From justdave at syndicomm.com Thu Jan 2 21:17:32 2003 From: justdave at syndicomm.com (David Miller) Date: Thu, 2 Jan 2003 16:17:32 -0500 Subject: [ANN] Bugzilla 2.14.5 Released Message-ID: The Bugzilla Team is pleased to announce the release of Bugzilla 2.14.5. 2.14.5 is the latest release on the 2.14 branch and fixes two security bugs in Bugzilla 2.14.4. For more detailed information, review the latest Bugzilla status report available at http://www.bugzilla.org/status_reports/2002-09-22.html . The Bugzilla team strongly recommends all 2.14.x users upgrade at least to 2.14.5, if not 2.16.2, due to the security bugs fixed in this release. All 2.14.x users who haven't already should begin planning an upgrade path to the 2.16 branch (currently at 2.16.2, also released today). The Bugzilla team has decided to focus development attention on newer, more maintainable release lineages. As such, the Bugzilla team has terminated support of the 2.14 branch as of this release. For details on upgrade options and to download 2.14.5, please see: http://www.bugzilla.org/download.html . Be sure to read the 2.14.5 release notes located within the release package in docs/rel_notes.txt. Finally, thanks to everyone who worked on this release! -- Dave Miller Project Leader, Bugzilla Bug Tracking System http://www.justdave.net/ http://www.bugzilla.org/ From justdave at syndicomm.com Thu Jan 2 21:17:49 2003 From: justdave at syndicomm.com (David Miller) Date: Thu, 2 Jan 2003 16:17:49 -0500 Subject: [ANN] Bugzilla 2.16.2 Released Message-ID: The Bugzilla Team is pleased to announce the release of Bugzilla 2.16.2. 2.16.2 is the latest stable Bugzilla release, and fixes two security bugs in Bugzilla 2.16.1. For more detailed information on what was fixed, review the latest Bugzilla status report available at http://www.bugzilla.org/status_reports/2003-01-02.html . The Bugzilla team strongly recommends all 2.16.x users upgrade to 2.16.2 due to the security bugs fixed in this release. For details on upgrade options and to download 2.16.2, see: http://www.bugzilla.org/download.html . Be sure to read the 2.16.2 release notes located within the release package in docs/rel_notes.txt. Thanks to everyone who worked on 2.16.2! -- Dave Miller Project Leader, Bugzilla Bug Tracking System http://www.justdave.net/ http://www.bugzilla.org/ From justdave at syndicomm.com Thu Jan 2 21:18:16 2003 From: justdave at syndicomm.com (David Miller) Date: Thu, 2 Jan 2003 16:18:16 -0500 Subject: [ANN] Bugzilla 2.17.3 Dev Snapshot Released Message-ID: The Bugzilla Team is pleased to announce the posting of Bugzilla 2.17.3, a snapshot of the current development sources from CVS. Bugzilla 2.17.3 is a Development Release and is intended for developers wishing to base large landings or patches off an official bugzilla.org release. It should not be used for production purposes, unless you have a Perl programmer on staff willing to put out any fires that may arise. The vast majority of sites wanting to test or use Bugzilla in production should continue to use version 2.16.2. To download 2.17.3, see http://www.bugzilla.org/download.html . Most of the details on new features available were posted in our latest status update, which can be viewed at http://www.bugzilla.org/status_updates/2003-01-02.html#newfeatures -- Dave Miller Project Leader, Bugzilla Bug Tracking System http://www.justdave.net/ http://www.bugzilla.org/ From justdave at syndicomm.com Thu Jan 2 21:20:08 2003 From: justdave at syndicomm.com (David Miller) Date: Thu, 2 Jan 2003 16:20:08 -0500 Subject: [BUGZILLA] Security Advisory - remote database password disclosure Message-ID: Bugzilla Security Advisory January 2nd, 2002 Severity: major (remote database password disclosure, bug 186383) minor (local file permissions, bug 183188) Summary ======= All Bugzilla installations are advised to upgrade to the latest versions of Bugzilla, 2.14.5 and 2.16.2, both released today. Security issues of varying importance have been fixed in both branches. These vulnerabilities affect all previous 2.14 and 2.16 releases. Development snapshots prior to version 2.17.3 are also affected, so if you are using a development snapshot, you should obtain a newer one or use CVS to update. 