***************************************
-*** The Bugzilla 2.20 Release Notes ***
+*** The Bugzilla 2.18 Release Notes ***
***************************************
-Table of Contents
-*****************
-
-- Introduction
-- Minimum Requirements
- * Perl
- * For MySQL Users
- * For PostgreSQL Users
- * Required Perl Modules
- * Optional Perl Modules
-- What's New?
- * Experimental PostgreSQL Support
- * New User-Interface Color/Style
- * Higher-Level Categorization of Bugs (above "Product")
- * Regular Reports by Email of Complex Queries ("Whining")
- * "Environment Variable" Authentication Method
- * User-List Drop-Down Menus
- * Server-Side Comment Wrapping
- * UI for Editing Priority, OS, Platform, and Severity
- * Bugzilla Queries as RSS
- * Choice of E-Mail Sending Methods
- * "User Preferences"
- * "Large Attachment" Storage
- * Miscellaneous Improvements
- * All Changes
-- Deprecated Features
-- Outstanding Issues (<======================== IMPORTANT, PLEASE READ)
-- How to Upgrade From An Older Bugzilla
- * Steps for Upgrading
-- Code Changes Which May Affect Customizations
- * The New Database-Compatibility Layer
- * If You Customize Your Database...
- * Many Functions Renamed
- * User Preferences
- * Other Changes
-- Security Fixes In 2.20 Releases
-- Release Notes for Previous Versions
-
-
Introduction
************
-This document contains the release notes for Bugzilla 2.20.
-In this document, recently added, changed, and removed features
-of Bugzilla are described. If you are upgrading from an older version,
-you will definitely want to read these release notes in detail, so that
-you have an idea of what has changed.
-
-If you are upgrading from a version before 2.18, also read the 2.18 release
-notes (lower in this file) and any previous release notes.
-
-If you are installing a new Bugzilla, you will still want to look over
-the release notes to see if there is any particularly important information
-that affects your installation.
-
-The 2.20 release is our current stable series. It has had about nine
-months of development since 2.18, but they were nearly the most active
-nine months in Bugzilla's history. We hope that users will appreciate
-our many external changes, and that Bugzilla administators will find
-that our internal changes make their lives easier.
-
-If you would like to contribute code to Bugzilla, read our
-Contributor's Guide at:
-
-http://www.bugzilla.org/docs/contributor.html
-
-
-Minimum Requirements
-********************
-
-Perl
-----
-
- Perl v5.6.1 (changed from 2.18) (Non-Windows platforms)
- ActiveState Perl v5.8.1 (Windows only)
-
-For MySQL Users
----------------
-
- MySQL v3.23.41 (Note: 2.22 will require MySQL 4.x)
- perl module: DBD::mysql v2.9003 (changed from 2.18)
-
-For PostgreSQL Users (new in 2.20)
---------------------
-
- PostgreSQL 7.3.x (8.x has not been tested, but may work)
- perl module: DBD::Pg 1.31
-
-Required Perl Modules
----------------------
-
- AppConfig v1.52
- CGI v2.93
- Data::Dumper (any)
- Date::Format v2.21
- DBI v1.38 (changed from 2.18)
- File::Spec v0.84 (changed from 2.18)
- File::Temp (any)
- Template Toolkit v2.08
- Text::Wrap v2001.0131
- Mail::Mailer 1.65 (new in 2.20)
- Storable (any) (new in 2.20)
-
-Optional Perl Modules
----------------------
-
- Chart::Base v1.0
- GD v1.20
- GD::Graph (any)
- GD::Text::Align (any)
- Net::LDAP (any)
- PatchReader v0.9.4
- XML::Parser (any)
-
-
-What's New?
-***********
-
-Experimental PostgreSQL Support
--------------------------------
-
-In addition to MySQL, Bugzilla now also supports PostgreSQL. PostgreSQL
-support is still somewhat experimental. Although most major features of
-Bugzilla work on PostgreSQL in 2.20, there are probably still a few bugs
-that need to be worked out.
-
-PostgreSQL support in 2.20 is acceptable for smaller production
-environments that don't mind running into a bug or two now and then.
-
-
-New User-Interface Color/Style
-------------------------------
-
-You'll notice that Bugzilla looks a bit nicer, now! We've made a few
-color and style changes to update the overall "feel" of Bugzilla's
-User Inteface. We plan to do even more work on the UI for 2.22.
-
-
-Higher-Level Categorization of Bugs (above "Product")
------------------------------------------------------
-
-Previous Bugzillas had "Products" that you could file bugs in,
-and "Components" for those products. Now, "Products" can be grouped
-into "Classifications."
-
-To enable this, a Bugzilla administrator can turn on the
-"useclassification" parameter, using editparams.cgi.
-
-
-Regular Reports by Email of Complex Queries ("Whining")
--------------------------------------------------------
-
-You can now tell Bugzilla to do a specific query (or set of queries)
-every X minutes/hours/days, and send you the results by email. This is
-great for keeping track on a daily basis of what's going on in
-your Bugzilla.
-
-
-"Environment Variable" Authentication Method
---------------------------------------------
-
-You can now tell Bugzilla to accept a certain value passed in from
-Apache as authentication for Bugzilla users. This means that Bugzilla
-now "supports" any type of authentication that Apache supports.
-
-To use this, FIXME ----- EXPLAIN THIS BEFORE 2.20 RELEASE ----- FIXME
-
-
-User-List Drop-Down Menus
--------------------------
-
-Now, anywhere in Bugzilla where you previously had to type in an
-email address by hand, you have the choice of having Bugzilla instead
-display a drop-down menu of users to pick from.
-
-This feature is best for small installations with few users, because
-on large installations the list grows too large to be useful.
-
-To enable the feature, turn on the "usemenuforusers" parameter in
-editparams.cgi.
-
-
-Server-Side Comment Wrapping
-----------------------------
-
-In older Bugzillas, comments were wrapped to 80 characters by the
-user's web browser, and then stored in the database that way. This caused
-problems because some browsers did not wrap comments properly.
-
-Now, Bugzilla stores comments unwrapped and wraps them at display time, so
-all new comments should be properly wrapped. Also, when you upgrade, Bugzilla
-will look for old "mis-wrapped" comments and attempt to wrap them properly.
-
-Lines beginning with the ">" character are assumed to be quotes, and are
-*not* wrapped.
-
-
-UI for Editing Priority, OS, Platform, and Severity
----------------------------------------------------
-
-Bugzilla now has a User Interface for adding and removing values
-from the OS, Platform, Priority, and Severity fields. You can also
-rename values. Any user in the "editcomponents" group can click
-on the "Field Values" link in their page footer to edit these fields.
-
-Also, the default list of choices for OS and Platform for new
-installations is now much smaller. Old installations will keep
-the same list they have now.
-
-
-Bugzilla Queries as RSS
------------------------
-
-You can now view a Bugzilla query as valid RSS 1.0. This means that you
-could add a particular query to your RSS aggregator, if you wanted, to
-keep track of changes in Bugzilla.
-
-To see a query as RSS, just click on the "RSS" link on the bottom of
-your query results. Your query must return at least 1 result in order
-for you to see the link.
-
-
-Choice of E-Mail Sending Methods
---------------------------------
-
-Bugzilla now uses perl's Mail::Mailer to send e-mail. This means that
-you have several choices of how Bugzilla can send email. By default, it
-still uses sendmail, but it can also use SMTP, qmail, or send all email
-to a file instead of out to users.
-
-A Bugzilla administrator can change which method is used by setting the
-"mail_delivery_method" parameter in editparams.cgi.
-
-
-"User Preferences"
-------------------
-
-Bugzilla users will now notice a section in their Preferences called
-"General Preferences." Administrators will notice a new link called
-"User Preferences."
-
-The Preferences system allows Bugzilla developers to specify arbitrary
-"user preferences" that change the behavior of certain parts of Bugzilla.
-Administrators can control whether or not users are allowed to use these
-preferences, and what the default settings are for a user who is not
-logged in.
-
-The first two preferences that we have implemented are:
- + "Show a quip at the top of each bug list"
- + "When viewing a bug, show comments in this order..."
-
-We plan to implement more preferences in the future.
-
-
-"Large Attachment" Storage
---------------------------
-
-Bugzilla can now store very large attachments on disk instead of in the
-database. These attachments can't be searched with Boolean Charts, but
-they also don't take up database space, and they can be deleted individually
-by the admin.
