-***************************************
-*** The Bugzilla 2.18 Release Notes ***
-***************************************
-
-Introduction
-************
-
-This document contains the release notes for Bugzilla 2.18. In this document
-recently added, changed, and removed features of Bugzilla are described.
-
-The 2.18 release is the first in a new stable series, containing the results
-of over two years of hard and dedicated work by volunteers all over the world
-under the lead of Dave Miller.
-
-This is a preliminary document detailing how we expect things to be in the
-final 2.18 release. The contents of this document are subject to change up
-until the final release. Please file bugs in Bugzilla for any additions or
-corrections needed in this document.
+2.16 has not been released yet - these are prerelease notes.
+
+Insert nice little intro for version 2.16 here.
+
+**************************
+*** ABOUT THIS VERSION ***
+**************************
+
+Bug numbers referenced in this document are all on
+bugzilla.mozilla.org unless otherwise specified.
+
+*** Recommended Practice For The Upgrade ***
+
+As always, please ensure you have ran checksetup.pl after
+replacing the files in your installation.
+
+It is recommended that you view the sanity check page
+(sanitycheck.cgi) both before the upgrade and after running
+checksetup.pl after the upgrade, to see if there are any
+problems with your installation.
+
+It is also recommended that if you can, you immediately fix
+any problems you find. Be aware that if the sanity check page
+contains more errors after an upgrade, it doesn't necessarily
+mean there are more errors in your database, as it is likely
+they weren't being checked for in the old version.
+
+Failure to do this may mean that bugzilla will not
+work correctly.
+
+Administrators must make sure that certain files are
+inaccessible or confidential information might become
+available to enterprising individuals. This includes the
+localconfig file and the entire data directory. Please
+see the Bugzilla Guide for more information.
+
+*** Dependency Requirements ***
+
+MySQL v3.22.5
+Perl v5.005
+DBI v1.13
+DBD::MySQL v1.2209
+AppConfig v1.52
+Template Toolkit v2.07
+Text::Wrap v20001.0131
+File::Spec v0.82
+Data::Dumper, Date::Parse, CGI::Carp (any)
+GD v1.19 (optional)
+Chart::Base v0.99 (optional)
+XML::Parser (any)
+
+*** Deprecated Features ***
+
+- This is possibly the last stable release that will work with
+ MySQL version 3.22. Soon Bugzilla will require at least
+ version 3.23.x. The exact minimum version number required
+ has not yet been decided.
+ (bug 87958)
+
+- This is possibly the last stable release to support the
+ shadow database. The replacement (using MySQL's built in
+ replication) is not present in 2.16, but we expect that
+ very few sites use this feature. If this would cause a
+ problem for you, please comment on the below bug.
+ (bug 124589)
+
+*** Outstanding Issues Of Note ***
+
+- Renaming or removing keywords that are in use will not update
+ the "keyword cache" on bugs, and queries on keywords may not work
+ properly, until you rebuild the cache on the sanity check page
+ (sanitycheck.cgi). The changer will receive a warning to do
+ this when altering the keyword.
+ (bug 69621)
+
+- Email notifications will not work out of the box if you are
+ using Postfix, Exim or possibly other non-SendMail mail
+ transfer agents, as Bugzilla sends mail by default in
+ "deferred" mode using the "-ODeliveryMode=deferred" command
+ line option, which needs to be supported by the sendmail
+ program. To fix this, you can turn on the "sendmailnow"
+ parameter on the Edit Parameters page (editparams.cgi).
+ (bug 37765)
+
+- Users behind rotating transparent proxies or otherwise having
+ an IP that changes each URL fetch will find they need to log in
+ regularly.
+ (bug 20122)
+
+- If you search on any CC or added comments, as well as at least
+ one other of CC, added comments, assignee, reporter, etc, then
+ the search can be very slow. This is because of limitations of
+ the MySQL optimiser.
+ (bug 96101)
+
+- It is recommended you use the high speed XS Stash of the Template
+ Toolkit, in order to achieve best performance. However, there are
+ known problems with XS Stash and Perl 5.005_02 and lower. If you
+ wish to use these older versions of Perl, please use the regular
+ stash. You are asked which stash you want to use at Template Toolkit
+ installation time.
+ (bug 140674)
+
+- This release of Bugzilla uses the Template Toolkit. For speed,
+ compiled templates are cached on disk. If you modify the templates
+ in order to customise the look and feel of your Bugzilla instalation,
+ the toolkit will normally detect the changes, and recompile the
+ changed templates.