2.14.x users are additionally encouraged to upgrade to 2.16.2 as soon as possible, as this is the last 2.14.x release and the 2.14 branch will no longer be supported by the Bugzilla team. This advisory covers two security bugs: one involves incorrect local permissions on a directory, allowing local users access. The other involves protecting configuration information leaks due to backup files created by editors. Vulnerability Details ===================== The following security issues were fixed in 2.14.5, 2.16.2, and 2.17.3: - The provided data collection script intended to be run as a nightly cron job changes the permissions of the data/mining directory to be world- writable every time it runs. This would enable local users to alter or delete the collected data. (Bugzilla bug 183188 / Bugtraq ID 6502). - The default .htaccess scripts provided by checksetup.pl do not block access to backups of the localconfig file that might be created by editors such as vi or emacs (typically these will have a .swp or ~ suffix). This allows an end user to download one of the backup copies and potentially obtain your database password. If you already have such an editor backup in your bugzilla directory it would be advisable to change your database password in addition to upgrading. In addition, we also continue to recommend hardening access to the Bugzilla database user account by limiting access to the account to the machine Bugzilla is served from (typically localhost); consult the MySQL documentation for more information on how to accomplish this. (Bugzilla bug 186383 / Bugtraq ID 6501) Also included in these releases are the patches that were posted as part of our earlier security advisory on November 26th, 2002. (Bugzilla bug 179329, Bugtraq ID 6257 - see http://online.securityfocus.com/archive/1/301316 ) Vulnerability Solutions ======================= The fixes for both security bugs contained in this release, as well as the previously announced security bug involving cross-site scripting vulnerabilities are contained in the 2.14.5, 2.16.2, and 2.17.3 releases. Upgrading to these releases will protect installations against exploitations of these security bugs. Individual patches to upgrade Bugzilla are available at: http://ftp.mozilla.org/pub/webtools/ (these patches are only valid for 2.14.4 and 2.16.1 users). Full release downloads and CVS upgrade instructions are available at: http://www.bugzilla.org/download.html References ========== Complete bug reports for the security bugs covered herein may be obtained at: http://bugzilla.mozilla.org/show_bug.cgi?id=183188 http://bugzilla.mozilla.org/show_bug.cgi?id=186383 General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.mozilla.org/community.html has directions for accessing these forums. -30- -- Dave Miller Project Leader, Bugzilla Bug Tracking System http://www.justdave.net/ http://www.bugzilla.org/ From justdave at syndicomm.com Thu Jan 2 21:35:57 2003 From: justdave at syndicomm.com (David Miller) Date: Thu, 2 Jan 2003 16:35:57 -0500 Subject: Bugzilla Status Update 2003-01-02 Message-ID: The following document can be viewed in HTML format with hyperlinks and tooltips and so forth at http://www.bugzilla.org/status_updates/2003-01-02.html Bugzilla Status Update J. Paul Reed and the Bugzilla Team Thursday, January 2nd, 2003 Copyright ? 2003 The Mozilla Organization. Introduction ============ The Bugzilla Team is pleased to announce the release of three versions of Bugzilla today: 2.14.5, 2.16.2, and 2.17.3: * 2.14.5 is a maintenance release on the 2.14 branch; it contains a couple of security-related bug fixes. Note: this is the last 2.14.x release, as the Bugzilla Team has officially stopped supporting the 2.14 branch. * 2.16.2 is a maintenance release on the 2.16 branch, containing a couple of security-related bug fixes. It is recommended that all production installations upgrade to 2.16.2 to make sure they get the fixes for these security bugs. * 2.17.3 is the latest developers' snapshot release from the trunk; it contains the above security bug fixes as well as tweaks to features in 2.17.1 (bug and attachment flags, enterprise groups, etc.). This release is a developers' release and is not generally intended for production use. The security bug fixes on the 2.14.x and 2.16.x branches and the trunk all address the same security bugs. These bugs address cross site scripting vulnerabilities (which the Bugzilla Team already released an announcement about on November 26th), and sensitive directory and file permissions. In all cases, local server compromises aren't possible, but unrestricted Bugzilla database access is possible. Unfortunately, none of these release address the Win32 situation which is still unchanged. What Happened to 2.17.2?! ========================= Bugzilla project observers may note that we're releasing a 2.17.3 developers' release without having released a 2.17.2 version. This was due to an overzealous Bugzilla developer (JayPee) who tagged the 2.17.2 release in