-
-When uploading an attachment, a user chooses if it's a "Big File." If so,
-it's stored on the disk instead of in the database.
-
-To enable this feature, set the "maxlocalattachmentsize" parameter to
-a non-zero value, in editparams.cgi.
-
-
-Miscellaneous Improvements
---------------------------
-
-- Marking an attachment as obsolete will now cancel all pending flag
- requests for that attachment. That is, any flag that was set to "?"
- on that attachment will be cleared.
-
-- You can now see which users are "watching" you, on the email
- preferences page.
-
-- You can tell Bugzilla to mark certain comments in a different
- color by adding "&mark=1,2,3,5-7" to the end of the show_bug.cgi URL,
- where "1,2,3,5-7" means "highlight comment 1, comment 2, comment 3, and
- comments 5 through 7."
-
-- "QA Contact" now also appears on the New Bug page, if QA Contacts are
- enabled on your installation.
-
-- Bugzilla email now has the "In-Reply-To" header added to it, so if
- you use an email client that supports threads, you can view your
- Bugzilla email in threads. If you are upgrading to a new version of
- Bugzilla, and you want this support, please see the instructions at:
- https://bugzilla.mozilla.org/attachment.cgi?id=172267
-
-- The email preferences system has been slightly updated. You will notice
- the changes on your Email Preferences page.
-
-- You can now negate individual "boolean charts" (in the
- "Advanced Searching" section at the bottom of the "Advanced
- Search" page). That is, you can add "NOT" to the front of them.
-
-- You can add the words %assignee%, %reporter%, %user% (yourself), or
- %qacontact% on the right-hand side of a Boolean Chart. For example, you
- could make a Boolean Chart which said "Reporter" "does not equal"
- "%assignee%". That would give you all bugs where the Reporter was not
- the same as the Assignee.
-
-- You can now search Boolean Charts by "commenter."
-
-- If you have a group with no name, it will be re-named to "group_#" where
- "#" is the numeric Bugzilla Group ID for that group.
-
-- If you are using time-tracking, you can now see a report of time spent
- on bugs using summarize_time.cgi.
-
-- If you are using time-tracking, bugzilla will now set "hours remaining"
- to "0" automatically if you RESOLVE a bug, whether you are in the
- time-tracking group or not.
-
-
-Deprecated Features
-*******************
-
-- Bugzilla 2.20 is the last Bugzilla version to support MySQL 3.23.x.
- Starting with Bugzilla 2.22, Bugzilla will require MySQL 4.0.x. This will
- allow Bugzilla to take advantage of the advanced features of MySQL 4.
-
-
-Outstanding Issues
-******************
-
-- (No Bug Number) VERY IMPORTANT: If you have customized the values in
- your Status/Resolution field, you must edit checksetup.pl BEFORE YOU
- RUN IT. Find the line that starts like this:
-
- my @states = ("UNCONFIRMED",
-
- That's where you set the values for the Status field.
-
- my @resolutions = ("","FIXED",
-
- And that's where you set values for the Resolution field.
-
- Those are both near line 1786 in checksetup.pl.
-
- If you forget to do this, you will have to manually edit the "bug_status"
- and "resolution" tables in the database to contain the correct values.
-
-- bug 37765: VERY IMPORTANT: If you use the "sendmail" support of Bugzilla,
- and you use an MTA which is *not* Sendmail (such as Postfix, Exim, etc.)
- you MUST turn on the "sendmailnow" parameter or Bugzilla will not send
- e-mail correctly.
-
-- (No Bug Number) If you close your web browser while the process_bug.cgi
- or post_bug.cgi screen is running, not all emails will be sent, and
- the next time that that bug is updated, there will be two updates. This
- is because of a behavior of Apache that is beyond our control.
-
-- bug 276230: The support for restricting access to particular Categories of
- New Charts is not complete. You should treat the 'chartgroup' Param as the
- only access mechanism available. However, additionally, charts migrated from
- Old Charts will be restricted to the groups that are marked MANDATORY for
- the corresponding Product. There is currently no way to change this
- restriction, and the groupings will not be updated if the group configuration
- for the Product changes.
-
-- bug 69621: If you rename or remove a keyword that is in use on bugs, you will
- need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing
- the option to rebuild the cache when it asks. Otherwise keywords may not show
- up properly in search results.
-
-- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for
- example, if you use a translation of Bugzilla), don't enable the XS::Stash
- option when you install the Template Toolkit, or your Bugzilla installation
- may become slow. This problem is fixed in a not-yet-released version of the
- Template Toolkit (after 2.14).
-
-- If at any time you upgraded from a version of Bugzilla between 2.17.4 -
- 2.17.7 to either 2.18rc3 or 2.19.1, you must manually fix your New Charts in
- order for them to work. See the following link for instructions on how to do
- this: https://bugzilla.mozilla.org/show_bug.cgi?id=276237#c18
- If you are using 2.18rc3, but did not upgrade from version 2.17.4 or newer,
- then you don't need to do this.
-
-- (No Bug Number) If your DBI is really, really old, Bugzilla might fail
- with a strange error message when you try to run checksetup.pl. Try
- upgrading your DBI using: perl -MCPAN -e'install DBI'
-
-- Bug 298659: LDAP support may be broken on Windows.
-
-- Bug 126266: Bugzilla does not use UTF-8 to display pages. This means
- that if you enter non-ASCII characters into Bugzilla, they may
- display strangely, or Bugzilla may have other problems. For a workaround,
- see: http://www.bugzilla.org/docs/tip/html/security-bugzilla.html
-
-- Bug 99215: Flags are not protected by "mid-air collision" detection.
- Nor are any attachment changes.
-
-- Bug 89822: When changing multiple bugs at the same time, there is no
- "mid-air collision" protection.
-
-- Bug 285614: importxml.pl may be broken in many different ways.
-
-
-Upgrading From An Older Bugzilla
-************************************
-
-NOTE: Running checksetup.pl to upgrade a large installation (over 10,000 bugs)
- may take a significant amount of time. checksetup will try to let
- you know how long it will take, but expect downtime of an hour or
- more if you have many bugs, many attachments, or many users.
-
-Steps for Upgrading
--------------------
-
-1) View the Sanity Check (sanitycheck.cgi) page on your installation before
- upgrading. Attempt to fix all warnings that the page produces before
- you go any further, or you may experience problems during your upgrade.
-
-2) Make a backup of the Bugzilla database before you upgrade, perhaps
- by using mysqldump.
-
- Example:
-
- mysqldump -u root -p --databases bugs > bugs.db.backup
-
-3) Replace the files in your installation with the new version of Bugzilla,
- or you can try to use CVS to upgrade. The Bugzilla.org website has
- instructions on how to do the actual installation.
-
-4) Make sure that you run checksetup.pl after you install the new version.
-
-5) View the Sanity Check page again after you run checksetup.pl.
-
-6) It is recommended that, if possible, you fix any problems you find
- immediately. Failure to do this may mean that Bugzilla will not work
- correctly. Be aware that if the sanity check page contains more errors after
- an upgrade, it doesn't necessarily mean there are more errors in your
- database, as additional tests are added to the sanity check over time, and
- it is possible that those errors weren't being checked for in the old
- version.
-
-7) If you want threading support on your Bugzilla email (see the
- "Miscellaneous Improvements" section above for a description),
- you need to follow the instructions at:
- https://bugzilla.mozilla.org/attachment.cgi?id=172267
-
-
-Code Changes Which May Affect Customizations
-********************************************
-
-The New Database-Compatibility Layer
-------------------------------------
-
-For most customizations, this should have no effect. However, you should
-be aware that Bugzilla->dbh is now an instance of "Bugzilla::DB" instead
-of being a DBI object directly. In fact, it's actually a
-Bugzilla::DB::Mysql for MySQL users, and a Bugzilla::DB::Pg for
-PostgreSQL users.
-
-Anything called from $dbh (like $dbh->bz_last_key) that starts with
-"bz_" or "sql_" is a custom Bugzilla function. Anything *not* starting
-with those two prefixes is a normal DBI function.
-
-Methods whose names start with "sql_" generate a piece of a SQL statement.
-They generate the correct version of the statement for whichever database
-you are using.
-
-Methods whose names start with "bz_" do something directly.
-
-You can see more documentation about this at:
+This document contains the release notes for Bugzilla 2.18. In this document
+recently added, changed, and removed features of Bugzilla are described.