+
+ However, if you do not set a webservergroup in the localconfig file,
+ (a generally unwise thing on a production installation of Bugzilla)
+ the template directory would have to be world-writable for automatic
+ recompilation to happen.
+
+ Doing that would be a security risk. So, if you modify templates locally
+ and do not have a webservergroup set, you will have to rerun checksetup.pl
+ to recompile the templates manually. If you do not do this, the changes
+ you make will not appear, and an error message will be reported.
+
+ Adding new directories anywhere inside the template directory may cause
+ permission errors. If you see these, rerun checksetup.pl as root. If you
+ do not have root access, or cannot get someone who does to do this for you,
+ you can rename the data/template directory to data/template.old (or any
+ other name bugzilla doesn't use). Then rerun checksetup.pl to regenerate
+ the compiled templates.
+ (bug 97832)
+
+- Querying on CC takes too long on big databases.
+ (bug 127200)
+
+***********************************************
+*** USERS UPGRADING FROM 2.14.1 OR EARLIER ***
+***********************************************
+
+*** SECURITY ISSUES RESOLVED ***
+
+- The bug reporter could set the priority even when
+ 'letsubmitterchoosepriority' was off.
+ (bug 63018)
+- It was possible for random confidential information to be
+ divulged, if the shadow database was in use and became
+ corrupted.
+ (bug 92263)
+- Mass change would set the groupset of every bug to be the
+ groupset of the first bug.
+ (bug 107718)
+- Most CGIs now run in taint mode. This helps to prevent
+ failure to validate errors.
+ (bug 108982)
+- queryhelp.cgi no longer shows confidential products to
+ people it shouldn't.
+ (bug 126801)
+- The bug list sort order could take arbitrary SQL. There
+ are no known exploits for this problem.
+ (bug 130821)
+- It was possible for a user to bypass the IP check by
+ setting up a fake reverse DNS, if the Bugzilla web server
+ was configured to do reverse DNS lookups. Apache is not
+ configured as such by default. This is not a complete
+ exploit, as the user's login cookie would also need to
+ be divulged for this to be a problem.
+ (bug 129466)
+
+*** IMPORTANT CHANGES ***
+
+- 2.16 introduces "templatisation", a new feature that allows
+ administrators to easily customise the HTML output of Bugzilla
+ without altering Perl code. Bugzilla uses the "Template Toolkit"
+ for this. ??? See the Bugzilla Guide?
+
+ Administrators who ran the 2.15 development version and customised
+ templates should check the templates are still valid, as file names
+ and file paths have changed.
+
+ Most output is now templatised. This process will be complete next
+ milestone.
+ (bug 86168)
+
+- Administrators can now configure maximum attachment sizes. These
+ should remain below the maximum size for your MySQL server, or you
+ will get obscure MySQL errors if you attach a bigger attachment.
+
+ To find out the current size attachment that MySQL can accept, type
+ the command 'mysqladmin variables' and find out the value of the
+ 'max_allowed_packet' varible in bytes.
+
+ To change the maximum size that MySQL can accept you can alter this
+ variable in your 'my.cnf' file.
+ (bug 91664)
+
+- Perl 5.004 is no longer supported because the Template Toolkit
+ requires 5.005.
+ (bug 97721)
+
+- New requirements: Text::Wrap, Template [requires AppConfig].
+ (bugs 97784, 84338)
+
+- New version required: Perl v5.005, File::Spec v0.82
+ (bugs 97721, ???)
+
+- The index page is now a CGI instead of an HTML page. You should remove
+ any existing index.html file and make sure your web server allows index.cgi
+ to be the default page in a directory. If you are not able to do that you
+ can instead set index_html in the 'localconfig' file to 1 and checksetup.pl
+ will create a redirect page for you.
+ (bug 80183)
+
+- It is now recommended that administrators run "processmail rescanall"
+ after upgrading to 2.16 or beyond.
+
+ This will send out notification emails for changes that were
+ made but not emailed, due to Bugzilla bugs. All known
+ causes of this have been fixed in this version (bug 104589 and 99519).
+
+ It is also recommended that this be run nightly to avoid
+ lengthy delays in future if this problem reoccurs.
+ (bug 106377)
+
+- If you wish to use ??? webdot htaccess stuff here ???
+
+- In parallel with templatisation, a lot of changes have been made to the HTML
+ output of the Bugzilla CGIs. This could break code that attempts to parse
+ such code. For example, this breaks mozbot.
+ (no bug number)
+
+*** Other changes of note ***
+
+- The query page has been redesigned for better user friendliness.
