]>
git.ipfire.org Git - thirdparty/bugzilla.git/log
Dave Lawrence [Wed, 16 Oct 2013 16:00:39 +0000 (12:00 -0400)]
Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy and allowing easier brute force
Frédéric Buclin [Fri, 11 Oct 2013 22:11:07 +0000 (00:11 +0200)]
Bug 912639: Release notes for Bugzilla 4.0.11
Frédéric Buclin [Fri, 9 Aug 2013 09:32:56 +0000 (11:32 +0200)]
Bug 902515: Internet Explorer 11 receives multipart/x-mixed-replace content from buglist.cgi
Sunil Joshi [Wed, 7 Aug 2013 05:29:21 +0000 (15:29 +1000)]
Bug 901620 - Grammar error in the documentation
Dave Lawrence [Wed, 24 Jul 2013 14:21:16 +0000 (10:21 -0400)]
Bug 880653 - Add POD for Bug.possible_duplicates webservice
Dave Lawrence [Mon, 15 Jul 2013 03:54:57 +0000 (23:54 -0400)]
Bug 787328 - xmlrpc.cgi doesn't send any security-related headers
Frédéric Buclin [Mon, 15 Apr 2013 21:28:14 +0000 (23:28 +0200)]
Bug 861528: $user->can_enter_product() now returns the product object instead of 1
Christopher Trom [Tue, 9 Apr 2013 10:28:20 +0000 (12:28 +0200)]
Bug 355620: Lines enclosed in <simplelist> do not wrap in the PDF version of the Bugzilla Guide
Frédéric Buclin [Tue, 26 Mar 2013 11:10:46 +0000 (12:10 +0100)]
Bug 854074: Remove all references to the uwinnipeg.ca PPM repository as it is no longer available
Frédéric Buclin [Wed, 20 Mar 2013 12:12:42 +0000 (13:12 +0100)]
Bug 852560: Bugzilla cannot be installed with MySQL 5.6, because the have_innodb variable no longer exists
Dave Lawrence [Wed, 20 Feb 2013 01:16:16 +0000 (20:16 -0500)]
Bump version post-release
Dave Lawrence [Tue, 19 Feb 2013 18:40:55 +0000 (13:40 -0500)]
Bumped current year
Dave Lawrence [Tue, 19 Feb 2013 17:35:34 +0000 (12:35 -0500)]
Bump version to 4.0.10
Frédéric Buclin [Tue, 19 Feb 2013 17:29:14 +0000 (18:29 +0100)]
Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format
Simon Green [Tue, 19 Feb 2013 17:16:28 +0000 (18:16 +0100)]
Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access
Frédéric Buclin [Tue, 19 Feb 2013 08:50:32 +0000 (09:50 +0100)]
Bug 832265: Release notes for Bugzilla 4.0.10
Frédéric Buclin [Mon, 21 Jan 2013 12:29:10 +0000 (13:29 +0100)]
Bug 771100: Attaching a file to a bug with Perl 5.16 fails
Frédéric Buclin [Sat, 5 Jan 2013 23:27:35 +0000 (00:27 +0100)]
Bug 826678: Disable warnings about the deprecated Return::Value module when loading Email::Send
Matt Selsky [Thu, 3 Jan 2013 12:27:27 +0000 (13:27 +0100)]
Bug 824616: The urlbase field in global/header.html.tmpl must be filtered
Hugo [Thu, 29 Nov 2012 19:21:19 +0000 (14:21 -0500)]
Bug 579189 - New methods added to Bugzilla/User.pm by bug 24896 have no POD
Dave Miller [Tue, 20 Nov 2012 19:08:58 +0000 (14:08 -0500)]
Bug 640756 - Make the documentation clearer that attachments created with Bug.add_attachment must by of type 'base64' when non-ASCII
Dave Lawrence [Tue, 13 Nov 2012 23:28:42 +0000 (18:28 -0500)]
Bump version post-release
Dave Lawrence [Tue, 13 Nov 2012 19:55:40 +0000 (14:55 -0500)]
Bump version to 4.0.9
Frédéric Buclin [Tue, 13 Nov 2012 17:42:46 +0000 (18:42 +0100)]
Bug 808845 (CVE-2012-5475): [SECURITY] Security vulnerability in YUI's swfstore.swf in YUI 2.8.2 and 2.9.0