-http://www.bugzilla.org/docs/2.20/pod/Bugzilla/DB.pm
+The 2.18 release is the first in a new stable series, containing the results
+of over two years of hard and dedicated work by volunteers all over the world
+under the lead of Dave Miller.
+This is a preliminary document detailing how we expect things to be in the
+final 2.18 release. The contents of this document are subject to change up
+until the final release. Please file bugs in Bugzilla for any additions or
+corrections needed in this document.
-If You Customize Your Database...
----------------------------------
-
-In order to support multiple databases, we had to do something sort of
-tricky. Bugzilla now stores what it *thinks* the current database schema
-is, in a table called bz_schema.
-
-This means that when checksetup changes the database, it updates the
-bz_schema table. When *you* update the database, without using
-checksetup to do it, the bz_schema table is *not* updated.
-
-So, if you're going to add/remove a new column/table to Bugzilla, or if you're
-going to change the definition of a column, try to do it by adding code to
-checksetup in the correct place. (It's one of the places where you find
-the word "--TABLE--".)
-
-You can see the documentation on the $dbh functions used to do this at:
-
-http://www.bugzilla.org/docs/2.20/pod/Bugzilla/DB.pm#schema_modification_methods
-
-
-Many Functions Renamed
-----------------------
-
-We are reorganizing the Bugzilla code so that it can support mod_perl. As
-part of this, we are moving all functions out of globals.pl and CGI.pl, and
-into modules in the Bugzilla/ directory.
-
-Sometimes when we moved them, we also renamed them. The new Bugzilla standard
-is to have functions_named_like_this, instead of FunctionsNamedLikeThis.
-
-So if you were using a FunctionNamedLikeThis that no longer works, try just
-using it as function_named_like_this. If that doesn't work, you may have to
-search for where we put it, and what we renamed it to. Most of the functions
-moved to logical places.
-
-If you really can't find it, search bugzilla.mozilla.org using the name
-of the old function. We usually moved one function per bug, so the new
-name will be somewhere in a bug report.
-
-
-User Preferences
-----------------
-
-Bugzilla now has a "User Preferences" system! These preferences are stored
-in the database, and specified by a Bugzilla developer. The Bugzilla
-developers actually call these "settings," but we called them "User
-Preferences" in the UI to make things clearer.
-
-You access a user's settings differently depending on if you are in a
-.cgi file or in a template file:
-
-CGI: Bugzilla->user->settings->{'setting_name'}->value
-Template: Bugzilla.user.settings.setting_name.value
-
-Where "setting_name" is the name of the setting. You can see the current
-setting names in the "setting" table in the database.
-
-Remember that sometimes you may want to check a user's settings when
-making a customization.
-
-To see how to add new settings, search for "add_setting" in checksetup.pl.
-Also see the template: template/en/default/global/setting-descs.none.tmpl.
-
-Other Changes
--------------
-
-- The $::unconfirmedstate variable has been replaced by the actual string
- "UNCONFIRMED" everywhere in Bugzilla code.
-
-- The %::FORM and %::MFORM variables are no longer used to access form
- data. Instead, use $cgi->param(). There are many examples of how to do
- this, all over the Bugzilla code.
-
-- SendSQL() and related calls are deprecated, and the various $dbh methods
- should be used instead, such as $dbh->prepare() and $dbh->execute().
- Bugzilla->dbh is the $dbh handle to use. We expect SendSQL to completely
- disappear by 2.22. For more information on how to use the $dbh methods,
- see: http://search.cpan.org/dist/DBI/DBI.pm
-
-
-Release Notes for Previous Versions
-***********************************
-
-*****************************************
-*** The Bugzilla 2.18.x Release Notes ***
-*****************************************
-
-Table of Contents
-*****************
-
-- Introduction
-- Important Updates In This Point Release
- * Version 2.18.1
- * Version 2.18.2
-- Requirements
- * Dependency Requirements
-- What's New?
- * Generic Reporting
- * Generic Charting
- * Request System
- * Enterprise Group Support
- * User Wildcard Matching
- * Support for "Insiders"
- * Time Tracking
- * Authentication module/LDAP improvements
- * Improved localization support
- * Patch Viewer
- * Comment Reply Links
- * Full-Text Search
- * Email Address Munging
- * Simple Search
- * Miscellaneous Improvements
- * All Changes
-- What's Changed?
- * Flag Names
- * New Saved Search User Interface
- * Rules for changing fields
-- Removed Features
-- Code Changes Which May Affect Customizations
-- Recommended Practice for the Upgrade
- * Note About Upgrading From MySQL With ISAM Tables
- * Steps for Upgrading
-- Outstanding Issues (<======================== IMPORTANT, PLEASE READ)
-- Security Fixes In 2.18 Releases
-- Detailed Version-To-Version Release Notes
-
-
-Introduction
-************
-
-This document contains the release notes for Bugzilla 2.18 and
-the bugfix releases after 2.18. In this document, recently added,
-changed, and removed features of Bugzilla are described.
-
-The 2.18 release is our current stable series, containing the results
-of over two years of hard and dedicated work by volunteers all over
-the world under the lead of Dave Miller.
-
-
-Important Updates In This Point Release
-***************************************
-
-There are usually many other bug fixes than those listed below,
-but the below fixes are the ones that we thought System Administrators
-would like to specifically know about.
-
-To see a listing of all changes in this release, you can use the
-table available at:
-
-http://www.bugzilla.org/status/changes.html
-
-Version 2.18.1
---------------
-
-+ You can now enter a negative time for "Hours Worked"
- in the time-tracking area. (Bug 271276)
-
-+ The BugMail.pm customization required for Windows (as
- described in the Bugzilla Guide) now actually works. (Bug 280911)
-
-+ Users who were using Bugzilla 2.8 can now successfully upgrade
- to 2.18.1 (they couldn't upgrade to 2.18). (Bug 283403)
-
-+ Dependency mails are now properly sent during a mass-change of bugs.
- (Bug 178157)
-
-
-Version 2.18.2
---------------
-
-+ You can now create accounts with createaccount.cgi even
- when the "requirelogin" parameter is turned on. (Bug 294778)
-
-+ Bugs that are in disabled groups may not show a padlock
- on the bug list, or may otherwise behave strangely. You
- can now fix this using sanitycheck.cgi. (Bug 277454)
-
-+ If sendmail dies while you are marking a bug
- as a duplicate, the duplicates table will no longer become
- corrupted. (Bug 225042)
-
-
-Requirements
-************
Dependency Requirements
-----------------------
suitable for saving and then putting into presentations or web pages.
-Generic Charting
-----------------
-
-Bugzilla has a new mechanism for generating charts (graphs over time) of any
-arbitrary search. This is known as "New Charts." Legacy data from the previous
-charting mechanism ("Old Charts") is migrated into the "New Charts" when you
-upgrade. The Old Charts mechanism remains, but is deprecated and will be
-removed in a future version of Bugzilla.
-
-Individual users can see/create charts as long as they are a member of the
-group specified in the Param 'chartgroup'. Data can be collected for
-personal charts every seven days (or a longer period, as set by the user).
-Charts created by an administrator can be made public (visible to all). Data
-is collected for administrator charts every day (or a longer period, as set
-by the admin).
-
-The data is collected by the collectstats.pl script, which an administrator
-will need to arrange to be run once every day (see the manual). Chart data can
-be plotted in a number of different ways, and different data sets can be
-plotted on the same graph for comparison.
-
-Please see the Known Bugs section for some important limitations relating to
-access controls on charts.
-
-
Request System
---------------
they appear in the Bugzilla web pages.
-Google-like Bug Search
-----------------------
+Generic Charting
+----------------
-Bugzilla now includes a very simple, Google-like "Find a Specific Bug" page,
-in addition to its advanced search page.
+Bugzilla's new charting feature allows you to display flexible summary charts,
+based on configurable data sets (bug 16009).
Miscellaneous Improvements
- Mail handling is now between 125% to 175% faster.
-- Guided Bug Entry: You can see a sample enter_bug.cgi template at
- enter_bug.cgi?format=guided that "guides" users through the process of
- filing a "good" bug. It needs to be modified before use in your organization.
-
-- There is now a "Give me some help" link on the Advanced Search page that will
- enable pop-up help for every field on the page.
-
-- The Bugzilla administrator can now forbid users from marking bugs RESOLVED
- when there are unresolved dependencies.
-
-
-All Changes
------------
-
-To see a list of EVERY bug that was fixed between 2.16 and 2.18 (over 1000),
-see: http://tinyurl.com/6m3e4
-
What's Changed?