+ (bug 98707)
+- Users can now change their email account.
+ (bug 23067)
+- "Dependent Bug Changed" notification emails now contain the
+ dependent bug's summary.
+ (bug 28736)
+- Bugs with severity "critical", "blocker", and "enhancement" are
+ visually differentiated on bug lists for browsers with sufficient
+ CSS support.
+ (bug 28884)
+- Bugzilla now has a sidebar for the Mozilla browser.
+ (bug 37339)
+- A link to just created attachments now appears in notification
+ email.
+ (bug 66651)
+- Comments now have numbers and can be referenced with
+ autohyperlinkifying similar to bugs.
+ (bug 71840)
+- The attachment system has been rewritten, supporting new
+ "attachment statuses" (like keywords, but for attachments),
+ the ability to obsolete attachments, edit attachment MIME type,
+ and edit whether the attachment is a patch.
+ (bugs 84338, 75176)
+- syncshadowdb now supports a configurable temp file location,
+ and properly shuts down Bugzilla while running.
+ (bug 75840)
+- Dependency tree now lets you exclude resolved bugs and bugs
+ below a specific depth.
+ (bugs 83058)
+- The "strictvaluechecks" parameter has gone away. These checks
+ are now always done.
+ (bug 119715)
+- The midair collision page now shows all changes since the bug
+ page was loaded, not just the last one.
+ (bug 108312)
+- Added support for making dependency graphs with 'dot', which
+ is better at creating complex graphs than 'webdot'.
+ (bug 120537)
+
+*** Bug fixes of note ***
+
+- Bugzilla scripts are now usually not terminated when the browser
+ window they are running in is closed. This caused hard to
+ reproduce bugs.
+ (bug 104589)
+- On browsers that "reflow" the page, large component / milestone /
+ version fields were extremely slow to reflow when you altered
+ the product field.
+ (bug 96534)
+- The selection in the component / milestone / version fields is
+ no longer lost when you change the selection in the product
+ field or use the back/forward buttons in your browser to return
+ to the page.
+ (bug 97966)
+- You could not reverse dependencies in one step.
+ (bug 82143)
+- Mass reassignment of non-open bugs will no longer reopen them.
+ (bug 30731)
+- Attempting to bulk change no bugs will now give a user-friendly
+ error message.
+ (bug 90333)
+- If you make a change to a bug where you only add yourself to CC,
+ email notifications are now properly sent out for MySQL 3.23.
+ (bug 99519)
+- Bug entry now properly validates the data it has been sent.
+ (bug 107743)
+- Midair collision checks will now properly work in all situations
+ where dependencies have changed.
+ (bug 73502)
+- Browsers can no longer corrupt the params file if they use the "wrong"
+ end-of-line markers.
+ (bug 92500)
+- The MySQL port defined in localconfig is now properly honoured.
+ (bug 98368)
+- Apostrophes in component/milestone/version names no longer cause
+ a problem on the query page.
+ (bug 30689/42810)
+- File attachment comments will now wrap.
+ (bug 52060)
+- Saved queries are no longer mangled if you need to log in again,
+ for example if you had cookies off.
+ (bug 38835)
+- Bug counts (on reports.cgi) were very slow if you had to
+ count a lot of bugs.
+ (bug 63249)
+- 2.14 introduced options to let people see a bug when their name
+ is on it but who aren't in the groups the bug is restricted
+ to. These only allowed the people to view the bugs directly,
+ and not see them on buglists and receive email about them.
+ (bugs 95024, 97469)
+- A new 'cookiepath' parameter on editparams.cgi allows multiple
+ Bugzilla installations to exist on one host without problems.
+ (bug 19910)
+- whineatnews.pl now respects the 'sendmailnow' parameter.
+ (bug 52782)
+- The query page came up even when Bugzilla was shut down.
+ (bug 121747)
+- Quicksearch gave a weird error message when Bugzilla was
+ shut down.
+ (bug 121741)
+- Operating system detection fixes.
+ (bugs 92763, 135666)
+- QA contacts now receive emails when a new bug is created and
+ their only email preference was being added or removed from QA.
