having to patch or replace distributed templates
  has been added. More information on this can be found in the documentation.

- Header output now uses CGI.pm, in a step towards enabling mod_perl
  compatibility. This change will affect users that had customized charsets in
  their CGI files: previously the charset had to be added everywhere that
  printed the Content-Type header; now it only needs changing in one spot, in

- $::FORM{} and $::COOKIE{} are deprecated. Use the $cgi methods to access

- $::userid is gone in favor of Bugzilla->user->id

- ConnectToDatabase() is gone (it's done automatically when you initialize the

- quietly_check_login() and confirm_login() are gone, use Bugzilla->login()
  with parameters for whether the login is required or not.

- Use Bugzilla->user->login in place of $::COOKIE{Bugzilla_login}

- You can tell if there's a user logged in or not by using
  Bugzilla->user rather than looking for $::userid==0.
  In new 2.18 code, use defined(Bugzilla->user) && (Bugzilla->user->id)
  In 2.20, this will become just (Bugzilla->user->id)
  In templates, always test [% IF user.id %] rather than [% IF user %]

- SendSQL() and related calls are deprecated, and the various $dbh methods
  should be used instead, such as $dbh->prepare() and $dbh->execute().
  Bugzilla->dbh is the $dbh handle to use.
Recommended Practice for the Upgrade
************************************

Note About Upgrading From MySQL With ISAM Tables
------------------------------------------------
As previously noted in the Dependency Requirements, MySQL is now required
to be at least version 3.23.41. This implies that all tables of type ISAM will
be converted by the checksetup.pl script to MyISAM.

1) View the Sanity Check (sanitycheck.cgi) page on your installation before

2) As with any upgrade it is recommended that you make a backup of the
   Bugzilla database before you upgrade, perhaps by using mysqldump.

     mysqldump -u root -p --databases bugs > bugs.db.backup

3) Replace the files in your installation, or you can try to use CVS to upgrade.
   The Bugzilla.org website has instructions on how to do the actual

4) Make sure that you run checksetup.pl after you install the new version.

5) View the Sanity Check page again after you run checksetup.pl.

6) It is recommended that, if possible, you fix any problems you find
   immediately. Failure to do this may mean that Bugzilla will not work
   correctly. Be aware that if the sanity check page contains more errors after
   an upgrade, it doesn't necessarily mean there are more errors in your
   database, as additional tests are added to the sanity check over time, and
   it is possible that those errors weren't being checked for in the old
These are known problems with the release that we think you should know about.
They each have a bug number for http://bugzilla.mozilla.org/

- If at any time you upgraded from a version of Bugzilla between 2.17.4 -
  2.17.7 to either 2.18rc3 or 2.19.1, you must manually fix your New Charts in
  order for them to work. See the following link for instructions on how to do
  this: https://bugzilla.mozilla.org/show_bug.cgi?id=276237#c18
  If you are using 2.18rc3, but did not upgrade from version 2.17.4 or newer,
  then you don't need to do this.

- bug 37765: If you use an MTA other than sendmail (such as Postfix, Exim,
  etc.) you MUST turn on the "sendmailnow" parameter or Bugzilla will not send

- bug 276230: The support for restricting access to particular Categories of
  New Charts is not complete. You should treat the 'chartgroup' Param as the
  only access mechanism available. However, additionally, charts migrated from
  Old Charts will be restricted to the groups that are marked MANDATORY for
  the corresponding Product. There is currently no way to change this
  restriction, and the groupings will not be updated if the group configuration
  for the Product changes.

- bug 69621: If you rename or remove a keyword that is in use on bugs, you will
  need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing
  the option to rebuild the cache when it asks. Otherwise keywords may not show
  up properly in search results.

- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for
  example, if you use a translation of Bugzilla), don't enable the XS::Stash
  option when you install the Template Toolkit, or your Bugzilla installation
  may become slow. This problem is fixed in a not-yet-released version of the
  Template Toolkit (after 2.14).

- bug 266579: Users may be able to circumvent not having "canconfirm" privileges
  in some circumstances. This is fixed starting with 2.19.3, but will not
  be fixed in any 2.18 release, as the changes required to fix it are quite

- bug 99215: Attachment changes have no mid-air collision detection, unlike bug

- bug 57350: Searching using the "commenter is" option may be VERY slow. Note
  that searching for "field: comment, changed by: user@domain.com" is fast,

- bug 151509: Using the boolean chart option "contains the string" with the
  "flag name" field or certain other fields will cause Bugzilla to emit an
  error. This is fixed in 2.20rc1, but will not be fixed in the 2.18 series.

- bug 234159: Bugzilla may sometimes send multiple notices in one email.

- bug 237107: If you search for attachment information using the Boolean Charts
  at the bottom of the Advanced Query page, bugs without attachments will not
  show up in the result list.
Security Fixes In 2.18 Releases
*******************************

Summary: XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3
CVE Name: CAN-2004-1061
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=272620

It is possible to send a carefully crafted URL to Bugzilla designed to
trigger an error message. The Internal Error message includes javascript code
which displays the URL the user is visiting. The javascript code does not
escape the URL before displaying it, allowing scripts contained in the URL to
be executed by the browser. Many browsers do not allow unescaped URLs to be
sent to a webserver (thus complying with RFC 2616 section 2.3.1 and RFC 2396
section 2.4.3), and are thus immune to this issue.
Browsers which are known to be immune: Firefox 1.0, Mozilla 1.7.5,
Camino 0.8.2, Netscape 7.2, Safari 1.2.4
Browsers known to be susceptible: Internet Explorer 6 SP2,

Browsers not listed here have not been tested.

Two security issues were fixed in Bugzilla 2.18.1, neither of them

See http://www.bugzilla.org/security/2.16.8/ for details.

Two security issues were fixed in Bugzilla 2.18.2. One of them
is a major Information Leak/Unauthorized Bug Change. The other
is a minor Information Leak.

See http://www.bugzilla.org/security/2.18.1/ for details.
Detailed Version-To-Version Release Notes
*****************************************

*********************************************************
*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.7 ***
*********************************************************

*** Security fixes ***

- It is possible to send a carefully crafted HTTP POST message to
  process_bug.cgi which will remove keywords from a bug even if you don't have
  permissions to edit all bug fields (the "editbugs" permission). Such changes
  are reported in "bug changed" email notifications, so they are easily
  detected and reversed if someone abuses it. Users are now prevented from
  making changes to keywords if they do not have editbugs privileges. (bug

*** Bug fixes of note ***

- Enforce a minimum of 10 minutes between attempts to reset a password, so
  we don't mailbomb the user if someone submits the form many times in a

- Put products in alphabetical order on the create attachment status page.

- Specify MyISAM as the table type when creating new tables. MySQL 4.1 and
  up default to InnoDB, which doesn't support some of the indexing methods
  that we use. (bug 263165)
*********************************************************
*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.6 ***
*********************************************************

*** Security fixes ***

- If Bugzilla is configured to hide entire products from some users, both
  duplicates.cgi and the form for mass-editing a list of bugs in buglist.cgi
  can disclose the names of those hidden products to such users.
  (bugs 234825 and 234855)

- Several administration CGIs echo invalid data back to the user without
  escaping it. (bug 235265)

- A user with privileges to grant membership to any group (i.e. usually an
  administrator) can trick editusers.cgi into executing arbitrary SQL.

*** Bug fixes of note ***

- Allow XML import to function when there are regexp metacharacters in product

- Allow the bug_email.pl contrib script to work with useqacontact (bug 239912)

- Improve the error message used by checksetup.pl when the MySQL requirements
  are not met (bug 240228)

- Eliminate the warning in checksetup.pl about the minimum sendmail version (bug

- $webservergroup now defaults to group 'apache' in new installations (bug

- Correct a situation where a bugmail message could be sent twice to a user
  being added to the CC list if the address was entered in a different case
  than the user registered with. (bug 117297)

- Various documentation updates
*********************************************************
*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.4 ***
*********************************************************

*** Bug fixes of note ***

- Fix a "used only once" warning that occurred only in perl 5.00503

- When a user is creating a new account and enters an invalid email
  address, the error page sent the "Content-type" header twice, causing
  the second one to be visible at the top of the page.

- An HTML encoding issue which only affected Internet Explorer was
  corrected in the "Change several bugs at once" page.

- During initial setup, using invalid characters in the administrator
  password would present an error message stating your password was
  too long or too short instead of telling you it had invalid

- When a user reset their own password via an emailed token, the new
  password in the first field would be accepted if the second password
  field was left blank.

- Reopening bugs from the "change several bugs at once" page now works.

- Fix a regression in xml.cgi caused by the previous bugfix for MySQL
  SUM() changes. The original fix didn't work properly either.

- No longer use server push with the "Safari" browser, which claims to
  use the Mozilla layout engine but doesn't.

- Creating a shadow database no longer fails with taint mode errors.

- If you change your cookiepath setting at some stage (because you have
  moved the directory Bugzilla resides on your webserver), users can
  have login cookies with the old cookiepath, and their browsers will
  send multiple logincookies. Bugzilla now uses the first rather than
  the last in order to get the most specific cookie which will be the

- Fixed a regression caused by the previous DBD::mysql fixes, that
  caused older versions of DBD::mysql to break due to not supporting

- Bugzilla no longer sends out invalid dates for cookie expiry. This
  bug had no known user visible ramifications.

- Update the shadow database parameters description to tell the user
  about permissions requirements for creating a shadow database.

- Various documentation updates.
*********************************************************
*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.3 ***
*********************************************************

*** SECURITY ISSUES RESOLVED ***

- A user with 'editproducts' privileges (i.e. usually an administrator)
  can select arbitrary SQL to be run by the nightly statistics cron job
  (collectstats.pl), by giving a product a special name.

- A user with 'editkeywords' privileges (i.e. usually an administrator)
  can inject arbitrary SQL via the URL used to edit an existing keyword.

- When deleting products and the 'usebuggroups' parameter is on, the
  privilege which allows someone to add people to the group which is
  being deleted does not get removed, allowing people with that
  privilege to get that privilege for the next group that is created
  which reuses that group ID. Note that this only allows someone who
  had been granted privileges in the past to retain them.

- If you know the email address of someone who has voted on a secure
  bug, you can access the summary of that bug even if you do not have
  sufficient permissions to view the bug itself.

*** Bug fixes of note ***

Perl 5.8.0 Compatibility fixes:

  - Two taint errors were fixed, one in process_bug.cgi, and
    another in post_bug.cgi.
    (bugs 220332 and 177828)

MySQL 4.0 Compatibility fixes:

  - A cosmetic fix was applied to votes.cgi (if there were no
    votes, the "0" was not displayed) due to a change in semantics
    in SUM() in MySQL 4.0.

DBD::mysql > 2.1026 Compatibility fixes:

  - DBD::mysql versions after 2.1026 return the table list quoted, which
    broke the existing "table exists" check in checksetup.pl, which caused
    the second and subsequent attempts to run checksetup.pl to fail.

Miscellaneous bug fixes:

  - A Mozilla-specific reference was removed from one of the report

  - It was possible to enter a situation where you were unable to get to
    editparams.cgi to turn the shutdownhtml param back off after you
    turned it on when Apache was configured to run Bugzilla in suexec

  - The processmail rescanall task would not send e-mails about more than
    one bug to the same address.

  - If Bugzilla hadn't been accessed in the last hour when the
    collectstats.pl or whineatnews.pl cron jobs ran, the versioncache
    would get recreated with the file owner being the user the cron job
    was running as (usually not the webserver user), causing subsequent
    access to Bugzilla by the webserver to fail until the permissions were
    fixed. Now if versioncache isn't readable when accessing from the
    webserver, we pretend it doesn't exist and recreate it again.

  - The 'sendmailnow' param is now on by default in new installations
    (this does not affect existing installations).

  - The 008filter.t test would fail if you had multiple language packs
    installed. It now properly tests all of the installed language packs.

  - A few minor documentation changes were committed.
*********************************************************
*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.2 ***
*********************************************************

*** SECURITY ISSUES RESOLVED ***

- A cross site scripting (XSS) vulnerability was fixed in which bug
  summaries were not properly filtered when a user viewed a dependency graph
  allowing JavaScript to be embedded on that page.

- Several XSS vulnerabilities were fixed in which user
  input was not escaped when being displayed. A new
  test has been added to warn about unfiltered data in template
  files (t/008filter.t).

- An issue was fixed in which the QA contact was still treated as the QA
  contact even after the 'useqacontact' setting was turned off. This also
  allowed the QA contact to edit the security groups and view secured bugs that
  he/she was allowed to access prior to the 'useqacontact' setting being

- Fixed a situation where an attacker (with local access to the webserver)
  could overwrite any file on the webserver to which the webserver user
  has write access by creating appropriately named symbolic links in the
  data and webdot directories (world-writable in many configurations).
  Bugzilla now uses File::Temp to create secure temporary files. File::Temp
  is part of the Perl distribution for Perl 5.6.1 and later, but if you're
  using an older version of Perl you'll need to install it with CPAN.
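The two defences File::Temp provides against the symlink problem just described, shown here as an added example in Python rather than Bugzilla's own Perl: an unguessable file name, and an atomic O_EXCL create that fails instead of following a planted link. The directory and file names are constructed for the demonstration; the functions are illustrative, not part of Bugzilla.

```python
"""Symlink-safe file creation for a shared (world-writable) directory.

Added example, not Bugzilla's own code. Bugzilla's fix was to use Perl's
File::Temp; this reproduces the same two defences in Python and checks, in a
throwaway directory, that a pre-placed symbolic link is not followed.
"""
import os
import tempfile


def create_exclusive(path, data, mode=0o600):
    """Create 'path' only if nothing is there yet, then write 'data' into it.

    O_CREAT|O_EXCL makes the create atomic: if a file or a symlink already
    occupies the name, open() fails instead of following it. O_NOFOLLOW is
    added where the platform has it. Returns True on success, False if the
    name was already taken (which is what a planted link looks like).
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, mode)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def write_temp(dirpath, data):
    """Write 'data' to a fresh temporary file in 'dirpath'; return its path.

    mkstemp picks an unpredictable name and creates it with O_EXCL and mode
    0600, so there is no fixed name that could be pre-created as a link.
    """
    fd, path = tempfile.mkstemp(dir=dirpath, prefix="bugzilla-", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Plant a symlink under a predictable name and show both defences hold.

    Returns (created, victim_untouched, temp_is_regular_file).
    """
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")          # constructed sample file
        with open(victim, "w") as fh:
            fh.write("original")
        planted = os.path.join(d, "predictable.tmp")    # a guessable temp name
        os.symlink(victim, planted)

        # The exclusive create must refuse the occupied name, leaving the
        # victim file exactly as it was.
        created = create_exclusive(planted, "overwritten?")
        with open(victim) as fh:
            untouched = fh.read() == "original"

        # The mkstemp path is a fresh regular file, never a link.
        tmp = write_temp(d, "safe")
        regular = os.path.isfile(tmp) and not os.path.islink(tmp)
        return created, untouched, regular
```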
*** IMPORTANT CHANGES ***

- New module requirement: File::Temp, as mentioned above.

*** Bug fixes of note ***

- An issue was fixed in which administrator rights could be removed from an
  administrator who deleted a product while the 'usebuggroups' setting is

- Fixed an issue in which importxml.pl would fail the test suite when running
  under perl 5.8.0 with the optional XML::Parse module.

- There was previously a bug in CGI.pl in which the following warning
  would be given under certain conditions:
  "Character in "c" format wrapped at CGI.pl..."
  This is now fixed. In some cases the warning was filling up web server log

- Fixed a bug in which long component names (in excess of 50 characters) would
  be accepted when creating the component but would cause problems when trying
  to use that component on a bug because it would get truncated. It is now no
  longer possible to create components with names in excess of 50 characters.

- Fixed a bug in checksetup.pl in which permissions were not being fixed
  on the 'data/comments' file, the quip file.
*****************************************************************
*** USERS UPGRADING FROM 2.16.1 OR EARLIER, 2.14.4 OR EARLIER ***
*****************************************************************

*** SECURITY ISSUES RESOLVED ***

- Fixed a cross site scriptability issue in quips. This is only a problem
  if quips with HTML could have been inserted into your quips files. Bugzilla
  has not allowed this since 2.12.

- checksetup.pl will now attempt to prevent access to "editor backups" of

- collectstats.pl no longer makes data/mining (which contains graphing
  information) world writeable.
***********************************************
*** USERS UPGRADING FROM 2.16.0 OR EARLIER ***
***********************************************

*** SECURITY ISSUES RESOLVED ***

- Apostrophes were not properly handled in email addresses. This was a
  regression introduced in 2.16. It is not known whether this was

See also next major section.

*** Bug fixes of note ***

- The VERSION cookie which allowed the previously entered version of a product
  to be remembered was not correctly set. It was only set as a session
  cookie, and under some circumstances could interfere with other cookies
  (such as the login information) sent at the same time.

- importxml.pl would fail if the versioncache needed to be updated.

- Bug changes going through intermediate pages would munge fields with
  multiple fields, such as CCs.

- On failure in template->new, Bugzilla will now die rather than futilely
  attempt to use an error template.

- Fixed a problem where checksetup had problems converting old installations
  that didn't have a duplicates table.

- Fixed a problem that caused taint errors when viewing or editing user
  preferences with Perl 5.005 and Template 2.08.

See also next section.
******************************************************
*** USERS UPGRADING FROM 2.16.0, 2.14.3 OR EARLIER ***
******************************************************

*** SECURITY ISSUES RESOLVED ***

- When a new product is added to an installation with 47 groups or more and
  "usebuggroups" is enabled, the new group will be assigned a groupset bit
  using Perl math that is not exact beyond 2^48. This results in the new
  group being defined with a "bit" that has several bits set. As users are
  given access to the new group, those users will also gain access to
  spurious lower group privileges. Also, group bits were not always reused
  when groups were deleted.

- The email interface had another insecure single parameter system call. This
  could potentially allow arbitrary shell commands to be run. This file is
  not supported at this time, but as long as we knew about the problem, we
  couldn't overlook it.

*** Bug fixes of note ***

- The email interface was broken. This was a 2.14.3 regression. This file
  is not supported at this time, but as long as we knew about the problem, we
  couldn't overlook it.
***********************************************
*** USERS UPGRADING FROM 2.14.5 OR EARLIER ***
***********************************************

*** SECURITY ISSUES RESOLVED ***

- The bug reporter could set the priority even when
  'letsubmitterchoosepriority' was off.

- Most CGIs are now templatized. This helps to make it
  easier to remember to HTML filter values and easier to spot
  when they are not, preventing cross site scripting attacks.

- Most CGIs now run in taint mode. This helps to prevent
  failure to validate errors.

*** IMPORTANT CHANGES ***

- 2.16 introduces "templatization", a new feature that allows
  administrators to easily customize the HTML output (the "look and feel")
  of Bugzilla without altering Perl code. Bugzilla uses the
  "Template Toolkit" for this. Please see the "Template Customization"
  section of the Bugzilla Guide for more details.

  Administrators who ran the 2.15 development version with custom
  templates should check the templates are still valid, as file names
  and file paths have changed.

  Most output is now templatized. This process will be complete next

  For speed, compiled templates are cached on disk. If you modify the
  templates, the toolkit will normally detect the changes, and recompile the

  Adding new directories anywhere inside the template directory may cause
  permission errors if you don't have a webservergroup specified in
  localconfig. If you see these, rerun checksetup.pl as root. If you do not
  have root access, or cannot get someone who does to do this for you, you can
  rename the data/template directory to data/template.old (or any other name
  Bugzilla doesn't use). Then rerun checksetup.pl to regenerate the compiled

- Administrators can now configure maximum attachment sizes. These
  should remain below the maximum size for your MySQL server, or you
  will get obscure MySQL errors if you attach a bigger attachment.

  To find out the current size attachment that MySQL can accept, type
  the command 'mysqladmin variables' and find out the value of the
  'max_allowed_packet' variable in bytes.

  To change the maximum size that MySQL can accept you can alter this
  variable in your 'my.cnf' file.

- Perl 5.004 is no longer supported because the Template Toolkit

- New module requirements: Text::Wrap, Template [requires AppConfig],

  (bugs 97784, 84338, 103778)

- The index page is now a CGI instead of an HTML page. You should remove
  any existing index.html file and make sure your web server allows index.cgi
  to be the default page in a directory. If you are not able to do that you
  can instead set index_html in the 'localconfig' file to 1 and checksetup.pl
  will create a redirect page for you.

- It is now recommended that administrators run "processmail rescanall"
  after upgrading to 2.16 or beyond.

  This will send out notification emails for changes that were
  made but not emailed, due to Bugzilla bugs. All known
  causes of this have been fixed in this version (bug 104589 and 99519).

  It is also recommended that this be run nightly to avoid
  lengthy delays in future if this problem reoccurs.

- In parallel with templatization, a lot of changes have been made to the HTML
  output of the Bugzilla CGIs. This could break code that attempts to parse
  such code. For example, this breaks mozbot.

- The "HTML template" parameters (headerhtml, bodyhtml, footerhtml,
  errorhtml, bannerhtml, blurbhtml, mostfreqhtml, entryheaderhtml) have now
  been moved to Template Toolkit templates. If you have modified these
  parameters you will need to make corresponding changes to the corresponding
  templates. Your old parameter values will be moved to a file called
  old-params.txt by checksetup.pl.

  The old parameters correspond to files in template/en/default as follows:

    headerhtml:      global/header.html.tmpl
    footerhtml:      global/footer.html.tmpl
    bannerhtml:      global/banner.html.tmpl
    blurbhtml:       global/banner.html.tmpl
    mostfreqhtml:    reports/duplicates*.html.tmpl
    entryheaderhtml: bug/create/user-message.html.tmpl
*** Other changes of note ***
2492
- The query page has been redesigned for better user friendliness.
2494
- Users can now change their email account.
2496
- "Dependent Bug Changed" notification emails now contain the
2497
dependent bug's summary and URL.
2499
- Bugs with severity "critical", "blocker", and "enhancement" are
2500
visually differentiated on bug lists for browsers with sufficient
2503
- Bugzilla now has a sidebar for the Mozilla browser.
2505
- A link to just created attachments now appears in notification
2508
- Comments now have numbers and can be referenced with
2509
autohyperlinkifying similar to bugs.
2511
- The attachment system has been rewritten, supporting new
2512
"attachment statuses" (like keywords, but for attachments),
2513
the ability to obsolete attachments, edit attachment MIME type,
2514
and edit whether the attachment is a patch.
2516
- syncshadowdb now supports a configurable temp file location,
2517
and properly shuts down Bugzilla while running.
2519
- Dependency tree now lets you exclude resolved bugs and bugs
2520
below a specified depth.
2522
- The "strictvaluechecks" parameter has gone away. These checks
2523
are now always done.
2525
- The midair collision page now shows all changes since the bug
2526
page was loaded, not just the last one.
2528
- Added support for making dependency graphs with 'dot', which
2529
is better at creating complex graphs than 'webdot'.
*** Bug fixes of note ***

- Bugzilla scripts are now usually not terminated when the browser
  window they are running in is closed. This caused hard to

- On browsers that "reflow" the page, large component / milestone /
  version fields were extremely slow to reflow when you altered

- The selection in the component / milestone / version fields is
  no longer lost when you change the selection in the product
  field or use the back/forward buttons in your browser to return

- You could not reverse dependencies in one step.

- Mass reassignment of non-open bugs will no longer reopen them.

- Attempting to bulk change no bugs will now give a user-friendly

- If you make a change to a bug where you only add yourself to CC,
  email notifications are now properly sent out for MySQL 3.23.

- Bug entry now properly validates the data it has been sent.

- Midair collision checks will now properly work in all situations
  where dependencies have changed.

- Browsers can no longer corrupt the params file if they use the "wrong"
  end-of-line markers.

- The MySQL port defined in localconfig is now properly honoured.

- Apostrophes in component/milestone/version names no longer cause
  a problem on the query page.

- File attachment comments will now wrap.

- Saved queries are no longer mangled if you need to log in again,
  for example if you had cookies off.

- Bug counts (on reports.cgi) were very slow if you had to
  count a lot of bugs.

- 2.14 introduced options to let people whose name is on a bug
  see it even if they aren't in the groups the bug is restricted
  to. These only allowed the people to view the bugs directly,
  and not see them on buglists and receive email about them.

- A new 'cookiepath' parameter on editparams.cgi allows multiple
  Bugzilla installations to exist on one host without problems.

- whineatnews.pl now respects the 'sendmailnow' parameter.

- The query page came up even when Bugzilla was shut down.

- Quicksearch gave a weird error message when Bugzilla was

- Operating system detection fixes.
  (bugs 92763, 135666)

- QA contacts now receive emails when a new bug is created and
  their only email preference was being added or removed from QA.
***********************************************
*** USERS UPGRADING FROM 2.14.4 OR EARLIER ***
***********************************************

See section above about users upgrading from 2.16.1 or earlier,

***********************************************
*** USERS UPGRADING FROM 2.14.3 OR EARLIER ***
***********************************************

See section above about users upgrading from 2.16.0 or earlier.

***********************************************
*** USERS UPGRADING FROM 2.14.2 OR EARLIER ***
***********************************************

*** SECURITY ISSUES RESOLVED ***

- Basic maintenance on contrib/bug_email.pl and
  contrib/bugzilla_email_append.pl which also fixes a
  possible security hole with a misuse of a system() call.
  These files are not supported at this time, but as long
  as we knew about the problem, we couldn't overlook it.

*** Bug fixes of note ***

- The fix for bug 130821 in 2.14.2 broke being able to sort
  bug lists on more than one field. buglist.cgi now allows
  you to sort on more than one field again.

***********************************************
*** USERS UPGRADING FROM 2.14.1 OR EARLIER ***
***********************************************

*** SECURITY ISSUES RESOLVED ***

- queryhelp.cgi no longer shows confidential products to
  people it shouldn't.

- It was possible for a user to bypass the IP check by
  setting up a fake reverse DNS, if the Bugzilla web server
  was configured to do reverse DNS lookups. Apache is not
  configured as such by default. This is not a complete
  exploit, as the user's login cookie would also need to
  be divulged for this to be a problem.

- In some situations the data directory became world writeable.

- Any user with access to editusers.cgi could delete a user
  regardless of whether 'allowuserdeletion' is on.

- Real names were not HTML filtered, causing possible cross
  site scripting attacks.
  (bug 146447, 147486)

- Mass change would set the groupset of every bug to be the
  groupset of the first bug.

- Some browsers (eg NetPositive) interacted with Bugzilla
  badly and could have various form problems, including
  removing group restrictions on bugs.

- It was possible for random confidential information to be
  divulged, if the shadow database was in use and became

- The bug list sort order is now stricter about the SQL it will accept,
  ensuring you use correct column name syntax. Before this, there were
  some syntax checks, so it is not known whether this problem was

********************************************
*** USERS UPGRADING FROM 2.14 OR EARLIER ***
********************************************

The 2.14.1 release fixes several security issues that became
known to us after the Bugzilla 2.14 release.

*** SECURITY ISSUES RESOLVED ***

- If LDAP Authentication was being used, Bugzilla would allow
  you to log in as anyone if you left the password blank.
- It was possible to add comments or file a bug as someone else
  by editing the HTML on the appropriate submission page before
  submitting the form. User identity is checked now, and the
  form values suggesting the user are now ignored.
  (bug 108385, 108516)

- The Product popup menu on the show_bug form listed all
  products, even if the user didn't have access to all of them.
  It now only shows products the user has access to (and the
  product the bug is in, if the user is viewing it because of
  some other override).

- If a user had any blessgroupset privileges (the ability to
  change only specific privileges for other users), it was
  possible to change your own groupset (privileges) by
  altering the page HTML before submitting on editusers.cgi.

- An untrusted variable was echoed back to the user in the HTML
  output if there was a login error while editing votes.

- buglist.cgi had an undocumented parameter that allowed you
  to pass arbitrary SQL for the "WHERE" part of a query.
  This has been disabled.

- It was possible for a user to send arbitrary SQL by inserting
  single quotes in the "mybugslink" field in the user

- buglist.cgi was not validating that the field names being
  passed from the "boolean chart" query form were valid field
  names, thus allowing arbitrary SQL to be inserted if you
  edited the HTML by hand before submitting the form.

- long_list.cgi was not validating that the bug ID parameter
  was actually a number, allowing arbitrary SQL to be inserted
  if you edited the HTML by hand.
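The last four items above (the sort order, the "mybugslink" quotes, the boolean chart field names and the long_list.cgi bug ID) share one cause: request parameters were pasted into SQL text. The following is an added example, not code from Bugzilla, showing the shape of the fix in Perl: a whitelist for anything that has to become part of the statement itself (column names), a numeric check for IDs, and DBI-style placeholders for values so that quotes in them are inert. The table and column names, the %form hash and the sample inputs are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Bugzilla code.  It shows the shape of the 2.14.1 fixes
# for buglist.cgi / long_list.cgi: whitelist anything that must become part
# of the SQL text, check IDs are numeric, and pass values as placeholders.
# The table, column names, %form hash and sample inputs are assumptions.

# Columns a request may sort on.  Anything not listed is rejected outright.
my %ALLOWED_FIELDS = map { $_ => 1 }
    qw(bug_id bug_severity priority assigned_to reporter bug_status resolution short_desc);

# A bug ID must be a plain positive integer; "42 OR 1=1" is not.
sub clean_bug_id {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /^\s*(\d{1,10})\s*$/;
    return $1 + 0;
}

# An ORDER BY list is rebuilt from validated pieces, never copied from input.
sub clean_order_by {
    my ($raw) = @_;
    my @cols;
    for my $col (split /\s*,\s*/, ($raw // '')) {
        my ($name, $dir) = $col =~ /^(\w+)(?:\s+(ASC|DESC))?$/i
            or return undef;
        return undef unless $ALLOWED_FIELDS{ lc $name };
        push @cols, lc($name) . ($dir ? ' ' . uc($dir) : '');
    }
    return @cols ? join(', ', @cols) : undef;
}

# Returns the SQL text plus the bind values, ready for
# $dbh->prepare($sql)->execute(@$binds).  Because the value travels as a
# placeholder, a single quote inside it is just a character.
sub build_query {
    my (%form) = @_;
    my $id = clean_bug_id($form{id});
    defined $id or die "Invalid bug ID\n";
    my $order = clean_order_by($form{order} // 'bug_id');
    defined $order or die "Invalid sort order\n";
    my $sql = "SELECT bug_id, short_desc FROM bugs WHERE bug_id = ? ORDER BY $order";
    return ($sql, [$id]);
}

# Constructed inputs: a normal request, then three of the kind the old code
# would have interpolated straight into the statement.
my ($sql, $binds) = build_query(id => '42', order => 'priority DESC, bug_id');
print "$sql\n   bind values: @$binds\n";

for my $bad ({ id => '42 OR 1=1' },
             { id => '42', order => "bug_id; DROP TABLE bugs" },
             { id => '42', order => "short_desc='x" }) {
    eval { build_query(%$bad); 1 } or print "rejected: $@";
}
```

The split between "part of the statement" and "value" is the point: a column name cannot be a placeholder, so it must be checked against a fixed list, whereas a bug ID or a link label can and should be a bind value.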
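The LDAP item at the top of this list is a different failure mode, and one that still bites integrations today: an LDAP simple bind that supplies a DN together with an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2), which many directory servers accept, so code that treats "bind succeeded" as "password verified" lets anyone log in as any user by leaving the password blank. The following is an added example, not Bugzilla code; the directory contents, DN layout and result codes are assumptions used to model that behaviour, and the bind routine is a stand-in for Net::LDAP's bind() so the script runs without a directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Bugzilla code.  Models the 2.14 LDAP hole: a simple
# bind with a DN and an EMPTY password is an unauthenticated bind that a
# server may answer with success.  Directory contents are constructed.

use constant LDAP_SUCCESS             => 0;
use constant LDAP_INVALID_CREDENTIALS => 49;

my %DIRECTORY = (
    'uid=alice,ou=people,dc=example,dc=org' => 'correct horse',
);

# Stand-in for a real bind, which with Net::LDAP would be roughly
#   $ldap->bind($dn, password => $password)->code
# Returns an LDAP result code.  Note the first line: empty password => success.
sub directory_bind {
    my ($dn, $password) = @_;
    return LDAP_SUCCESS if !defined $password || $password eq '';
    return LDAP_SUCCESS if exists $DIRECTORY{$dn} && $DIRECTORY{$dn} eq $password;
    return LDAP_INVALID_CREDENTIALS;
}

# The broken logic reduced to its essentials: trust the bind result alone.
sub login_vulnerable {
    my ($dn, $password, $bind) = @_;
    return $bind->($dn, $password) == LDAP_SUCCESS;
}

# Fixed: refuse empty or missing passwords before ever talking to the
# directory, so the server never sees a bind it might treat as anonymous.
sub login_fixed {
    my ($dn, $password, $bind) = @_;
    return 0 unless defined $password && length $password;
    return $bind->($dn, $password) == LDAP_SUCCESS;
}

my $alice = 'uid=alice,ou=people,dc=example,dc=org';
my @cases = (
    [ 'vulnerable, blank password', login_vulnerable($alice, '',              \&directory_bind) ],
    [ 'fixed, blank password',      login_fixed     ($alice, '',              \&directory_bind) ],
    [ 'fixed, wrong password',      login_fixed     ($alice, 'wrong',         \&directory_bind) ],
    [ 'fixed, right password',      login_fixed     ($alice, 'correct horse', \&directory_bind) ],
);
printf "%-28s %s\n", $_->[0], ($_->[1] ? 'LOGGED IN' : 'denied') for @cases;
```

The same guard belongs in front of any bind, including service-account binds, because a configuration with an empty bind password fails in exactly the same silent way.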
********************************************
*** USERS UPGRADING FROM 2.12 OR EARLIER ***
********************************************

*** SECURITY ISSUES RESOLVED ***

- Multiple instances of unauthorized access to confidential
  bugs have been fixed.
  (bug 39524, 39526, 39527, 39531, 39533, 70189, 82781)

- Multiple instances of untrusted parameters not being
  checked/escaped were fixed. These included definite security
  (bug 38854, 38855, 38859, 39536, 87701, 95235)

- After logging in, passwords no longer appear in the URL.

- Procedures to prevent unauthorized access to confidential
  files are now simpler. In particular the shadow directory
  no longer exists and the data/comments file no longer needs
  to be directly accessible, so the entire data directory can
  be blocked. However, no changes are required here if you
  have a properly secured 2.12 installation as no new files

- If they do not already exist, checksetup.pl will attempt to
  write Apache .htaccess files by default, to prevent
  unauthorized access to confidential files. You can turn this
  off in the localconfig file.

- Sanity check can now only be run by people in the 'editbugs'
  group. Although it would be better to have a separate
  group, this is not possible until the limitation on the
  number of groups allowed has been removed.

- The password is no longer stored in plaintext form. It will
  be eradicated next time you run checksetup.pl. A user must
  now change their password via a password change request that
  gets validated at their e-mail account, rather than have it

- When you are using product groups and you move a bug between
  products (single or mass change), the bug will no longer be
  restricted to the old product's group (if it was) and will
  be restricted to the new product's group.

- There are now options on a bug to choose whether the
  reporter and CCs can access a bug even if they aren't in
  the groups the bug is restricted to.

- You can no longer mark a bug as a duplicate of a bug you
  can't see, and if you mark a bug a duplicate of a bug
  the reporter cannot see you will be given options as to
  what to do regarding adding the reporter of the resolved
  bug to the CC of the open bug.
*** IMPORTANT CHANGES ***

- Bugzilla 2.14 no longer supports old email tech. Upon
  upgrading, all users will be moved over to new email tech.
  This should speed up upgrading for installations with
  a large number of bugs.

- There is new functionality for people to see why they are
  receiving notification mails.

  Previously, some people filtered old email tech
  notifications depending on whether they were in the To or the
  CC header, in order to get a limited way of determining why
  they were receiving the notification for filtering purposes.

  Existing installations will need to make changes to support
  this feature. The receive reasons can be added to the
  notifications as a header and/or in the body. To add these
  you will need to modify your newchangedmail parameter on
  editparams.cgi, either by resetting it or appropriately
  modifying it. The header value is specified by
  %reasonsheader% and the body by %reasonsbody%. For example,
  the new default parameter is:

  --------------------------------------------------
  From: bugzilla-daemon
  Subject: [Bug %bugid%] %neworchanged%%summary%
  X-Bugzilla-Reason: %reasonsheader%

  %urlbase%show_bug.cgi?id=%bugid%
  --------------------------------------------------

- Very long fields (especially multi-valued fields like keywords,
  CCs, dependencies) on bug activity and notifications previously
  could get truncated, resulting in useless notifications and data
  loss on bug activity. Now the multi-valued fields only show
  changes, and very big changes are split into multiple lines.
  Where data loss has already occurred on bug activity, it is
  indicated using question marks.

- Previously, when a product's voting preferences changed all
  votes were removed from all the bugs in the product. Also,
  when a bug was moved to another product, all of its votes
  were removed. This no longer occurs.

  Instead, if the action would leave one or more bugs with
  greater than the maximum number of votes per person per bug,
  the number of votes will be reduced to the maximum. The
  person will still be notified of this as before.

  If the action would leave a user with more votes in a product
  than is allowed, the limit will be breached so as to not lose
  votes. However the user will not be able to update their
  votes except to fix this situation. No further action is taken
  in this version to make sure that the user does this.
*** Other changes of note ***

- Groups can now be marked inactive, so you can't add a new
  restriction on that group to a bug, while leaving bugs that
  were previously restricted on that group alone.

- backdoor.cgi has been removed from the installation. It was
  old code that was Netscape-specific and its name was scaring

- You can now add or remove from CC on the bulk change page.

- New users created by administrators are now automatically
  inserted into groups according to the group's regular
  expression. Administrators must edit the user in a second
  step to override these choices. Previously the
  administrator specified these explicitly which could lead
  to incorrect settings.

- The userregexp of system groups can now be edited without
  resorting to direct database access.
*** Bug fixes of note ***

- The bug list page was sometimes bringing up a not logged in
  footer when the user was logged in and the installation was
  using a shadow database.

- You can now view the bug summary in your browser title for
  a group-restricted bug if you have proper permissions.

- Quick search for search terms did not work in IE5.
  This has been worked around.

- Quick search for search terms crashed NN4.76/4.77 for Unix.
  This has been worked around.

- Queries on bugs you have commented on using the "added
  comment" feature should be a lot faster and not time out
  on large installations due to the addition of an index.

- You can now alter group settings on bulk change for groups
  that aren't on for all bugs or off for all bugs.

- New bug notifications now include the CC and QA fields.

- Bugzilla is now more Windows friendly, although it is still
  not an official platform.

- Passwords are now hashed using Perl's crypt function (a one-way
  hash, not reversible encryption). This makes Bugzilla more
  portable to more operating systems.

- Bugzilla didn't properly shut down when told to - some
  queries could still be sent to the database.
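Two items in this section touch password storage: the move away from plaintext under SECURITY ISSUES RESOLVED, and the switch to Perl's crypt function above. The following is an added example, not Bugzilla code, showing what that looks like in practice, including the verification trick (crypt reads the salt back out of the stored hash) and the caveat a practitioner should know about: traditional DES crypt only looks at the first eight characters of the password. The salt alphabet, the use of rand() and the sample passwords are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Bugzilla code: storing and checking a password with
# Perl's built-in crypt().  Salt alphabet, rand() and sample passwords are
# assumptions; a real system would draw the salt from a CSPRNG.

my @SALT_CHARS = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');

sub make_salt {
    my ($len) = @_;
    # A salt need not be secret, only hard to predict.
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. $len;
}

# Store only the one-way hash.  crypt() embeds the salt at the front of its
# output, so the stored string is all that is needed to verify later.
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, make_salt(2));   # 2-char salt selects traditional DES crypt
}

# Verify by re-hashing with the stored value as the "salt": crypt() reads
# the salt back out of it, and the result must reproduce the stored hash.
sub check_password {
    my ($plain, $stored) = @_;
    return crypt($plain, $stored) eq $stored;
}

my $stored = hash_password('hunter2!');     # exactly 8 characters
print "stored hash:      $stored\n";
print "right password:   ", (check_password('hunter2!', $stored) ? 'accepted' : 'rejected'), "\n";
print "wrong password:   ", (check_password('hunter3!', $stored) ? 'accepted' : 'rejected'), "\n";

# Caveat: DES crypt() ignores everything after the 8th character, so on a
# libc that still provides it this 9-character password is "the same" one.
print "9th char ignored: ", (check_password('hunter2!x', $stored) ? 'yes' : 'no'), "\n";

# Where the C library supports it, a salt of the form '$6$...' selects
# SHA-512 crypt, which has neither the 8-character limit nor DES's weakness;
# check_password() works unchanged because the scheme is encoded in $stored.
```

The portability point in the release note is that crypt() is provided by Perl on every platform, whereas the previous scheme depended on the database; the caveat is that the traditional DES variant it defaults to with a two-character salt is far weaker than modern password hashing.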
********************************************
*** USERS UPGRADING FROM 2.10 OR EARLIER ***
********************************************

*** SECURITY ISSUES RESOLVED ***

- Some security holes have been fixed where shell escape characters
  could be passed to Bugzilla, allowing remote users to execute
  system commands on the web server.
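This item, like the contrib/bug_email.pl system() misuse noted under 2.14.2, is the classic Perl CGI command injection: a user-supplied string is handed to system() as a single argument, so /bin/sh parses it and any ';', '|', backtick or '$(' in the input starts a second command. The following is an added example, not Bugzilla code, showing the vulnerable shape next to the hardened one (validate, then call system() with a list so no shell is involved) and why taint mode is worth turning on. The command (/bin/echo standing in for a mail or graphing helper), the address pattern and the sample input are assumptions; run it as "perl -T file.pl" or via the #! line so that taint checking is active.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Added example, not Bugzilla code: the class of hole fixed in 2.10 (shell
# metacharacters reaching system()) and the two things that close it.
# /bin/echo stands in for the real helper; the address pattern and the
# sample input are constructed for illustration.

$ENV{PATH} = '/bin:/usr/bin';                 # taint mode insists on a clean PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $cmd = '/bin/echo';

# Vulnerable shape: one string, so /bin/sh parses it and anything after a
# ';', '|', '`' or '$(' in $addr becomes a second command.
sub notify_unsafe {
    my ($addr) = @_;
    return system("$cmd $addr") == 0;
}

# Hardened shape: (1) validate against a strict pattern, which under -T also
# untaints the captured value; (2) call system() with a LIST, which execs
# the program directly and never involves a shell.
sub notify_safe {
    my ($addr) = @_;
    defined $addr && $addr =~ /^([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)$/
        or die "refusing to run: bad address\n";
    my $clean = $1;
    return system($cmd, $clean) == 0;
}

# Constructed input of the kind an attacker would put in a form field.
my $hostile = 'qa@example.org; id';

notify_safe('qa@example.org');                # echoes the address
eval { notify_safe($hostile); 1 } or print "blocked: $@";

# notify_unsafe($hostile) would run "id" after the echo.  Under -T, had
# $hostile come from the request (and so been tainted), Perl would instead
# die with "Insecure dependency in system"; a literal here is not tainted,
# which is why the call is shown but not executed.
# notify_unsafe($hostile);
```

The list form of system() is the real fix; the regex is defence in depth and, under -T, the only way to untaint the value. Taint mode does not make the string form safe, it makes the mistake fail loudly instead of silently executing whatever the user sent.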
*** IMPORTANT CHANGES ***

- There is now a facility for users to choose the sort of
  notifications they wish to receive. This facility will
  probably be improved in future versions.

- "Changed" will no longer appear on the subject line of
  change notification emails. Because of this, you should
  change the subject line in your 'changedmail' and
  'newchangedmail' params on editparams.cgi. The subject
  line needs to be changed from

  Subject: [Bug %bugid%] %neworchanged% - %summary%

  Subject: [Bug %bugid%] %neworchanged%%summary%

  or whatever is appropriate for the subject you are using
  on your system. Note the removal of the " - " in the

*** Other changes of note ***

- Bug titles now appear in the page title, and will hence
  display in the user's browser's bookmarks and history.

- Edit groups functionality (editgroups.cgi).

- Support for moving bugs to other Bugzilla databases.

- Bugzilla now can generate a frequently reported bugs list
  based on what duplicates you receive.

- When installing Bugzilla fresh, the administrator account is
  now created in checksetup.pl.

- Stored queries now show their name above the bug list, which
  helps the user when they have multiple bug lists in multiple
  browser windows. It also appears in the page title, and will
  hence display in the user's browser's bookmarks and history.

- All states and resolutions can now be collected for charting.

- A new search-engine-like "quick search" feature appears on
  the front page to try to make searching easier.

- Querying on dependencies now works in the advanced query
  section of the query page.

- When a bug is marked as a duplicate, the reporter of the
  resolved bug is automatically added to the CC list of the

*** Bug fixes of note ***

- Notification emails will now always be sent to QA contacts.
  Previously they wouldn't if you were using new email tech.

- When marking a bug as a duplicate, the duplicate stamp marked
  on the open bug will no longer be written too early (such as
  on mid-air collisions).

- Various bug fixes were made to the initial assignee and QA
  of a component. It is no longer possible to enter an
  invalid address. They will also now properly update when
  a user's email address is changed. Sanity check will now

- Administrators can no longer create email accounts that do
  not match the global email regular expression parameter.
  Previously this could occur and would cause sanity check

- The resolution field can no longer become empty when the
  bug is resolved. This occurred because of midair collisions.

*******************************************
*** USERS UPGRADING FROM 2.8 OR EARLIER ***
*******************************************

Release notes were not compiled for versions of Bugzilla before

The file 'UPGRADING-pre-2.8' contains instructions you may
need to perform in addition to running 'checksetup.pl' if you
are running a pre 2.8 version.