***************
replacing commas and spaces with underscores.
-New Saved Search User Interface
--------------------------------
-
-In previous Bugzilla versions, you could specify on the search page that you
-wanted to save a search and store it as a link in your footer. This option has
-now moved to the search results page (buglist.cgi), where you will see a
-"Remember search" button with a box next to it to enter the name of the search.
-
-You can manage your saved searches on the Preferences page.
-
-
Rules for changing fields
-------------------------
to the 'everconfirmed' flag.
-Removed Features
-****************
-
-- Please note that Bugzilla no longer supports MySQL 3.22. The minimum required
- version is now 3.23.41.
-
-- The "shadow database" mechanism is no longer used. Instead, use MySQL's
- built-in replication feature.
-
-- If you have placed any comments in the localconfig file, they may be removed
- by checksetup.pl.
-
-
Code Changes Which May Affect Customizations
********************************************
- Use Bugzilla->user->login in place of $::COOKIE{Bugzilla_login}
-- You can tell if there's a user logged in or not by using
- Bugzilla->user rather than looking for $::userid==0.
- In new 2.18 code, use defined(Bugzilla->user) && (Bugzilla->user->id)
- In 2.20, this will become just (Bugzilla->user->id)
- In templates, always test [% IF user.id %] rather than [% IF user %]
-
-- SendSQL() and related calls are deprecated, and the various $dbh methods
- should be used instead, such as $dbh->prepare() and $dbh->execute().
- Bugzilla->dbh is the $dbh handle to use.
+- You can tell if there's a user logged in or not by checking if
+ Bugzilla->user->id != 0 rather than looking for $::userid != 0
Recommended Practice for the Upgrade
************************************
-Note About Upgrading From MySQL With ISAM Tables
-------------------------------------------------
-As previously noted in the Dependency Requirements MySQL is now required
-to be at least version 3.23.41. This implies that all tables of type ISAM will
-be converted by the checksetup.pl script to MyISAM.
-
-
-Steps for Upgrading
--------------------
-
-1) View the Sanity Check (sanitycheck.cgi) page on your installation before
- upgrading.
-
-2) As with any upgrade it is recommended that you make a backup of the
- Bugzilla database before you upgrade, perhaps by using mysqldump.
-
- Example:
-
- mysqldump -u root -p --databases bugs > bugs.db.backup
-
-3) Replace the files in your installation, or you can try to use CVS to upgrade.
- The Bugzilla.org website has instructions on how to do the actual
- installation.
-
-4) Make sure that you run checksetup.pl after you install the new version.
-
-5) View the Sanity Check page again after you run checksetup.pl.
-
-6) It is recommended that, if possible, you fix any problems you find
- immediately. Failure to do this may mean that Bugzilla will not work
- correctly. Be aware that if the sanity check page contains more errors after
- an upgrade, it doesn't necessarily mean there are more errors in your
- database, as additional tests are added to the sanity check over time, and
- it is possible that those errors weren't being checked for in the old
- version.
-
-
-Outstanding Issues
-******************
-
-These are known problems with the release that we think you should know about.
-They each have a bug number for http://bugzilla.mozilla.org/
-
-- If at any time you upgraded from a version of Bugzilla between 2.17.4 -
- 2.17.7 to either 2.18rc3 or 2.19.1, you must manually fix your New Charts in
- order for them to work. See the following link for instructions on how to do
- this: https://bugzilla.mozilla.org/show_bug.cgi?id=276237#c18
- If you are using 2.18rc3, but did not upgrade from version 2.17.4 or newer,
- then you don't need to do this.
-
-- bug 37765: If you use an MTA other than sendmail (such as Postfix, Exim,
- etc.) you MUST turn on the "sendmailnow" parameter or Bugzilla will not send
- e-mail correctly.
-
-- bug 276230: The support for restricting access to particular Categories of
- New Charts is not complete. You should treat the 'chartgroup' Param as the
- only access mechanism available. However, additionally, charts migrated from
- Old Charts will be restricted to the groups that are marked MANDATORY for
- the corresponding Product. There is currently no way to change this
- restriction, and the groupings will not be updated if the group configuration
- for the Product changes.
-
-- bug 69621: If you rename or remove a keyword that is in use on bugs, you will
- need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing
- the option to rebuild the cache when it asks. Otherwise keywords may not show
- up properly in search results.
-
-- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for
- example, if you use a translation of Bugzilla), don't enable the XS::Stash
- option when you install the Template Toolkit, or your Bugzilla installation
- may become slow. This problem is fixed in a not-yet-released version of the
- Template Toolkit (after 2.14).
-
-- bug 266579: Users may be able to circumvent not having "canconfirm" privileges
- in some circumstances. This is fixed starting with 2.19.3, but will not
- be fixed in any 2.18 release, as the changes required to fix it are quite
- large.
-
-- bug 99215: Attachment changes have no mid-air collision detection, unlike bug
- changes.
-
-- bug 57350: Searching using the "commenter is" option may be VERY slow. Note
- that searching for "field: comment, changed by: user@domain.com" is fast,
- though.
-
-- bug 151509: Using the boolean chart option "contains the string" with the
- "flag name" field or certain other fields will cause Bugzilla to emit an
- error. This is fixed in 2.20rc1, but will not be fixed in the 2.18 series.
-
-- bug 234159: Bugzilla may sometimes send multiple notices in one email.
-
-- bug 237107: If you search for attachment information using the Boolean Charts
- at the bottom of the Advanced Query page, bugs without attachments will not
- show up in the result list.
-
-
-Security Fixes In 2.18 Releases
-*******************************
-
-Version 2.18
-------------
-
-Summary: XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3
-CVE Name: CAN-2004-1061
-Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=272620
-Details:
- It is possible to send a carefully crafted URL to Bugzilla designed to
-trigger an error message. The Internal Error message includes javascript code
-which displays the URL the user is visiting. The javascript code does not
-escape the URL before displaying it, allowing scripts contained in the URL to
-be executed by the browser. Many browsers do not allow unescaped URLs to be
-sent to a webserver (thus complying with RFC 2616 section 2.3.1 and RFC 2396
-section 2.4.3), and are thus immune to this issue.
- Browsers which are known to be immune: Firefox 1.0, Mozilla 1.7.5,
-Camino 0.8.2, Netscape 7.2, Safari 1.2.4
- Browsers known to be susceptible: Internet Explorer 6 SP2,
-Konqueror 3.2
- Browsers not listed here have not been tested.
-
-
-Version 2.18.1
---------------
-
-Two security issues were fixed in Bugzilla 2.18.1, neither of them
-critical.
-
-See http://www.bugzilla.org/security/2.16.8/ for details.
-
-
-Version 2.18.2
---------------
+As always, please ensure you have run checksetup.pl after replacing the
+files in your installation.
-Two security issues were fixed in Bugzilla 2.18.2. One of them
-is a major Information Leak/Unauthorized Bug Change. The other
-is a minor Information Leak.
+It is recommended that you view the sanity check page (sanitycheck.cgi) both
+before the upgrade and after running checksetup.pl after the upgrade, to see
+if there are any problems with your installation.
-See http://www.bugzilla.org/security/2.18.1/ for details.
+It is also recommended that, if possible, you fix any problems you find
+immediately. Failure to do this may mean that Bugzilla will not work correctly.
+Be aware that if the sanity check page contains more errors after an upgrade,
+it doesn't necessarily mean there are more errors in your database, as
+additional tests are added to the sanity check over time, and it is possible
+that those errors weren't being checked for in the old version.
+As previously noted in the Dependency Requirements MySQL is now required to be
+at least version 3.23.41. This implies that all tables of type ISAM will be
+converted by the checksetup.pl script to MyISAM. As with any upgrade it is
+recommended to make a backup of the database, perhaps by using mysqldump.
-Detailed Version-To-Version Release Notes
-*****************************************
-
-*********************************************************
-*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.7 ***
-*********************************************************
-
-*** Security fixes ***
-
-- It is possible to send a carefully crafted HTTP POST message to
- process_bug.cgi which will remove keywords from a bug even if you don't have
- permissions to edit all bug fields (the "editbugs" permission). Such changes
- are reported in "bug changed" email notifications, so they are easily
- detected and reversed if someone abuses it. Users are now prevented from
- making changes to keywords if they do not have editbugs privileges. (bug
- 252638)
-
-*** Bug fixes of note ***
-
-- Enforce a minimum of 10 minutes between attempts to reset a password, so
- we don't mailbomb the user if someone submits the form many times in a
- row. (bug 250897)
-
-- Put products in alphabetical order on the create attachment status page.