+ (bug 143091)
-
-Dependency Requirements
------------------------
-
-Minimum software requirements:
-
- MySQL v3.23.41 (changed from 2.16)
- Perl v5.6.0 (changed from 2.16)
-
-Required Perl modules:
-
- AppConfig v1.52
- CGI v2.93 (new since 2.16) (changed from 2.17.7)
- Data::Dumper (any)
- Date::Format v2.21 (changed from 2.16)
- DBI v1.36 (changed from 2.16) (changed from 2.17.7)
- DBD::mysql v2.1010 (changed from 2.16)
- File::Spec v0.82
- File::Temp (any)
- Template Toolkit v2.08 (changed from 2.16)
- Text::Wrap v2001.0131
-
-Optional Perl modules:
-
- Chart::Base v1.0 (changed from 2.16) (changed from 2.17.7)
- GD v1.20 (changed from 2.16)
- GD::Graph (any) (new since 2.16)
- GD::Text::Align (any) (new since 2.16)
- Net::LDAP (any) (new since 2.16)
- PatchReader v0.9.4 (new since 2.16) (changed from 2.17.7)
- XML::Parser (any)
-
-
-What's New?
-***********
-
-Generic Reporting
------------------
-
-Bugzilla has a new mechanism for generating reports of the current state of
-the bug database. It has two related parts: a table-based view, and several
-graphical views.
-
-The table-based view allows you to specify an x, y and z (multiple tables of
-data) axis to plot, and then restrict the bugs plotted using the standard
-query form. You can view the resulting data as an HTML or CSV export (e.g.:
-for importing into a spreadsheet).
-
-There are also bar, line and pie charts, which are defined in a very similar
-way. These views may be more appropriate for particular data types, and are
-suitable for saving and then putting into presentations or web pages.
-
-
-Request System
----------------
-
-The Request System (RS) is a set of enhancements that adds powerful flag
-(superset of the old attachment status) features to the bugs.
-
-RS allows for four states: off, granted, denied, and (optionally) requested,
-where "granted" is the equivalent of "on". These additions mean it is no
-longer necessary to define a status to negate another status (e.g.
-"needs-work" to negate "has-review") because negation is built into each
-status via the status' "denied" state. Bug statuses: Previously only
-attachments could have these kinds of statuses. RS enables them for bugs as
-well. This feature can be used to request and grant/deny certain properties
-for a bug, such as inclusion for a specific milestone or approval for checkin.
-This way, Bugzilla supports the natural decision-making process in your
-organization.
-
-- Requests: Flags can now optionally be made requestable, which means users
- can ask other users to set them. When a user requests a flag, Bugzilla
- emails the requestee and adds the request to a browsable queue so both the
- requester and the requestee can keep track of its status. Once the
- requestee fulfills the request by setting the flag to either granted or
- denied, Bugzilla emails the requestee and removes the request from the
- queue. This feature supports workflow like the mozilla.org code review
- and milestone approval processes, whereby code is peer reviewed before
- being committed and patches get approved by product release managers for
- inclusion in specific product releases.
-
-- Product/component specificity: Previously flags were product-specific, and
- if you wanted the same flag for multiple products you had to define
- multiple flags with the same name. Flags are now
- product/component-specific, and a single flag can be enabled or disabled
- for multiple product/component combinations via inclusions and exclusions
- lists. Flags are enabled for all combinations on their inclusions list
- except those that appear on their exclusions list.
-
-
-Enterprise Group Support
-------------------------
-
-Bugzilla is no longer limited to 55 access control groups. Administrators can
-define an arbitrary number of access groups composed of individual users or
-other groups. The groups can be configured via the web interface to achieve a
-wide variety of access control policies. See the documentation section on
-'Groups And Group Controls' for details.
-
-
-User Wildcard Matching
-----------------------
-
-Sites can now enable the use of wildcards and substrings in bug entry and
-editing forms. If the user enters an incomplete username, he'll get a list of
-users that matched the given username.
-
-
-Support for "Insiders"
-----------------------
-
-If the 'insidergroup' parameter is defined, a specific group of users can be
-designated insiders who can designate comments and attachments as private to
-other insiders. These comments and attachments will be invisible to other
-users who are not members of the insiders group even if the bugs to which they
-apply are visible. Other insiders will see the comments and attachments with a
-visual tinting indicating that they are private.
-
-
-Time Tracking
--------------
-
-Controls for tracking time spent fixing bugs are included in the bug form for
-members of the group specified by the 'timetrackinggroup' parameter. Any time
-comments are added to the bug, members of the time tracking group can add an
-amount of time they spent, and it's figured into the total and displayed at
-the top of the bug. Shown in the bug are your original estimate, the amount of
-time spent so far, the revised estimate of how much time is remaining, and
-your gain/loss on the original estimate.