Frédéric Buclin [Tue, 13 Nov 2012 17:37:32 +0000 (18:37 +0100)]
Bug 781850 (CVE-2012-4198): [SECURITY] Do not leak the existence of groups when using User.get()
Frédéric Buclin [Tue, 13 Nov 2012 17:24:24 +0000 (18:24 +0100)]
Bug 802204 (CVE-2012-4197): [SECURITY] Marking an attachment you cannot see as obsolete can disclose its description
Frédéric Buclin [Tue, 13 Nov 2012 17:10:31 +0000 (18:10 +0100)]
Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see
Frédéric Buclin [Fri, 2 Nov 2012 12:57:27 +0000 (13:57 +0100)]
Fix typo
Koosha Khajeh Moogahi [Fri, 2 Nov 2012 12:47:00 +0000 (13:47 +0100)]
Bug 807937: Fix POD
Frédéric Buclin [Tue, 30 Oct 2012 21:28:12 +0000 (22:28 +0100)]
Bug 805649: Release notes for Bugzilla 4.0.9
Frédéric Buclin [Sat, 13 Oct 2012 21:23:04 +0000 (23:23 +0200)]
Fix typo
Frédéric Buclin [Thu, 4 Oct 2012 15:55:48 +0000 (17:55 +0200)]
Bug 790909: Editing dependencies from the "Change Several Bugs at Once" page does not work as expected (bug IDs are incorrectly parsed)
Frédéric Buclin [Wed, 3 Oct 2012 17:40:17 +0000 (19:40 +0200)]
Bug 757935: Bugs with resolution MOVED cannot be edited
Reed Loden [Tue, 11 Sep 2012 19:17:35 +0000 (12:17 -0700)]
Bug 790215 - Flag names are not properly escaped when displayed on confirm user match page
Dave Lawrence [Thu, 30 Aug 2012 20:24:09 +0000 (16:24 -0400)]
Bumped version post-release
Dave Lawrence [Thu, 30 Aug 2012 19:01:53 +0000 (15:01 -0400)]
Bump version to 4.0.8
Reed Loden [Thu, 30 Aug 2012 18:28:58 +0000 (20:28 +0200)]
Bug 785470: (CVE-2012-3981) [SECURITY] Missing escaping of the username can lead to LDAP injection
Frédéric Buclin [Thu, 30 Aug 2012 18:18:44 +0000 (20:18 +0200)]
Bug 785522: [SECURITY] Block access to templates in extensions/
Frédéric Buclin [Wed, 29 Aug 2012 14:43:00 +0000 (16:43 +0200)]
Bug 786352: Release notes for Bugzilla 4.0.8
Frédéric Buclin [Mon, 27 Aug 2012 18:18:58 +0000 (20:18 +0200)]
Bug 785917: Custom field descriptions are not properly escaped when displayed as bug list column headers
Koosha Khajeh Moogahi [Fri, 3 Aug 2012 16:45:20 +0000 (12:45 -0400)]
Bug 682317 - Bug.create is incorrectly documented as ignoring invalid fields; it should say it produces an error
Dave Lawrence [Thu, 26 Jul 2012 22:45:48 +0000 (18:45 -0400)]
Bumped version post release
Dave Lawrence [Thu, 26 Jul 2012 21:31:09 +0000 (17:31 -0400)]
Bump version to 4.0.7
Frédéric Buclin [Thu, 26 Jul 2012 21:07:23 +0000 (23:07 +0200)]
Bug 777586: (CVE-2012-1969) [SECURITY] The description of private attachments is still visible to unauthorized users when mentioned in a comment
Frédéric Buclin [Thu, 26 Jul 2012 13:51:38 +0000 (15:51 +0200)]
Bug 777675: Release notes for Bugzilla 4.0.7
Koosha Khajeh Moogahi [Wed, 25 Jul 2012 21:39:46 +0000 (17:39 -0400)]
Bug 776103 - Syntax error in Bugzilla::User::Setting API doc
Frédéric Buclin [Wed, 27 Jun 2012 16:13:39 +0000 (18:13 +0200)]
Bug 768870: The "Un-forget the search" link has no token
Reed Loden [Tue, 29 May 2012 14:46:23 +0000 (07:46 -0700)]
Bug 754561 - Escape HTML in keywords in the auto-complete form
Byron Jones [Mon, 28 May 2012 16:54:21 +0000 (00:54 +0800)]
Bug 756314: Fix dropping of unique matches when the "confirm page" page is display.
