From mkanat at bugzilla.org Thu Nov 5 16:49:27 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Thu, 05 Nov 2009 08:49:27 -0800
Subject: [ANN] Release of Bugzilla 3.5.1, 3.4.3, and 3.0.10
Message-ID: <4AF30217.7090305@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today the Bugzilla Project is releasing Bugzilla 3.5.1, 3.4.3, and 3.0.10.

Bugzilla 3.4.3 is our latest stable release, and contains various useful bug fixes and minor improvements.

Bugzilla 3.0.10 fixes a bug introduced in 3.0.9 that made the Bug.create WebService function fail sometimes.

Bugzilla 3.5.1 is our first development release toward Bugzilla 3.6. It contains many exciting new features, which you can read about in the Bugzilla Update linked below. This release has not received QA testing from the Bugzilla Project, and should not be used in production environments. If you find a bug in this development release (or you don't like how some feature works) please tell us! This code will eventually become 3.6, and we want it to work well for you.

Download
--------

Bugzilla is available at:

  http://www.bugzilla.org/download/

Release Notes & Changes
-----------------------

Before installing or upgrading, you should read the Release Notes for this version of Bugzilla:

  3.4.3:  http://www.bugzilla.org/releases/3.4.3/release-notes.html
  3.0.10: http://www.bugzilla.org/releases/3.0.10/release-notes.html

It is particularly important to read the Release Notes if you are upgrading from one major version to another (like 3.2.x to 3.4).
To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

  http://www.bugzilla.org/status/changes.html

The Bugzilla Update
-------------------

You can see the latest updates from the Bugzilla Project and information about the latest development release on the latest Bugzilla Update:

  http://bugzillaupdate.wordpress.com/2009/11/05/release-3-4-3/

Report Bugs
-----------

If you find a bug in Bugzilla, please report it! Instructions are at this URL:

  http://www.bugzilla.org/developers/reporting_bugs.html

Support
-------

You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out:

  Free Support: http://www.bugzilla.org/support/
  Paid Support: http://www.bugzilla.org/support/consulting.html

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of thousands of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.
-Max Kanat-Alexander
Release Manager, Bugzilla Project

From mkanat at bugzilla.org Thu Nov 19 04:58:10 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Wed, 18 Nov 2009 20:58:10 -0800
Subject: [ANN] Security Advisory for Bugzilla 3.4.3 and 3.5.1
Message-ID: <4B04D062.4010104@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of software projects.

* Aliases of hidden bugs would show up in the "Depends On" and "Blocks" list of other bugs, even if you didn't have permission to see the hidden bugs.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class:       Information Leak
Versions:    3.3.2 to 3.4.3, 3.5 to 3.5.1
Fixed In:    3.4.4, 3.5.2
Description: When a bug is in a group, none of its information (other than its status and resolution) should be visible to users outside that group. It was discovered that as of 3.3.2, Bugzilla was showing the alias of the bug (a very short string used as a shortcut for looking up the bug) to users outside of the group, if the protected bug ended up in the "Depends On" or "Blocks" list of any other bug.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=529416
CVE Number:  CVE-2009-3386

Vulnerability Solutions
=======================

The fix for this issue is included in the 3.4.4 and 3.5.2 releases. Upgrading to a release with the relevant fix will protect your installation from possible exploits of this issue.

If you are unable to upgrade but would like to patch just the individual security vulnerability, there is a patch available for the issue in the Reference URL of the advisory.
Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix this issue:

  Dave Miller
  Frédéric Buclin
  Max Kanat-Alexander
  Jesse Ruderman

General information about the Bugzilla bug-tracking system can be found at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.

From mkanat at bugzilla.org Thu Nov 19 05:01:19 2009
From: mkanat at bugzilla.org (Max Kanat-Alexander)
Date: Wed, 18 Nov 2009 21:01:19 -0800
Subject: [ANN] Release of Bugzilla 3.4.4 and 3.5.2
Message-ID: <4B04D11F.9000000@bugzilla.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today the Bugzilla Project is releasing Bugzilla 3.4.4 and 3.5.2, both to fix one security issue.

Bugzilla 3.4.4 is our latest stable release, and contains a few minor bug fixes in addition to the security fix.

Bugzilla 3.5.2 is our latest development release toward Bugzilla 3.6, and contains various new features in addition to the security fix. This release has not received QA testing from the Bugzilla Project, and should not be used in production environments. If you find a bug in this development release (or you don't like how some feature works) please tell us! This code will eventually become 3.6, and we want it to work well for you.
Download
--------

Bugzilla is available at:

  http://www.bugzilla.org/download/

Release Notes & Changes
-----------------------

Before installing or upgrading, you should read the Release Notes for this version of Bugzilla:

  3.4.4: http://www.bugzilla.org/releases/3.4.4/release-notes.html

It is particularly important to read the Release Notes if you are upgrading from one major version to another (like 3.2.x to 3.4).

To see a list of all changes between your version of Bugzilla and the current version of Bugzilla, you can use the chart at:

  http://www.bugzilla.org/status/changes.html

Report Bugs
-----------

If you find a bug in Bugzilla, please report it! Instructions are at this URL:

  http://www.bugzilla.org/developers/reporting_bugs.html

Support
-------

You can ask questions for free on the mailing lists (or in IRC) about Bugzilla, or you can hire a paid consultant to help you out:

  Free Support: http://www.bugzilla.org/support/
  Paid Support: http://www.bugzilla.org/support/consulting.html

About Bugzilla
--------------

Bugzilla is a "Defect Tracking System" or "Bug-Tracking System." Defect Tracking Systems allow individuals or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being "free", Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of thousands of organizations across the globe, and is widely regarded as one of the top defect-tracking systems available.

See http://www.bugzilla.org/about/ for more details.

-Max Kanat-Alexander
Release Manager, Bugzilla Project
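An added illustration of the group-visibility leak described in the CVE-2009-3386 advisory above and closed by the 3.4.4 and 3.5.2 releases; it is a constructed Python model, not Bugzilla's own Perl code nor part of any of the messages. The Bug and User classes, can_see_bug, and the sample data are assumptions made for this example: a "Depends On" entry keeps status and resolution visible to everyone (as the advisory permits) but appends the alias only when the viewer is allowed to see the bug.

```python
# Constructed model of the CVE-2009-3386 alias leak and its fix.
# Not Bugzilla's code; Bug, User and can_see_bug are assumed names.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Bug:
    id: int
    alias: Optional[str]
    status: str
    resolution: str
    groups: FrozenSet[str] = frozenset()   # empty set means the bug is public
    depends_on: List[int] = field(default_factory=list)


@dataclass
class User:
    groups: FrozenSet[str] = frozenset()


def can_see_bug(user: User, bug: Bug) -> bool:
    """A bug in one or more groups is visible only to members of one of them."""
    return not bug.groups or bool(bug.groups & user.groups)


def render_dependency(user: User, bug: Bug, hardened: bool = True) -> dict:
    """Render one 'Depends On'/'Blocks' entry as the viewer should see it.

    Status and resolution are the only fields the advisory allows outsiders
    to see. hardened=False reproduces the pre-3.4.4 behaviour of appending
    the alias for every bug; hardened=True appends it only when the viewer
    may see the bug.
    """
    label = str(bug.id)
    if bug.alias and (not hardened or can_see_bug(user, bug)):
        label = f"{bug.id} ({bug.alias})"
    return {"label": label, "status": bug.status, "resolution": bug.resolution}


def render_depends_on(user: User, bug: Bug, bugs: Dict[int, Bug],
                      hardened: bool = True) -> List[dict]:
    """Render the whole 'Depends On' list of `bug` for `user`."""
    return [render_dependency(user, bugs[i], hardened) for i in bug.depends_on]


def sample_bugs() -> Dict[int, Bug]:
    """Constructed data: public bug 2 depends on group-protected bug 1."""
    protected = Bug(1, "secret-feature", "NEW", "", frozenset({"security"}))
    public = Bug(2, None, "ASSIGNED", "", depends_on=[1])
    return {1: protected, 2: public}
```

Running render_depends_on for a user outside the "security" group with hardened=False shows "1 (secret-feature)", i.e. the leak; with hardened=True the same user sees only "1" plus the status and resolution.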