From mkanat at bugzilla.org Fri Nov 7 09:20:09 2008
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Fri, 7 Nov 2008 01:20:09 -0800
Subject: [ANN] Release of Bugzilla 3.2rc2, 3.0.6, 2.22.6, and 2.20.7
Message-ID: <20081107012009.022fbe56@es-compy>

Today there are four releases of Bugzilla!

The biggest release is Bugzilla 3.2rc2. There have been a lot of changes since 3.2rc1, particularly in the UI, so we wanted to put out another release candidate to get feedback. If all goes well with this release candidate, it should become 3.2 final in a few weeks with very few changes.

3.2rc2 is stable enough to use in small production environments, but major installations should wait for 3.2 final before upgrading.

Other than 3.2rc2, there are three other releases: 3.0.6, 2.22.6, and 2.20.7. 3.0.6 has some minor bug fixes, 2.22.6 brings Perl 5.10 compatibility to the 2.22 series, and 2.20.7 is a security-fix release.

We also fixed a security bug in all releases that are coming out today. See the Security Advisory section for details.

Download
--------

Bugzilla is available at:

http://www.bugzilla.org/download/

Release Notes & Changes
-----------------------

Before installing or upgrading, it is VERY IMPORTANT to read the Release Notes:

3.2rc2: http://www.bugzilla.org/releases/3.2/release-notes.html
3.0.6: http://www.bugzilla.org/releases/3.0.6/release-notes.html
2.22.6: http://www.bugzilla.org/releases/2.22.6/release-notes.html
2.20.7: http://www.bugzilla.org/releases/2.20.7/release-notes.html

To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

http://www.bugzilla.org/status/changes.html

Security Advisory
-----------------

You can read the security advisory describing the fixed issues here:

http://www.bugzilla.org/security/2.20.6/

Report Bugs
-----------

If you find a bug in Bugzilla, please report it!
Instructions are at this URL:

http://www.bugzilla.org/developers/reporting_bugs.html

Try Out Bugzilla
----------------

If you'd like to test-drive Bugzilla, you can use the demo installations of Bugzilla at:

http://landfill.bugzilla.org/

Support
-------

You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out:

Free Support: http://www.bugzilla.org/support/
Paid Support: http://www.bugzilla.org/support/consulting.html

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of hundreds of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-Max Kanat-Alexander
Release Manager, Bugzilla Project

From mkanat at bugzilla.org Fri Nov 7 09:20:58 2008
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Fri, 7 Nov 2008 01:20:58 -0800
Subject: [ANN] Security Advisory for Bugzilla 3.2rc1, 3.0.5, 2.22.5, and 2.20.6
Message-ID: <20081107012058.7006fc65@es-compy>

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of software projects.

This advisory covers a minor security issue that has recently been fixed in the Bugzilla code:

* Unprivileged users can approve/unapprove all quips

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class:       Manipulation of Data
Versions:    2.17.4 and higher
Description: Quips, which are displayed at the top of bug lists, can be
             suggested by all users, but administrators can control which
             ones to display. By using a well crafted URL, unprivileged
             users can bypass access checks and approve or disapprove
             quips themselves.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=449931

Vulnerability Solutions
=======================

The fix for the security bug mentioned in this advisory is included in the 3.2 RC2, 3.0.6, 2.22.6, and 2.20.7 releases. Upgrading to these releases will protect installations from possible exploits of this issue.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at:

http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix these issues:

Robin H. Johnson
Frédéric Buclin
Alexander F?r?y

General information about the Bugzilla bug-tracking system can be found at:

http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.

-Max Kanat-Alexander
Release Manager, Bugzilla Project

From mkanat at bugzilla.org Sun Nov 30 02:49:26 2008
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Sat, 29 Nov 2008 18:49:26 -0800
Subject: [ANN] Release of Bugzilla 3.2!
Message-ID: <20081129184926.228a1874@es-compy>

Today we have a new major release of Bugzilla, Bugzilla 3.2!

Bugzilla 3.2 has an enormous number of new features, including some great user interface enhancements, custom statuses, new custom field types, Oracle support, and lots of other improvements.

Note that Oracle support is only experimental in this release. You can see our latest Status Update to find out more about what that means. The Status Update also tells all about what's going on in the Bugzilla Project lately, and our plans for Bugzilla 4.0.

The release of Bugzilla 3.2 means that the Bugzilla 2.20 series has now reached End-Of-Life. This means that no development will be done on the 2.20 series anymore, and no new 2.20 releases will be made, even if there are security holes in the 2.20 series. This means that if you are using version 2.20.7 or older, you REALLY need to upgrade.

We hope that you enjoy Bugzilla 3.2!

Download
--------

Bugzilla is available at:

http://www.bugzilla.org/download/

Release Notes & Changes
-----------------------

Before installing or upgrading, it is VERY IMPORTANT to read the Release Notes:

http://www.bugzilla.org/releases/3.2/release-notes.html

To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

http://www.bugzilla.org/status/changes.html

Status Update
-------------

Our latest Status Update has all kinds of useful information about our latest release, and some information about where we're headed in the future with Bugzilla:

http://www.bugzilla.org/status/2008-11-29.html

Report Bugs
-----------

If you find a bug in Bugzilla, please report it!
Instructions are at this URL:

http://www.bugzilla.org/developers/reporting_bugs.html

Try Out Bugzilla
----------------

If you'd like to test-drive Bugzilla, you can use the demo installations of Bugzilla at:

http://landfill.bugzilla.org/

Support
-------

You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out:

Free Support: http://www.bugzilla.org/support/
Paid Support: http://www.bugzilla.org/support/consulting.html

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of hundreds of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-Max Kanat-Alexander
Release Manager, Bugzilla Project
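
Added example (not part of the original messages and not Bugzilla's own code): a version triage for the quip approval advisory of 7 Nov 2008 above, built only from the affected range and the fixed releases that advisory states. The function names and status labels are this example's own, and the inventory at the bottom is constructed.

```python
import re

FIRST_AFFECTED = (2, 17, 4)   # advisory: "Versions: 2.17.4 and higher"
FIXED_IN = {                  # advisory: "Vulnerability Solutions"
    (3, 2): "3.2rc2",
    (3, 0): "3.0.6",
    (2, 22): "2.22.6",
    (2, 20): "2.20.7",
}
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")


def parse(version):
    """Turn '3.2rc1' or '2.22.5' into a tuple that sorts rc before final."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, rc = m.groups()
    final = 0 if rc else 1    # a release candidate sorts below its final release
    return (int(major), int(minor), int(patch or 0), final, int(rc or 0))


def assess(version):
    """Return (status, fixed_release_or_None) for one installed version."""
    v = parse(version)
    if v[:3] < FIRST_AFFECTED:
        return ("not-affected", None)
    branch = v[:2]
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if v >= parse(fixed):
            return ("fixed", fixed)
        return ("vulnerable", fixed)
    if branch < max(FIXED_IN):
        # In the affected range, but the advisory names no fix on this branch.
        return ("vulnerable-no-branch-fix", None)
    # Branch is newer than anything the advisory covers; it cannot answer.
    return ("not-covered", None)


if __name__ == "__main__":
    # Constructed inventory of installed versions, for illustration only.
    for installed in ["2.16.11", "2.18.6", "2.20.6", "2.22.6", "3.0.5", "3.2rc1", "3.2"]:
        print(installed, *assess(installed))
```

A "fixed" result on the 2.20 branch still needs attention, because the 3.2 announcement above declares the 2.20 series End-Of-Life.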