Dave Lawrence [Wed, 18 Apr 2012 22:27:51 +0000 (15:27 -0700)]
Bumping the version post-release
Dave Lawrence [Wed, 18 Apr 2012 18:00:13 +0000 (11:00 -0700)]
Bump version to 4.0.6
Frédéric Buclin [Wed, 18 Apr 2012 17:02:22 +0000 (19:02 +0200)]
Bug 745397: (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see
Frédéric Buclin [Wed, 18 Apr 2012 16:51:47 +0000 (18:51 +0200)]
Bug 728639: (CVE-2012-0465) [SECURITY] User lockout policy can be bypassed by altering the X-FORWARDED-FOR header
Frédéric Buclin [Wed, 18 Apr 2012 14:51:25 +0000 (16:51 +0200)]
Bug 746547: SMALLSERIAL is of type INT2, not INT1
Frédéric Buclin [Tue, 17 Apr 2012 19:17:13 +0000 (21:17 +0200)]
Bug 741077: Update relnotes for 4.0.6
Frédéric Buclin [Thu, 12 Apr 2012 19:01:38 +0000 (21:01 +0200)]
Bug 741077: Release notes for Bugzilla 4.0.6
Matt Selsky [Thu, 22 Mar 2012 18:57:25 +0000 (19:57 +0100)]
Bug 733458: The "creator" argument is listed twice for the Bug.search WebService method
Emmanuel Seyman [Thu, 1 Mar 2012 22:54:24 +0000 (17:54 -0500)]
Bug 731725 - In the documentation license, the address of the FSF is incorrect
Byron Jones [Wed, 29 Feb 2012 04:47:25 +0000 (12:47 +0800)]
Bug 731219: Fix XMLRPC breakage when content-type contains a charset
Michal 'hramrach' Suchanek [Sat, 25 Feb 2012 14:21:17 +0000 (15:21 +0100)]
Bug 696352: Required fields have broken colors
Dave Lawrence [Wed, 22 Feb 2012 15:29:58 +0000 (10:29 -0500)]
Bumped the version number post-release
Dave Lawrence [Wed, 22 Feb 2012 15:28:03 +0000 (10:28 -0500)]
Bumped version to 4.0.5
Dave Lawrence [Wed, 22 Feb 2012 15:19:27 +0000 (10:19 -0500)]
Bug 725663 - (CVE-2012-0453) [SECURITY] CSRF vulnerability in the XML-RPC API when using mod_perl
Frédéric Buclin [Fri, 17 Feb 2012 20:12:07 +0000 (21:12 +0100)]
Bug 727893: Release notes for Bugzilla 4.0.5
Marc Schumann [Wed, 15 Feb 2012 17:53:56 +0000 (18:53 +0100)]
Test 1 fails if PERLLIB contains paths with whitespace.
Frédéric Buclin [Tue, 14 Feb 2012 22:03:37 +0000 (23:03 +0100)]
Bug 727240: The POD for Bug.attachments is wrong about the format of the returned data
Frédéric Buclin [Wed, 8 Feb 2012 15:55:03 +0000 (16:55 +0100)]
Bug 722161: Clickjacking is possible in "View All" with HTML attachments
Dave Lawrence [Tue, 31 Jan 2012 23:49:05 +0000 (18:49 -0500)]
Bump the version number post-release
Dave Lawrence [Tue, 31 Jan 2012 17:16:01 +0000 (12:16 -0500)]
Bumped to correct date
Dave Lawrence [Tue, 31 Jan 2012 16:43:19 +0000 (11:43 -0500)]
Bumped to version 4.0.4
Frédéric Buclin [Tue, 31 Jan 2012 16:03:30 +0000 (17:03 +0100)]
Bug 718319: (CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and can lead to CSRF (no victim's action required)
Frédéric Buclin [Tue, 31 Jan 2012 15:43:18 +0000 (16:43 +0100)]
Bug 714472: (CVE-2012-0448) [SECURITY] utf8 homoglyphs are allowed in email addresses, which could allow an attacker to be CC'ed to private bugs by accident
Dave Lawrence [Fri, 27 Jan 2012 22:04:01 +0000 (17:04 -0500)]
Bug 720752 - Release notes for Bugzilla 4.0.4
Matt Selsky [Sat, 21 Jan 2012 11:06:31 +0000 (12:06 +0100)]
Bug 469068: SMTP parameters not documented
Dave Lawrence [Thu, 12 Jan 2012 22:11:56 +0000 (17:11 -0500)]
Bug 715733 - When deleting a user account, related data in the profile_search table is not removed
A. Shimono [Wed, 11 Jan 2012 12:23:34 +0000 (13:23 +0100)]
Bug 591638: In the admin page, the link to edit field values is named 'Field Values', not 'Legal Values'
Dave Lawrence [Wed, 11 Jan 2012 06:01:19 +0000 (01:01 -0500)]