- (bug 251427)
-
-- Specify MyISAM as the table type when creating new tables. MySQL 4.1 and
- up default to InnoDB, which doesn't support some of the indexing methods
- that we use. (bug 263165)
-
-*********************************************************
-*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.6 ***
-*********************************************************
-
-*** Security fixes ***
-
-- If Bugzilla is configured to hide entire products from some users, both
- duplicates.cgi and the form for mass-editing a list of bugs in buglist.cgi
- can disclose the names of those hidden products to such users.
- (bugs 234825 and 234855)
-
-- Several administration CGIs echo invalid data back to the user without
- escaping it. (bug 235265)
-
-- A user with privileges to grant membership to any group (i.e. usually an
- administrator) can trick editusers.cgi into executing arbitrary SQL.
- (bug 244272)
-
-*** Bug fixes of note ***
-
-- Allow XML import to function when there are regexp metacharacters in product
- names (bug 237591)
-
-- Allow the bug_email.pl contrib script to work with useqacontact (bug 239912)
-
-- Improve the error message used by checksetup.pl when the MySQL requirements
- are not met (bug 240228)
-
-- Elimnate the warning in checksetup.pl about the minimum sendmail version (bug
- 240060)
-
-- $webservergroup now defaults to group 'apache' in new installations (bug
- 224477)
-
-- Correct a situation where a bugmail message could be sent twice to a user
- being added to the CC list if the address was entered in a different case
- than the user registered with. (bug 117297)
-
-- Various documentation updates
-
-*********************************************************
-*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.4 ***
-*********************************************************
-
-*** Bug fixes of note ***
-
-- Fix a "used only once" warning that ocurred only in perl 5.00503
- (bug 2321691)
-
-- When a user is creating a new account and enters an invalid email
- address, the error page sent the "Content-type" header twice, causing
- the second one to be visible at the top of the page.
- (bug 137121)
-
-- An HTML encoding issue which only affected Internet Explorer was
- corrected in the "Change several bugs at once" page.
- (bug 181106)
-
-- During initial setup, using invalid characters in the administrator
- password would present an error message stating your password was
- too long or too short instead of telling you it had invalid
- characters.
- (bug 166755)
-
-- When a user reset their own password via an emailed token, the new
- password in the first field would be accepted if the second password
- field was left blank.
- (bug 123077)
-
-- Reopening bugs from the "change several bugs at once" page now works.
- (bug 95430)
-
-- Fix a regression in xml.cgi caused by the previous bugfix for MySQL
- SUM() changes. The original fix didn't work properly either.
- (bug 225474)
-
-- No longer use server push with the "Safari" browser, which claims to
- use the Mozilla layout engine but doesn't.
- (bug 188712)
-
-- Creating a shadow database no longer fails with taint mode errors.
- (bug 227510)
-
-- If you change your cookiepath setting at some stage (because you have
- moved the directory Bugzilla resides on your webserver), users can
- have login cookies with the old cookiepath, and their browsers will
- send multiple logincookies. Bugzilla now uses the first rather than
- the last in order to get the most specific cookie which will be the
- correct one.
- (bug 121419)
-
-- Fixed a regression caused by the previous DBD::mysql fixes, that
- caused older versions of DBD::mysql to break due to not supporting
- the new DBI syntax.
- (bug 224815)
-
-- Bugzilla no longer sends out invalid dates for cookie expiry. This
- bug had no known user visible ramifications.
- (bug 228706)
-
-- Update the shadow database parameters description to tell the user
- about permissions requirements for creating a shadow database.
- (bug 227513)
-
-- Various documentation updates.
-
-*********************************************************
-*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.3 ***
-*********************************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- A user with 'editproducts' privileges (i.e. usually an administrator)
- can select arbitrary SQL to be run by the nightly statistics cron job
- (collectstats.pl), by giving a product a special name.
- (bug 214290)
-
-- A user with 'editkeywords' privileges (i.e. usually an administrator)
- can inject arbitrary SQL via the URL used to edit an existing keyword.
- (bug 219044)
-
-- When deleting products and the 'usebuggroups' parameter is on, the
- privilege which allows someone to add people to the group which is
- being deleted does not get removed, allowing people with that
- privilege to get that privilege for the next group that is created
- which reuses that group ID. Note that this only allows someone who
- had been granted privileges in the past to retain them.
- (bug 219690)
-
-- If you know the email address of someone who has voted on a secure
- bug, you can access the summary of that bug even if you do not have
- sufficient permissions to view the bug itself.
- (bug 209376)
-
-*** Bug fixes of note ***
-
-Perl 5.8.0 Compatibility fixes:
-
-- Two taint errors were fixed, one in process_bug.cgi, and
- another in post_bug.cgi.
- (bugs 220332 and 177828)
-
-MySQL 4.0 Compatibility fixes:
-
-- A cosmetic fix was applied to votes.cgi (if there were no
- votes, the "0" was not displayed) due to a change in semantics
- in SUM() in MySQL 4.0.
- (bug 217422)
-
-DBD::mysql > 2.1026 Compatibility fixes:
-
-- DBD::mysql versions after 2.1026 return the table list quoted, which
- broke the existing "table exists" check in checksetup.pl, which caused
- the second and subsequent attempts to run checksetup.pl to fail.
- (bug 212095)
-
-Miscellaneous bug fixes:
-
-- A Mozilla-specific reference was removed from one of the report
- templates.
- (bug 221626)
-
-- It was possible to enter a situation where you were unable to get to
- editparams.cgi to turn the shutdownhtml param back off after you
- turned it on when Apache was configured to run Bugzilla in suexec
- mode.
- (bug 213384)
-
-- The processmail rescanall task would not send e-mails about more than
- one bug to the same address.
- (bug 219508)
-
-- If Bugzilla hadn't been accessed in the last hour when the
- collectstats.pl or whineatnews.pl cron jobs ran, the versioncache
- would get recreated with the file owner being the user the cron job
- was running as (usually not the webserver user), causing subsequent
- access to Bugzilla by the webserver to fail until the permissions were
- fixed. Now if versioncache isn't readable when accessing from the
- webserver, we pretend it doesn't exist and recreate it again.
- (bug 160422)
-
-- The 'sendmailnow' param is now on by default in new installations
- (this does not affect existing installations).
- (bug 146087)
-
-- The 008filter.t test would fail if you had multiple language packs
- installed. It now properly tests all of the installed language packs.
- (bug 203318)
-
-- A few minor documentation changes were committed.
-
-*********************************************************
-*** USERS UPGRADING FROM ALL VERSIONS PRIOR TO 2.16.2 ***
-*********************************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- A cross site scripting (XSS) vulnerability was fixed in which bug
- summaries were not properly filtered when a user viewed a dependency graph
- allowing JavaScript to be embedded on that page.
- (bug 192661)
-
-- Several XSS vulnerabilities were fixed in which user
- input was not escaped when being displayed. A new
- test has been added to warn about unfiltered data in template
- files (t/008filter.t).
- (bug 192677)
-
-- An issue was fixed in which the QA contact was still treated as the QA
- contact even after the 'useqacontact' setting was turned off. This also
- allowed the QA contact to edit the security groups and view secured bugs that
- he/she was allowed to access prior to the 'useqacontact' setting being
- deactivated.
- (bug 194394)
-
-- Fixed a situation where an attacker (with local access to the webserver)
- could overwrite any file on the webserver to which the webserver user
- has write access by creating appropriately named symbolic links in the
- data and webdot directories (world-writable in many configurations).
- Bugzilla now uses File::Temp to create secure temporary files. File::Temp
- is part of the Perl distribution for Perl 5.6.1 and later, but if you're
- using an older version of Perl you'll need to install it with CPAN.
- (bug 197153)
-
-** IMPORTANT CHANGES ***
-
-- New module requirement: File::Temp, as mentioned above.
-
-*** Bug fixes of note ***
-
-- An issue was fixed in which administrator rights could be removed from an
- administrator who deleted a product while the 'usebuggroups' setting is
- activated.
- (bug 157704)
-
-- Fixed an issue in which importxml.pl would fail the test suite when running
- under perl 5.8.0 with the optional XML::Parse module.
- (bug 172331)
-
-- There was previously a bug in CGI.pl in which the following warning
- would be given under certain conditions:
- "Character in "c" format wrapped at CGI.pl..."