CVS before it was quite ready to be released. Because of the holiday season and a couple of other bugs that were found, the Team decided to hold the release of 2.17.2 until after the holidays. But, some astute users noticed the new, incorrect tag and had already started to pull it from CVS. Therefore, to minimize confusion, and signify that other patches had been checked into the tree after what had been dubbed "2.17.2" was tagged, the Team decided to bump the version number to 2.17.3. Developers (and anyone else) do not want the 2.17.2 "release"; they want 2.17.3. Check-in Policy Update ====================== As Bugzilla project lead Dave Miller announced in the last status report, the Bugzilla project has changed its policies regarding check-ins. The new policy institutes an "approval" process for check-ins and comes as an addition to our existing review policy. Previously, to check something into Bugzilla's CVS tree, developers were only required to get the approval of one or two people on the review team. That process is now augmented by a requirement of obtaining approval on the patch from the project lead or a designee before it can be checked in. Current "designees," if there are any, are noted in the #mozwebtools topic. This won't amount to a code review, but rather a 'yes' or 'no' on whether this feature or bugfix in this form at this time is the best course of action to fulfill Bugzilla's design goals. Approvals are also being used to coordinate landing patches, so the approval flag generally won't be set until there's a patch ready to land. If you want to know if a patch you're working on will likely be given approval for check-in before you expend effort on it, you can ask on the developers at bugzilla.org mailing list. Bugzilla developers and reviewers are adjusting to this new policy well, and it's seemingly serving the Bugzilla project well. The quick release of another 2.17 developers' snapshot, a mere six weeks after 2.17.1, provides good evidence of this. Upcoming Major Features ======================= The following is a list of major new features the Bugzilla Team is currently working on. You can find more information, including implementation/design discussions, proposed landing dates, and status in the bug reports below. These are also features that the Bugzilla Team would appreciate help on, so if one of the features below interests you, feel free to jump into the fray! * Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876) * PostgreSQL support. (Bug 98304) * Sybase support. (Bug 173130) * Ability to add generic customized fields to bugs (Bug 91037) * Customized resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534) * Expanding the e-mail preferences to allow watching components, keywords, etc. (Bug 73665) * mod_perl support. (Bug 87406) * New makefile-based installation system (Bug 104660, Bug 105854, Bug 105855, and Bug 105856) * Generic charting. Allows users to define arbitrary data sets for which historical data will be recorded, and then plot those data sets. Bug 16009. New Bugzilla Features ===================== Re-architected Product Groups ----------------------------- Bug 147275, re-architected product groups, has finally landed. In the 2.17.3 release, the entire mechanism for handling groups has been revised. It is now possible to exert much more control over how groups and products are related. In editproducts.cgi, there is now a mechanism to permit you to edit the "Group Controls" for a product and determine which groups are applicable, default, and mandatory for each product as well as controlling entry for each product and being able to set bugs in a product to be totally read-only unless some group restrictions are met. The patch author, Joel Peshkin, has noted that all of the possible scenarios have not been anticipated and this is a new feature, so please Cc him on all bugs you file against re-architected product groups. Some examples of advanced uses for the re-architected product groups follow: * Example: When several products need to be associated with the same default group (formerly a product group), instead of defining several groups with the same names as the products and managing memberships in each group, a single group can be defined to control access and that group can be set as a "Default" group for all of the products. * Example: If certain products are never supposed to have a publicly accessible bug, define a group of all authorized users and set the groups control for those products to indicate that the group is Mandatory/Mandatory. This will place bugs in that group without giving the