Bug 715650 - User auto-completion does not work in request.cgi for requester and requestee as expected
Frédéric Buclin [Tue, 10 Jan 2012 00:03:49 +0000 (01:03 +0100)]
Bug 716283: Clickjacking in the attachment "Details" page allows to bypass token checks
Matt Selsky [Fri, 6 Jan 2012 10:02:33 +0000 (11:02 +0100)]
Bug 319684: The documentation is unclear about how to disable quips
Matt Selsky [Fri, 6 Jan 2012 09:48:15 +0000 (10:48 +0100)]
Bug 641957: The documentation should mention that the voting system is now an extension
Frédéric Buclin [Fri, 6 Jan 2012 09:33:16 +0000 (10:33 +0100)]
Bug 715705: User auto-completion doesn't work for watched users in the email prefs tab
Frédéric Buclin [Fri, 6 Jan 2012 00:06:06 +0000 (01:06 +0100)]
Bug 714664: The content of the "emailregexpdesc" parameter is not escaped when displayed to the user
Frédéric Buclin [Thu, 5 Jan 2012 00:46:36 +0000 (01:46 +0100)]
Bug 706753: Bugzilla will not work with newest version of JSON::RPC 1.01 due to non-backward compatibility
Dave Lawrence [Thu, 29 Dec 2011 17:58:14 +0000 (12:58 -0500)]
Bump the version number post-release
Dave Lawrence [Wed, 28 Dec 2011 23:09:51 +0000 (18:09 -0500)]
Bump version for 4.0.3
Frédéric Buclin [Wed, 28 Dec 2011 22:16:57 +0000 (23:16 +0100)]
Bug 711714: (CVE-2011-3667) [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
Byron Jones [Wed, 28 Dec 2011 21:57:33 +0000 (16:57 -0500)]
Bug 697699 - (CVE-2011-3657) [SECURITY] XSS when viewing new charts or tabular and graphical reports in debug mode
Frédéric Buclin [Wed, 28 Dec 2011 16:44:20 +0000 (17:44 +0100)]
Bug 713345: Release notes for Bugzilla 4.0.3
Frédéric Buclin [Thu, 15 Dec 2011 15:19:10 +0000 (16:19 +0100)]
Bug 707428: Custom field values whose visibility depends on another field value do not remain selected after editing a bug
Frédéric Buclin [Thu, 8 Dec 2011 23:20:02 +0000 (00:20 +0100)]
Bug 644281: When the sort order of a buglist is modified, the "Show next bug in my list" user pref still uses the original sort order to decide which bug to display next
Frédéric Buclin [Thu, 8 Dec 2011 22:48:37 +0000 (23:48 +0100)]
Bug 707170: Several features about custom fields are missing in the documentation
Frédéric Buclin [Tue, 6 Dec 2011 12:00:50 +0000 (13:00 +0100)]
Bug 657290: Bug.add_attachment() stores truncated timestamps in the DB (seconds are missing)
Frédéric Buclin [Tue, 6 Dec 2011 11:51:39 +0000 (12:51 +0100)]
Bug 550299: User fields are left blank in buglists and whines when local user accounts are used (i.e. they have no @company.com suffix)
Matt Selsky [Mon, 5 Dec 2011 21:27:18 +0000 (22:27 +0100)]
Bug 692354: Incorrect parameter type in WebServices documentation for Bug.add_comment
Byron Jones [Mon, 5 Dec 2011 16:43:18 +0000 (00:43 +0800)]
Bug 707594: Fix broken account lockout notifications
Frédéric Buclin [Mon, 5 Dec 2011 16:15:26 +0000 (17:15 +0100)]
Bug 701350: Oracle crashes if the 'maxattachmentsize' parameter is set to a too small value
Frédéric Buclin [Fri, 2 Dec 2011 16:36:05 +0000 (17:36 +0100)]
Bug 591610: Custom field doc doesn't include 'Bug ID' type
Frédéric Buclin [Fri, 2 Dec 2011 16:31:35 +0000 (17:31 +0100)]
Bug 591636: "is mandatory" is not documented in the Custom Fields section
Frédéric Buclin [Tue, 29 Nov 2011 16:03:36 +0000 (17:03 +0100)]
Bug 706118: Session token not deleted during a bug mass-change
Frédéric Buclin [Sun, 27 Nov 2011 23:00:20 +0000 (00:00 +0100)]
Bug 277073: Make whining trap errors thrown by Search.pm
projects / thirdparty / bugzilla.git / log