- This is now fixed. In some cases the warning was filling up web server log
- files.
- (bug 194125)
-
-- Fixed a bug in which long component names (in excess of 50 characters) would
- be accepted when creating the component but would cause problems when trying
- to use that component on a bug because it would get truncated. It is now no
- longer possible to create components with names in excess of 50 characters.
- (bug 197180)
-
-- Fixed a bug in checksetup.pl in which permissions were not being fixed
- on the 'data/comments' file, the quip file.
- (bug 160279)
-
-*****************************************************************
-*** USERS UPGRADING FROM 2.16.1 OR EARLIER, 2.14.4 OR EARLIER ***
-*****************************************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- Fixed a cross site scriptability issue in quips. This is only a problem
- if quips with HTML could have been inserted into your quips files. Bugzilla
- has not allowed this since 2.12.
- (bug 179329)
-- checksetup.pl will now attempt to prevent access to "editor backups" of
- localconfig.
- (bug 186383)
-- collectstats.pl no longer makes data/mining (which contains graphing
- information) world writeable.
- (bug 183188)
-
-***********************************************
-*** USERS UPGRADING FROM 2.16.0 OR EARLIER ***
-***********************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- Apostrophes were not properly handled in email addresses. This was a
- regression introduced in 2.16. It is not known whether this was
- exploitable.
- (bug 165221)
-
-See also next major section.
-
-*** Bug fixes of note ***
-
-- The VERSION cookie which allowed the previously entered version of a product
- to be remembered was not correctly set. It was only set as a session
- cookie, and under some circumstances could interfere with other cookies
- (such as the login information) send at the same time.
- (bug 160227)
-
-- importxml.pl would fail if the versioncache needed to be updated.
- (bug 164464)
-
-- Bug changes going through intermediate pages would munge fields with
- multiple fields, such as CCs.
- (bug 161203)
-
-- On failure in template->new, Bugzilla will now die rather than futilely
- attempt to use an error template.
- (bug 166023)
-
-- Fixed a problem where checksetup had problems converting old installations
- that didn't have a duplicates table.
- (bug 151619)
-
-- Fixed a problem that caused taint errors when viewing or editing user
- preferences with Perl 5.005 and Template 2.08.
- (bug 160710)
-
-See also next section.
-
-******************************************************
-*** USERS UPGRADING FROM 2.16.0, 2.14.3 OR EARLIER ***
-******************************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- When a new product is added to an installation with 47 groups or more and
- "usebuggroups" is enabled, the new group will be assigned a groupset bit
- using Perl math that is not exact beyond 2^48. This results in the new
- group being defined with a "bit" that has several bits set. As users are
- given access to the new group, those users will also gain access to
- spurious lower group privileges. Also, group bits were not always reused
- when groups were deleted.
- (bug 167485)
-
-- The email interface had another insecure single parameter system call. This
- could potentially allow arbitrary shell commands to be run. This file is
- not supported at this time, but as long as we knew about the problem, we
- couldn't overlook it.
- (bug 163024)
-
-*** Bug fixes of note ***
-
-- The email interface was broken. This was a 2.14.3 regression. This file
- is not supported at this time, but as long as we knew about the problem, we
- couldn't overlook it.
- (bug 160631)
-
-***********************************************
-*** USERS UPGRADING FROM 2.14.5 OR EARLIER ***
-***********************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- The bug reporter could set the priority even when
- 'letsubmitterchoosepriority' was off.
- (bug 63018)
-
-- Most CGIs are now templatised. This helps to make it
- easier to remember to HTML filter values and easier to spot
- when they are not, preventing cross site scripting attacks.
- (bug 86168)
-
-- Most CGIs now run in taint mode. This helps to prevent
- failure to validate errors.
- (bug 108982)
-
-*** IMPORTANT CHANGES ***
-
-- 2.16 introduces "templatisation", a new feature that allows
- administrators to easily customise the HTML output (the "look and feel")
- of Bugzilla without altering Perl code. Bugzilla uses the
- "Template Toolkit" for this. Please see the "Template Customisation"
- section of the Bugzilla Guide for more details.
-
- Administrators who ran the 2.15 development version and customised
- templates should check the templates are still valid, as file names
- and file paths have changed.
-
- Most output is now templatised. This process will be complete next
- milestone.
-
- For speed, compiled templates are cached on disk. If you modify the
- templates, the toolkit will normally detect the changes, and recompile the
- changed templates.
-
- Adding new directories anywhere inside the template directory may cause
- permission errors if you don't have a webservergroup specified in
- localconfig. If you see these, rerun checksetup.pl as root. If you do not
- have root access, or cannot get someone who does to do this for you, you can
- rename the data/template directory to data/template.old (or any other name
- Bugzilla doesn't use). Then rerun checksetup.pl to regenerate the compiled
- templates.
- (bug 86168, 97832)
-
-- Administrators can now configure maximum attachment sizes. These
- should remain below the maximum size for your MySQL server, or you
- will get obscure MySQL errors if you attach a bigger attachment.
-
- To find out the current size attachment that MySQL can accept, type
- the command 'mysqladmin variables' and find out the value of the
- 'max_allowed_packet' varible in bytes.
-
- To change the maximum size that MySQL can accept you can alter this
- variable in your 'my.cnf' file.
- (bug 91664)
-
-- Perl 5.004 is no longer supported because the Template Toolkit
- requires 5.005.
- (bug 97721)
-
-- New module requirements: Text::Wrap, Template [requires AppConfig],
- File::Spec.
- (bugs 97784, 84338, 103778)
-
-- The index page is now a CGI instead of an HTML page. You should remove
- any existing index.html file and make sure your web server allows index.cgi
- to be the default page in a directory. If you are not able to do that you
- can instead set index_html in the 'localconfig' file to 1 and checksetup.pl
- will create a redirect page for you.
- (bug 80183)
-
-- It is now recommended that administrators run "processmail rescanall"
- after upgrading to 2.16 or beyond.
-
- This will send out notification emails for changes that were
- made but not emailed, due to Bugzilla bugs. All known
- causes of this have been fixed in this version (bug 104589 and 99519).
-
- It is also recommended that this be run nightly to avoid
- lengthy delays in future if this problem reoccurs.
- (bug 106377)
-
-- In parallel with templatisation, a lot of changes have been made to the HTML
- output of the Bugzilla CGIs. This could break code that attempts to parse
- such code. For example, this breaks mozbot.
- (no bug number)
-
-- The "HTML template" parameters (headerhtml, bodyhtml, footerhtml,
- errorhtml, bannerhtml, blurbhtml, mostfreqhtml, entryheaderhtml) have now
- been moved to Template Toolkit templates. If you have modified these
- parameters you will need to make corresponding changes to the corresponding
- templates. Your old parameter values will be moved to a file called
- old-params.txt by checksetup.pl.
-
- The old parameters correspond to files in template/en/default as follows:
-
- headerhtml: global/header.html.tmpl
- footerhtml: global/footer.html.tmpl
- bannerhtml: global/banner.html.tmpl
- blurbhtml: global/banner.html.tmpl
- mostfreqhtml: reports/duplicates*.html.tmpl
- entryheaderhtml: bug/create/user-message.html.tmpl
-
- (bug 140437)
-
-*** Other changes of note ***
-
-- The query page has been redesigned for better user friendliness.
- (bug 98707)
-- Users can now change their email account.
- (bug 23067)
-- "Dependent Bug Changed" notification emails now contain the
- dependent bug's summary and URL.
- (bug 28736, 113383)
-- Bugs with severity "critical", "blocker", and "enhancement" are
- visually differentiated on bug lists for browsers with sufficient
- CSS support.
- (bug 28884)
-- Bugzilla now has a sidebar for the Mozilla browser.
- (bug 37339)
-- A link to just created attachments now appears in notification
- email.
- (bug 66651)
-- Comments now have numbers and can be referenced with
- autohyperlinkifying similar to bugs.
- (bug 71840)
-- The attachment system has been rewritten, supporting new
- "attachment statuses" (like keywords, but for attachments),
- the ability to obsolete attachments, edit attachment MIME type,
- and edit whether the attachment is a patch.
- (bugs 84338, 75176)
-- syncshadowdb now supports a configurable temp file location,
- and properly shuts down Bugzilla while running.
- (bug 75840)
-- Dependency tree now lets you exclude resolved bugs and bugs
- below a specified depth.