-
-
-Authentication module/LDAP improvements
----------------------------------------
-
-Bugzilla's authentication mechanisms have been modularized, making pluggable
-authentication schemes for Bugzilla a reality. Both the existing database and
-LDAP systems were ported as part of modularization process. Additionally, the
-CGI portion of the backend was redesigned to allow for authentication from
-other sources, including (theoretically) email, which will help Bug 94850.
-
-As part of this conversion, LDAP logins now use Perl's standard Net::LDAP
-module, which has no external library dependencies.
-
-
-Improved localization support
------------------------------
-
-Bugzilla administrators can now configure which languages are supported by
-their installations and automatically serve correct, localized content to
-users based on the HTTP 'Accept-Language' header sent from users' browsers.
-
-There are currently localized templates available for: Arabic, Belarusian,
-Chinese, French, German, Italian, Korean, Portuguese (Brazil) Spanish (Spain
-or Mexico) and Russian. These localized template packs are third-party
-contributions, may only be available for specific versions, and may not be
-supported in the future. (http://www.bugzilla.org/download/#localizations)
-
-
-Patch Viewer
-------------
-
-Viewing and reviewing patches in Bugzilla is often difficult due to lack of
-context, improper format and the inherent readability issues that raw patches
-present. Patch Viewer is an enhancement to Bugzilla designed to fix that by
-offering increased context, linking to sections, and integrating with Bonsai,
-LXR and CVS.
-
-
-Comment Reply Links
--------------------
-
-In Edit Bug, each bug comment now includes a convenient (reply) link that
-quotes the comment text into the textarea. This feature is only enabled in
-Javascript-capable browsers, but causes no inconvenience to other user agents.
-
-
-Full-Text Search
-----------------
-
-It is now possible to query the Bugzilla database using full-text searching,
-which spans comments and summaries, and which searches for substrings and stem
-variations of the search term. Basically, it's like using Google.
-
-
-Email Address Munging
----------------------
-
-The fact that raw email addresses are displayed in Bugzilla makes it trivial
-for bots that spamharvest to spider through Bugzilla, in particular, through
-Bugzilla's buglists. This change adds HTML obfuscation of email addresses as
-they appear in the Bugzilla web pages.
-
-
-Generic Charting
-----------------
-
-Bugzilla's new charting feature allows you to display flexible summary charts,
-based on configurable data sets (bug 16009).
-
-
-Miscellaneous Improvements
---------------------------
-
-- The "Assigned To" field on the new bug page is now prefilled with the default
- component owner.
-
-- A bug alias column is now available in the buglist page.
-
-- Lists of bugs containing errors in the sanity check page now have a "view as
- buglist" link in addition to the individual bug links.
-
-- Autolinkification Page - It's now possible to apply Bugzilla's comment
- hyperlinking algorithm to any text you like. This should be useful for status
- updates and other web pages which give lists of bugs. The bug links created
- include the subject, status and resolution of the bug as a tooltip.
-
-- There are more <link> tags on the links toolbar for navigating quickly between
- different areas.
-
-- Buglists are now available as comma-separated value files (CSV) and JavaScript
- (JS) as well as HTML and RDF.
-
-- Keywords and dependencies can now be entered during initial bug entry.
-
-- A CSS id signature unique to each Bugzilla installation is now added to the
- <body> tag on Bugzilla pages to allow custom end-user CSS to explicitly affect
- Bugzilla.
-
-- Perl's path has been changed to a normal /usr/bin/perl from the original
- legacy "bonsaitools" path specifier.
-
-- A new "always-require-login" parameter allows administrators to require a
- login before being able to view any page, except the front page.
-
-- A developer may add an attachment, and also reassign a bug to himself as part
- of that single action.
-
-- Bugzilla is now able to use the replication facilities provided by the
- MySQL database to handle updates from the main database to the secondaries.
-
-- Mail handling is now between 125% to 175% faster.
-
-
-Code Changes Which May Affect Customizations
+********************************************
+*** USERS UPGRADING FROM 2.14 OR EARLIER ***
********************************************
-- A mechanism (called "Template Hooks") for third party extensions to plug into
- existing templates without having to patch or replace distributed templates
- has been added. More information on this can be found in the documentation.
+The 2.14.1 release fixes several security issues that became
+known to us after the Bugzilla 2.14 release.
-- Header output now uses CGI.pm, in a step towards enabling mod_perl
- compatibility. This change will affect users that had customized charsets in
- their CGI files: previously the charset had to be added everywhere that
- printed the Content-Type header; now it only needs changing in one spot, in
- Bugzilla/CGI.pm.