user any option at all. * Example: Anyone can enter a security bug. Create a product for security bugs. Do not restrict entry to the product at all. However, set the Member/Nonmember permissions to Default/Mandatory for the security group. This will permit anyone to enter and members of the security group will be able to override the default group restriction while nonmembers will be forced to restrict the bug to the security group. Replication/shadowdb removal ---------------------------- The shadowdb was a readonly copy of Bugzilla's database, which Bugzilla used for potentially expensive readonly queries, such as from buglist.cgi. Due to MySQL's table-level locking mechanism, long running queries block modifications and updates to the database; the shadowdb attempted to alleviate this bottleneck by creating a second database for these long running queries to use. Previously, Bugzilla handled updates from the main database to the copy on its own by keeping track of every SQL update. These updates were then sent to the shadow database via a separate process (syncshadowdb). This process had several bugs and was inefficient. With the landing of bug 124589, which added MySQL replication support to Bugzilla, and bug 180870, which removed the old manual syncing code, Bugzilla 2.17.3 is now able to use the replication facilities provided by the database to handle these updates. The system is now given the locations of the two databases, but leaves updating them to an alternative process. This simplifies the Bugzilla code, and enables further optimizations which were not possible when Bugzilla needed to capture all of an SQL UPDATE/INSERT command. New "always-require-login" Parameter ------------------------------------ This new parameter, added under bug 173761, allows administrators running commercial or sensitive Bugzilla installations to require users to present login credentials to access Bugzilla. Bugzilla is most commonly used for open source projects, where anyone should be able to search for and view certain types of bugs. But some entities need to restrict these operations to logged in users; this parameter allows administrators to require a login on every Bugzilla page, except for the front page. If users try to access any page without login credentials (in the form of a valid login cookie) and "always-require-login" is set, they will be prompted for the information before being allowed to continue. Attach and Reassign at Once --------------------------- When developers attach patches or other attachments (testcases, etc.) to bugs, they will commonly reassign the bug to themselves shortly thereafter, since that developer is actively working on that bug. These used to be distinct steps, which generated two email messages and required Bugzilla users to attach their patch and then reassign the bug to themselves. This patch, added as part of bug 116819 allows developers to reassign the bug to themselves and set the status to accepted during the attachment creation process. This effectively makes the above process one atomic operation, reducing bug spam and streamlining a very common process. Trunk Checkins Since the Last Status Update =========================================== The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the trunk from 11/17/2002 to 01/02/2003. This list was generated by filtering Bonsai's output on that query. Bold italic bugs are security-sensitive bugs. Checkins made without reference to any specific bugs: * (12/28/02) Release notes update (mattyt) * (12/21/02) Documentation rebuild (gerv) * (11/21/02) Post-2.17.1 release documentation corrections (justdave) Checkin manifest: (omitted for brevity - please see the online version [link at the top of this email]) 2.16 & 2.14 Branch Checkins Since the Last Status Update ======================================================== The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the 2.14 and 2.16 branches from 11/17/2002 to 01/02/2003. This list was generated by filtering Bonsai's output on that query (contains both branches). Bold italic bugs are security-sensitive bugs. Checkins made without reference to any specific bugs: * Versions numbers were bumped and release notes updated for both branches Checkin manifest: * Bug 186383 - Checksetup leaves editor backups of localconfig accessible * Bug 183188 - collectstats.pl no longer makes data/mining world- readable * Bug 179329 - filter quips in "show all the quips" for HTML Copyright ? 2003 The Mozilla Organization. -- Dave Miller Project Leader, Bugzilla Bug Tracking System http://www.justdave.net/ http://www.bugzilla.org/