- (bugs 83058)
-- The "strictvaluechecks" parameter has gone away. These checks
- are now always done.
- (bug 119715)
-- The midair collision page now shows all changes since the bug
- page was loaded, not just the last one.
- (bug 108312)
-- Added support for making dependency graphs with 'dot', which
- is better at creating complex graphs than 'webdot'.
- (bug 120537)
-
-*** Bug fixes of note ***
-
-- Bugzilla scripts are now usually not terminated when the browser
- window they are running in is closed. This caused hard to
- reproduce bugs.
- (bug 104589)
-- On browsers that "reflow" the page, large component / milestone /
- version fields were extremely slow to reflow when you altered
- the product field.
- (bug 96534)
-- The selection in the component / milestone / version fields is
- no longer lost when you change the selection in the product
- field or use the back/forward buttons in your browser to return
- to the page.
- (bug 97966)
-- You could not reverse dependencies in one step.
- (bug 82143)
-- Mass reassignment of non-open bugs will no longer reopen them.
- (bug 30731)
-- Attempting to bulk change no bugs will now give a user-friendly
- error message.
- (bug 90333)
-- If you make a change to a bug where you only add yourself to CC,
- email notifications are now properly sent out for MySQL 3.23.
- (bug 99519)
-- Bug entry now properly validates the data it has been sent.
- (bug 107743)
-- Midair collision checks will now properly work in all situations
- where dependencies have changed.
- (bug 73502)
-- Browsers can no longer corrupt the params file if they use the "wrong"
- end-of-line markers.
- (bug 92500)
-- The MySQL port defined in localconfig is now properly honoured.
- (bug 98368)
-- Apostrophes in component/milestone/version names no longer cause
- a problem on the query page.
- (bug 30689/42810)
-- File attachment comments will now wrap.
- (bug 52060)
-- Saved queries are no longer mangled if you need to log in again,
- for example if you had cookies off.
- (bug 38835)
-- Bug counts (on reports.cgi) were very slow if you had to
- count a lot of bugs.
- (bug 63249)
-- 2.14 introduced options to let people see a bug when their name
- is on it but who aren't in the groups the bug is restricted
- to. These only allowed the people to view the bugs directly,
- and not see them on buglists and receive email about them.
- (bugs 95024, 97469)
-- A new 'cookiepath' parameter on editparams.cgi allows multiple
- Bugzilla installations to exist on one host without problems.
- (bug 19910)
-- whineatnews.pl now respects the 'sendmailnow' parameter.
- (bug 52782)
-- The query page came up even when Bugzilla was shut down.
- (bug 121747)
-- Quicksearch gave a weird error message when Bugzilla was
- shut down.
- (bug 121741)
-- Operating system detection fixes.
- (bugs 92763, 135666)
-- QA contacts now receive emails when a new bug is created and
- their only email preference was being added or removed from QA.
- (bug 143091)
-
-***********************************************
-*** USERS UPGRADING FROM 2.14.4 OR EARLIER ***
-***********************************************
-
-See section above about users upgrading from 2.16.1 or earlier,
-2.14.4 or earlier.
-
-***********************************************
-*** USERS UPGRADING FROM 2.14.3 OR EARLIER ***
-***********************************************
-
-See section above about users upgrading from 2.16.0 or earlier.
-
-***********************************************
-*** USERS UPGRADING FROM 2.14.2 OR EARLIER ***
-***********************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- Basic maintenance on contrib/bug_email.pl and
- contrib/bugzilla_email_append.pl which also fixes a
- possible security hole with a misuse of a system() call.
- These files are not supported at this time, but as long
- as we knew about the problem, we couldn't overlook it.
- (bug 154008)
-
-*** Bug fixes of note ***
-
-- The fix for bug 130821 in 2.14.2 broke being able to sort
- bug lists on more than one field. buglist.cgi now allows
- you to sort on more than one field again.
- (bug 152138)
-
-***********************************************
-*** USERS UPGRADING FROM 2.14.1 OR EARLIER ***
-***********************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- queryhelp.cgi no longer shows confidential products to
- people it shouldn't.
- (bug 126801)
-
-- It was possible for a user to bypass the IP check by
- setting up a fake reverse DNS, if the Bugzilla web server
- was configured to do reverse DNS lookups. Apache is not
- configured as such by default. This is not a complete
- exploit, as the user's login cookie would also need to
- be divulged for this to be a problem.
- (bug 129466)
-
-- In some situations the data directory became world writeable.
- (bug 134575)
-
-- Any user with access to editusers.cgi could delete a user
- regardless of whether 'allowuserdeletion' is on.
- (bug 141557)
-
-- Real names were not HTML filtered, causing possible cross
- site scripting attacks.
- (bug 146447, 147486)
-
-- Mass change would set the groupset of every bug to be the
- groupset of the first bug.
- (bug 107718)
-
-- Some browsers (eg NetPositive) interacted with Bugzilla
- badly and could have various form problems, including
- removing group restrictions on bugs.
- (bug 148674)
-
-- It was possible for random confidential information to be
- divulged, if the shadow database was in use and became
- corrupted.
- (bug 92263)
-
-- The bug list sort order is now stricter about the SQL it will accept,
- ensuring you use correct column name syntax. Before this, there were
- some syntax checks, so it is not known whether this problem was
- exploitable.
- (bug 130821)
-
-********************************************
-*** USERS UPGRADING FROM 2.14 OR EARLIER ***
-********************************************
-
-The 2.14.1 release fixes several security issues that became
-known to us after the Bugzilla 2.14 release.
-
-*** SECURITY ISSUES RESOLVED ***
-
-- If LDAP Authentication was being used, Bugzilla would allow
- you to log in as anyone if you left the password blank.
- (bug 54901)
-
-- It was possible to add comments or file a bug as someone else
- by editing the HTML on the appropriate submission page before
- submitting the form. User identity is checked now, and the
- form values suggesting the user are now ignored.
- (bug 108385, 108516)
-
-- The Product popup menu on the show_bug form listed all
- products, even if the user didn't have access to all of them.
- It now only shows products the user has access to (and the
- product the bug is in, if the user is viewing it because of
- some other override).
- (bug 102141)
-
-- If a user had any blessgroupset privileges (the ability to
- change only specific privileges for other users), it was
- possible to change your own groupset (privileges) by
- altering the page HTML before submitting on editusers.cgi.
- (bug 108821)
-
-- An untrusted variable was echoed back to user in the HTML
- output if there was a login error while editing votes.
- (bug 98146)
-
-- buglist.cgi had an undocumented parameter that allowed you
- to pass arbitrary SQL for the "WHERE" part of a query.
- This has been disabled.
- (bug 108812)
-
-- It was possible for a user to send arbitrary SQL by inserting
- single quotes in the "mybugslink" field in the user
- preferences.
- (bug 108822)
-
-- buglist.cgi was not validating that the field names being
- passed from the "boolean chart" query form were valid field
- names, thus allowing arbitrary SQL to be inserted if you
- edited the HTML by hand before submitting the form.
- (bug 109679)
-
-- long_list.cgi was not validating that the bug ID parameter
- was actually a number, allowing arbitrary SQL to be inserted
- if you edited the HTML by hand.
- (bug 109690)
-
-********************************************
-*** USERS UPGRADING FROM 2.12 OR EARLIER ***
-********************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- Multiple instances of unauthorised access to confidential
- bugs has been fixed.
- (bug 39524, 39526, 39527, 39531, 39533, 70189, 82781)
-
-- Multiple instances of untrusted parameters not being
- checked/escaped was fixed. These included definite security
- holes.
- (bug 38854, 38855, 38859, 39536, 87701, 95235)
-
-- After logging in passwords no longer appear in the URL.
- (bug 15980)
-
-- Procedures to prevent unauthorised access to confidential
- files are now simpler. In particular the shadow directory
- no longer exists and the data/comments file no longer needs
- to be directly accessible, so the entire data directory can
- be blocked. However, no changes are required here if you
- have a properly secured 2.12 installation as no new files
- must be protected.
- (bug 71552, 73191)
-
-- If they do not already exist, checksetup.pl will attempt to
- write Apache .htaccess files by default, to prevent
- unauthorised access to confidential files. You can turn this
- off in the localconfig file.
- (bug 76154)
-
-- Sanity check can now only be run by people in the 'editbugs'
- group. Although it would be better to have a separate
- group, this is not possible until the limitation on the
- number of groups allowed has been removed.