+*** SECURITY ISSUES RESOLVED ***
-- $::FORM{} and $::COOKIE{} are deprecated. Use the $cgi methods to access
- them.
+- If LDAP Authentication was being used, Bugzilla would allow
+ you to log in as anyone if you left the password blank.
+ (bug 54901)
-- $::userid is gone in favor of Bugzilla->user->id
+- It was possible to add comments or file a bug as someone else
+ by editing the HTML on the appropriate submission page before
+ submitting the form. User identity is checked now, and the
+ form values suggesting the user are now ignored.
+ (bug 108385, 108516)
-- ConnectToDatabase() is gone (it's done automatically when you initialize the
- Bugzilla object)
+- The Product popup menu on the show_bug form listed all
+ products, even if the user didn't have access to all of them.
+ It now only shows products the user has access to (and the
+ product the bug is in, if the user is viewing it because of
+ some other override).
+ (bug 102141)
-- quietly_check_login() and confirm_login() are gone, use Bugzilla->login()
- with parameters for whether the login is required or not.
+- If a user had any blessgroupset privileges (the ability to
+ change only specific privileges for other users), it was
+ possible to change your own groupset (privileges) by
+ altering the page HTML before submitting on editusers.cgi.
+ (bug 108821)
-- Use Bugzilla->user->login in place of $::COOKIE{Bugzilla_login}
+- An untrusted variable was echoed back to user in the HTML
+ output if there was a login error while editing votes.
+ (bug 98146)
-- You can tell if there's a user logged in or not by checking if
- Bugzilla->user exists rather than looking for $::userid==0
+- buglist.cgi had an undocumented parameter that allowed you
+ to pass arbitrary SQL for the "WHERE" part of a query.
+ This has been disabled. (bug 108812)
+- It was possible for a user to send arbitrary SQL by inserting
+ single quotes in the "mybugslink" field in the user
+ preferences. (bug 108822)
-Recommended Practice for the Upgrade
-************************************
+- buglist.cgi was not validating that the field names being
+ passed from the "boolean chart" query form were valid field
+ names, thus allowing arbitrary SQL to be inserted if you
+ edited the HTML by hand before submitting the form.
+ (bug 109679)
-As always, please ensure you have run checksetup.pl after replacing the
-files in your installation.
+- long_list.cgi was not validating that the bug ID parameter
+ was actually a number, allowing arbitrary SQL to be inserted
+ if you edited the HTML by hand. (bug 109690)
-It is recommended that you view the sanity check page (sanitycheck.cgi) both
-before the upgrade and after running checksetup.pl after the upgrade, to see
-if there are any problems with your installation.
+********************************************
+*** USERS UPGRADING FROM 2.12 OR EARLIER ***
+********************************************
-It is also recommended that, if possible, you fix any problems you find
-immediately. Failure to do this may mean that Bugzilla will not work correctly.
-Be aware that if the sanity check page contains more errors after an upgrade,
-it doesn't necessarily mean there are more errors in your database, as
-additional tests are added to the sanity check over time, and it is possible
-that those errors weren't being checked for in the old version.
+*** IMPORTANT CHANGES ***
+
+- Bugzilla 2.14 no longer supports old email tech. Upon
+ upgrading, all users will be moved over to new email tech.
+ This should speed up upgrading for installations with
+ a large number of bugs.
+ (bug 71552)
+
+- There is new functionality for people to see why they are
+ receiving notification mails.
+
+ Previously, some people filtered old email tech
+ notifications depending on whether they were in the To or the
+ CC header, in order to get a limited way of determining why
+ they were receiving the notification for filtering purposes.
+
+ Existing installations will need to make changes to support
+ this feature. The receive reasons can be added to the
+ notifications as a header and/or in the body. To add these
+ you will need to modify your newchangedmail parameter on
+ editparams.cgi, either by resetting it or appropriately
+ modifying it. The header value is specified by
+ %reasonsheader% and the body by %reasonsbody%. For example,
+ the new default parameter is:
+
+ --------------------------------------------------
+ From: bugzilla-daemon
+ To: %to%
+ Subject: [Bug %bugid%] %neworchanged%%summary%
+ X-Bugzilla-Reason: %reasonsheader%
+
+ %urlbase%show_bug.cgi?id=%bugid%
+
+ %diffs%
+
+
+
+ %reasonsbody%
+ --------------------------------------------------
+
+ (bug 26194)
+
+- Very long fields (especially multi-valued fields like keywords,
+ CCs, dependencies) on bug activity and notifications previously
+ could get truncated, resulting in useless notifications and data
+ loss on bug activity. Now the multi-valued fields only show
+ changes, and very big changes are split into multiple lines.