- (bug 54556)
-
-- The password is no longer stored in plaintext form. It will
- be eradicated next time you run checksetup.pl. A user must
- now change their password via a password change request that
- gets validated at their e-mail account, rather than have it
- mailed to them.
- (bug 74032)
-
-- When you are using product groups and you move a bug between
- products (single or mass change), the bug will no longer be
- restricted to the old product's group (if it was) and will
- be restricted to the new product's group.
- (bug 66235)
-
-- There are now options on a bug to choose whether the
- reporter, and CCs can access a bug even if they aren't in
- groups the bug it is restricted to.
- (bug 39816)
-
-- You can no longer mark a bug as a duplicate of a bug you
- can't see, and if you mark a bug a duplicate of a bug
- the reporter cannot see you will be given options as to
- what to do regarding adding the reporter of the resolved
- bug to the CC of the open bug.
- (bug 96085)
-
-*** IMPORTANT CHANGES ***
-
-- Bugzilla 2.14 no longer supports old email tech. Upon
- upgrading, all users will be moved over to new email tech.
- This should speed up upgrading for installations with
- a large number of bugs.
- (bug 71552)
-
-- There is new functionality for people to see why they are
- receiving notification mails.
-
- Previously, some people filtered old email tech
- notifications depending on whether they were in the To or the
- CC header, in order to get a limited way of determining why
- they were receiving the notification for filtering purposes.
-
- Existing installations will need to make changes to support
- this feature. The receive reasons can be added to the
- notifications as a header and/or in the body. To add these
- you will need to modify your newchangedmail parameter on
- editparams.cgi, either by resetting it or appropriately
- modifying it. The header value is specified by
- %reasonsheader% and the body by %reasonsbody%. For example,
- the new default parameter is:
-
- --------------------------------------------------
- From: bugzilla-daemon
- To: %to%
- Subject: [Bug %bugid%] %neworchanged%%summary%
- X-Bugzilla-Reason: %reasonsheader%
-
- %urlbase%show_bug.cgi?id=%bugid%
-
- %diffs%
-
-
-
- %reasonsbody%
- --------------------------------------------------
-
- (bug 26194)
-
-- Very long fields (especially multi-valued fields like keywords,
- CCs, dependencies) on bug activity and notifications previously
- could get truncated, resulting in useless notifications and data
- loss on bug activity. Now the multi-valued fields only show
- changes, and very big changes are split into multiple lines.
- Where data loss has already occurred on bug activity, it is
- indicated using question marks.
- (bug 55161, 92266)
-
-- Previously, when a product's voting preferences changed all
- votes were removed from all the bugs in the product. Also,
- when a bug was moved to another product, all of its votes
- were removed. This no longer occurs.
-
- Instead, if the action would leave one or more bugs with
- greater than the maximum number of votes per person per bug,
- the number of votes will be reduced to the maximum. The
- person will still be notified of this as before.
-
- If the action would leave a user with more votes in a product
- than is allowed, the limit will be breached so as to not lose
- votes. However the user will not be able to update their
- votes except to fix this situation. No further action is taken
- in this version to make sure that the user does this.
- (bug 28882, 92593)
-
-*** Other changes of note ***
-
-- Groups can now be marked inactive, so you can't add a new
- restriction on that group to a bug, while leaving bugs that
- were previously restricted on that group alone.
- (bug 75482)
-- backdoor.cgi has been removed from the installation. It was
- old code that was Netscape-specific and its name was scaring
- people.
- (bug 87983)
-- You can now add or remove from CC on the bulk change page.
- (bug 12819)
-- New users created by administrators are now automatically
- inserted into groups according to the group's regular
- expression. Administrators must edit the user in a second
- step to override these choices. Previously the
- administrator specified these explicitly which could lead
- to incorrect settings.
- (bug 45164)
-- The userregexp of system groups can now be edited without
- resorting to direct database access.
- (bug 65290)
-
-*** Bug fixes of note ***
-
-- The bug list page was sometimes bringing up a not logged in
- footer when the user was logged in and the installation was
- using a shadow database.
- (bug 47914)
-- You can now view the bug summary in your browser title for
- a group-restricted bug if you have proper permissions.
- (bug 71767)
-- Quick search for search terms did not work in IE5.
- This has been worked around.
- (bug 77699)
-- Quick search for search terms crashed NN4.76/4.77 for Unix.
- This has been worked around.
- (bug 83619)
-- Queries on bugs you have commented on using the "added
- comment" feature should be a lot faster and not time out
- on large installations due to the addition of an index.
- (bug 57350)
-- You can now alter group settings on bulk change for groups
- that aren't on for all bugs or off for all bugs.
- (bug 84714)
-- New bug notifications now include the CC and QA fields.
- (bug 28458)
-- Bugzilla is now more Windows friendly, although it is still
- not an official platform.
- (bug 88179, 29064)
-- Passwords are now encrypted using Perl's encrypt function.
- This makes Bugzilla more portable to more operating systems.
- (bug 77473)
-- Bugzilla didn't properly shut down when told to - some
- queries could still be sent to the database.
- (bug 95082)
-
-********************************************
-*** USERS UPGRADING FROM 2.10 OR EARLIER ***
-********************************************
-
-*** SECURITY ISSUES RESOLVED ***
-
-- Some security holes have been fixed where shell escape characters
- could be passed to Bugzilla, allowing remote users to execute
- system commands on the web server.
-
-*** IMPORTANT CHANGES ***
-
-- There is now a facility for users to choose the sort of
- notifications they wish to receive. This facility will
- probably be improved in future versions.
- (bug 17464)
-
-- "Changed" will no longer appear on the subject line of
- change notification emails. Because of this, you should
- change the subject line in your 'changedmail' and
- 'newchangedmail' params on editparams.cgi. The subject
- line needs to be changed from
-
- Subject: [Bug %bugid%] %neworchanged% - %summary%
-
- to:
-
- Subject: [Bug %bugid%] %neworchanged%%summary%
-
- or whatever is appropriate for the subject you are using
- on your system. Note the removal of the " - " in the
- middle.
- (bug 29820)
-
-*** Other changes of note ***
-
-- Bug titles now appear in the page title, and will hence
- display in the user's browser's bookmarks and history.
- (bug 22041)
-- Edit groups functionality (editgroups.cgi).
- (bug 25010)
-- Support for moving bugs to other Bugzilla databases.
- (bug 36133)
-- Bugzilla now can generate a frequently reported bugs list
- based on what duplicates you receive.
- (bug 25693)
-- When installing Bugzilla fresh, the administrator account is
- now created in checksetup.pl.
- (bug 17773)
-- Stored queries now show their name above the bug list, which
- helps the user when they have multiple bug lists in multiple
- browser windows. It also appears in the page title, and will
- hence display in the user's browser's bookmarks and history.
- (bug 52228)
-- All states and resolutions can now be collected for charting.
- (bug 6682)
-- A new search-engine-like "quick search" feature appears on
- the front page to try and making searching easier.
- (bug 69793)
-- Querying on dependencies now works in the advanced query
- section of the query page.
- (bug 30823)
-- When a bug is marked as a duplicate, the reporter of the
- resolved bug is automatically added to the CC list of the
- open bug.
- (bug 28676)
-
-*** Bug fixes of note ***
-
-- Notification emails will now always be sent to QA contacts.
- Previously they wouldn't if you were using new email tech.
- (bug 30826)
-- When marking a bug as a duplicate, the duplicate stamp marked
- on the open bug will no longer be written too early (such as
- on mid-air collisions).
- (bug 7873)
-- Various bug fixes were made to the initial assignee and QA
- of a component. It is no longer possible to enter an
- invalid address. They will also now properly update when
- a user's email address is changed. Sanity check will now
- check these.
- (bug 66876)
-- Administrators can no longer create an email accounts that do
- not match the global email regular expression parameter.
- Previously this could occur and would cause sanity check
- errors.
- (bug 32971)
-- The resolution field can no longer become empty when the
- bug is resolved. This occurred because of midair collisions.
- (bug 49306)
-
-*******************************************
-*** USERS UPGRADING FROM 2.8 OR EARLIER ***
-*******************************************
-
-Release notes were not compiled for versions of Bugzilla before
-2.12.
-
-The file 'UPGRADING-pre-2.8' contains instructions you may
-need to perform in addition to running 'checksetup.pl' if you
-are running a pre 2.8 version.
+Example:
+ mysqldump -u root -p --databases bugs > bugs.db.backup
projects / thirdparty / bugzilla.git / commitdiff