+ Where data loss has already occurred on bug activity, it is
+ indicated using question marks.
+ (bug 55161, 92266)
+
+- Previously, when a product's voting preferences changed all
+ votes were removed from all the bugs in the product. Also,
+ when a bug was moved to another product, all of its votes
+ were removed. This no longer occurs.
+
+ Instead, if the action would leave one or more bugs with
+ greater than the maximum number of votes per person per bug,
+ the number of votes will be reduced to the maximum. The
+ person will still be notified of this as before.
+
+ If the action would leave a user with more votes in a product
+ than is allowed, the limit will be breached so as to not lose
+ votes. However the user will not be able to update their
+ votes except to fix this situation. No further action is taken
+ in this version to make sure that the user does this.
+ (bug 28882, 92593)
+
+*** SECURITY ISSUES RESOLVED ***
+
+- Multiple instances of unauthorised access to confidential
+ bugs has been fixed.
+ (bug 39524, 39526, 39527, 39531, 39533, 70189, 82781)
+- Multiple instances of untrusted parameters not being
+ checked/escaped was fixed. These included definite security
+ holes.
+ (bug 38854, 38855, 38859, 39536, 87701, 95235)
+- After logging in passwords no longer appear in the URL.
+ (bug 15980)
+- Procedures to prevent unauthorised access to confidential
+ files are now simpler. In particular the shadow directory
+ no longer exists and the data/comments file no longer needs
+ to be directly accessible, so the entire data directory can
+ be blocked. However, no changes are required here if you
+ have a properly secured 2.12 installation as no new files
+ must be protected.
+ (bug 71552, 73191)
+- If they do not already exist, checksetup.pl will attempt to
+ write Apache .htaccess files by default, to prevent
+ unauthorised access to confidential files. You can turn this
+ off in the localconfig file.
+ (bug 76154)
+- Sanity check can now only be run by people in the 'editbugs'
+ group. Although it would be better to have a separate
+ group, this is not possible until the limitation on the
+ number of groups allowed has been removed.
+ (bug 54556)
+- The password is no longer stored in plaintext form. It will
+ be eradicated next time you run checksetup.pl. A user must
+ now change their password via a password change request that
+ gets validated at their e-mail account, rather than have it
+ mailed to them.
+ (bug 74032)
+- When you are using product groups and you move a bug between
+ products (single or mass change), the bug will no longer be
+ restricted to the old product's group (if it was) and will
+ be restricted to the new product's group.
+ (bug 66235)
+- There are now options on a bug to choose whether the
+ reporter, and CCs can access a bug even if they aren't in
+ groups the bug it is restricted to.
+ (bug 39816)
+- You can no longer mark a bug as a duplicate of a bug you
+ can't see, and if you mark a bug a duplicate of a bug
+ the reporter cannot see you will be given options as to
+ what to do regarding adding the reporter of the resolved
+ bug to the CC of the open bug.
+ (bug 96085)
+
+*** Other changes of note ***
+
+- Groups can now be marked inactive, so you can't add a new
+ restriction on that group to a bug, while leaving bugs that
+ were previously restricted on that group alone.
+ (bug 75482)
+- backdoor.cgi has been removed from the installation. It was
+ old code that was Netscape-specific and its name was scaring
+ people.
+ (bug 87983)
+- You can now add or remove from CC on the bulk change page.
+ (bug 12819)
+- New users created by administrators are now automatically
+ inserted into groups according to the group's regular
+ expression. Administrators must edit the user in a second
+ step to override these choices. Previously the
+ administrator specified these explicitly which could lead
+ to incorrect settings.
+ (bug 45164)
+- The userregexp of system groups can now be edited without
+ resorting to direct database access.
+ (bug 65290)
+
+
+*** Bug fixes of note ***
+
+- The bug list page was sometimes bringing up a not logged in
+ footer when the user was logged in and the installation was
+ using a shadow database.
+ (bug 47914)
+- You can now view the bug summary in your browser title for
+ a group-restricted bug if you have proper permissions.
+ (bug 71767)
+- Quick search for search terms did not work in IE5.
+ This has been worked around.
+ (bug 77699)
+- Quick search for search terms crashed NN4.76/4.77 for Unix.
+ This has been worked around.
+ (bug 83619)
+- Queries on bugs you have commented on using the "added
+ comment" feature should be a lot faster and not time out
+ on large installations due to the addition of an index.
+ (bug 57350)
+- You can now alter group settings on bulk change for groups
+ that aren't on for all bugs or off for all bugs.
+ (bug 84714)
+- New bug notifications now include the CC and QA fields.
+ (bug 28458)
+- Bugzilla is now more Windows friendly, although it is still
+ not an official platform.
+ (bug 88179, 29064)
+- Passwords are now encrypted using Perl's encrypt function.
+ This makes Bugzilla more portable to more operating systems.
+ (bug 77473)
+- Bugzilla didn't properly shut down when told to - some
+ queries could still be sent to the database.
+ (bug 95082)
-As previously noted in the Dependency Requirements MySQL is now required to be
-at least version 3.23.41. This implies that all tables of type ISAM will be
-converted by the checksetup.pl script to MyISAM. As with any upgrade it is
-recommended to make a backup of the database, perhaps by using mysqldump.
+********************************************
+*** USERS UPGRADING FROM 2.10 OR EARLIER ***
+********************************************
-Example:
+*** IMPORTANT CHANGES ***
+
+- There is now a facility for users to choose the sort of
+ notifications they wish to receive. This facility will
+ probably be improved in future versions.
+ (bug 17464)
+
+- "Changed" will no longer appear on the subject line of
+ change notification emails. Because of this, you should
+ change the subject line in your 'changedmail' and
+ 'newchangedmail' params on editparams.cgi. The subject
+ line needs to be changed from
+
+ Subject: [Bug %bugid%] %neworchanged% - %summary%
+
+ to
+
+ Subject: [Bug %bugid%] %neworchanged%%summary%
+
+ or whatever is appropriate for the subject you are using
+ on your system. Note the removal of the " - " in the
+ middle.
+ (bug 29820)
+
+- Some security holes have been fixed where shell escape characters
+ could be passed to Bugzilla, allowing remote users to execute
+ system commands on the web server.
+
+*** Other changes of note ***
+
+- Bug titles now appear in the page title, and will hence
+ display in the user's browser's bookmarks and history.
+ (bug 22041)
+- Edit groups functionality (editgroups.cgi).
+ (bug 25010)
+- Support for moving bugs to other Bugzilla databases.
+ (bug 36133)
+- Bugzilla now can generate a frequently reported bugs list
+ based on what duplicates you receive.
+ (bug 25693)
+- When installing Bugzilla fresh, the administrator account is
+ now created in checksetup.pl.
+ (bug 17773)
+- Stored queries now show their name above the bug list, which
+ helps the user when they have multiple bug lists in multiple
+ browser windows. It also appears in the page title, and will
+ hence display in the user's browser's bookmarks and history.
+ (bug 52228)
+- All states and resolutions can now be collected for charting.
+ (bug 6682)
+- A new search-engine-like "quick search" feature appears on
+ the front page to try and making searching easier.
+ (bug 69793)
+- Querying on dependencies now works in the advanced query
+ section of the query page.
+ (bug 30823)
+- When a bug is marked as a duplicate, the reporter of the
+ resolved bug is automatically added to the CC list of the
+ open bug.
+ (bug 28676)
+
+
+*** Bug fixes of note ***
+
+- Notification emails will now always be sent to QA contacts.
+ Previously they wouldn't if you were using new email tech.
+ (bug 30826)
+- When marking a bug as a duplicate, the duplicate stamp marked
+ on the open bug will no longer be written too early (such as
+ on mid-air collisions).
+ (bug 7873)
+- Various bug fixes were made to the initial assignee and QA
+ of a component. It is no longer possible to enter an
+ invalid address. They will also now properly update when
+ a user's email address is changed. Sanity check will now
+ check these.
+ (bug 66876)
+- Administrators can no longer create an email accounts that do
+ not match the global email regular expression parameter.
+ Previously this could occur and would cause sanity check
+ errors.
+ (bug 32971)
+- The resolution field can no longer become empty when the
+ bug is resolved. This occurred because of midair collisions.
+ (bug 49306)
+
+
+*******************************************
+*** USERS UPGRADING FROM 2.8 OR EARLIER ***
+*******************************************
+
+Release notes were not compiled for versions of Bugzilla before
+2.12.
+
+The file 'UPGRADING-pre-2.8' contains instructions you may
+need to perform in addition to running 'checksetup.pl' if you
+are running a pre 2.8 version.
- mysqldump -u root -p --databases bugs > bugs.db.backup
projects / thirdparty / bugzilla.git / commitdiff
