git.ipfire.org Git - thirdparty/bugzilla.git/log
Dave Miller [Tue, 3 Sep 2024 15:25:54 +0000 (11:25 -0400)]
bump version to 4.4.14 for release
Dave Miller [Thu, 29 Aug 2024 11:02:47 +0000 (07:02 -0400)]
Bug 1813629: Prevent Auth plugins from authenticating usernames with unicode variants
Co-authored-by: David Lawrence <dkl@mozilla.com>
Dave Miller [Thu, 29 Aug 2024 11:02:08 +0000 (07:02 -0400)]
Bug 1439260: XSS in chart.cgi and report.cgi
Dave Miller [Tue, 3 Sep 2024 11:22:40 +0000 (07:22 -0400)]
Bug 1786715: Release notes for Bugzilla 4.4.14 (#179)
Dave Miller [Mon, 26 Aug 2024 01:28:20 +0000 (21:28 -0400)]
Bug 1897545: User-friendly pull request template (#188)
a=dylan
Dave Miller [Tue, 20 Aug 2024 02:45:19 +0000 (22:45 -0400)]
[4.4] Bug 1852154: Warn admin if end-of-support date is approaching (#190)
Dave Miller [Sat, 11 May 2024 18:10:58 +0000 (14:10 -0400)]
Bug 1851352: Email::Address dependency missing (#173)
Dave Miller [Sat, 18 Nov 2023 08:33:38 +0000 (03:33 -0500)]
Bug 1560873: blacklist broken versions of Template-Toolkit (#133)
Dave Miller [Thu, 14 Sep 2023 11:29:58 +0000 (06:29 -0500)]
Bug 1852497: Use actions/checkout@v4 in GitHub Actions (#151)
Dave Miller [Sat, 10 Sep 2022 20:30:25 +0000 (16:30 -0400)]
Bug 1785938: Make tests work in GHA on 4.4 branch (#110)
* run tests on 4.4 branch
* fix new perl compat in tests
Dave Miller [Thu, 16 Dec 2021 23:44:27 +0000 (18:44 -0500)]
Bug 1657496: correctly handle MIME type on single-part email. r=eseyman, a=justdave
David Lawrence [Fri, 16 Feb 2018 19:23:07 +0000 (14:23 -0500)]
Bumped versions post-release
David Lawrence [Fri, 16 Feb 2018 16:31:32 +0000 (11:31 -0500)]
Bumped version to 4.4.13
David Lawrence [Fri, 16 Feb 2018 16:30:53 +0000 (11:30 -0500)]
Bug 1438594: Release notes for Bugzilla 4.4.13
r/a=dylan
Dylan William Hardison [Fri, 16 Feb 2018 16:29:47 +0000 (11:29 -0500)]
Bug 1433400 (CVE-2018-5123) Prevent cross-site image requests from leaking contents of certain fields due to regex search
r=jfearn,a=dylan
Andrea Orsini [Mon, 19 Sep 2016 15:14:14 +0000 (11:14 -0400)]
Bug 1303702 - bug history table 'when' column shows 00:00 only using sqlite
r/a=dylan
David Lawrence [Wed, 7 Sep 2016 17:53:00 +0000 (13:53 -0400)]
- New CI docker image for testing
David Lawrence [Mon, 16 May 2016 20:04:29 +0000 (20:04 +0000)]
Bumped version post-release
David Lawrence [Mon, 16 May 2016 18:46:54 +0000 (18:46 +0000)]
Bumped version to 4.4.12
Frédéric Buclin [Mon, 16 May 2016 18:24:46 +0000 (20:24 +0200)]
Bug 1253263 - (CVE-2016-2803) [SECURITY] XSS vulnerability in dependency graphs via bug summary
r/a=dkl
Frédéric Buclin [Fri, 13 May 2016 18:34:38 +0000 (20:34 +0200)]
Bug 1269389 - Release notes for Bugzilla 4.4.12
r=dkl
Frédéric Buclin [Fri, 13 May 2016 18:30:42 +0000 (20:30 +0200)]
Bug 1246228 - Email addresses must not be encoded
r/a=dkl
Dylan William Hardison [Fri, 13 May 2016 17:34:19 +0000 (13:34 -0400)]
Bug 1250114 - XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled
David Lawrence [Mon, 2 May 2016 14:30:07 +0000 (10:30 -0400)]
Add build.platform = linux64, machine.platform = linux64 to taskgraph.json to remove b2gtest from Treeherder results
Frédéric Buclin [Mon, 25 Apr 2016 21:39:50 +0000 (23:39 +0200)]
Bug 1259881 - CSV export vulnerable to formulae injection (again)
r=sgreen a=dkl
David Lawrence [Mon, 22 Feb 2016 20:48:37 +0000 (20:48 +0000)]
- task.expires needs to be greater than artifacts.expires
David Lawrence [Mon, 22 Feb 2016 15:24:52 +0000 (15:24 +0000)]
- Update artifact expiration date
David Lawrence [Tue, 22 Dec 2015 21:50:40 +0000 (21:50 +0000)]
Bumped version post-release
David Lawrence [Tue, 22 Dec 2015 20:58:40 +0000 (20:58 +0000)]
Revert "Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error"
This reverts commit fc5cdf3a7f7b40faca8c0efeb567cdd21376460a.
David Lawrence [Tue, 22 Dec 2015 19:15:25 +0000 (19:15 +0000)]
Bumped version to 4.4.11
Dylan Hardison [Tue, 22 Dec 2015 18:34:38 +0000 (13:34 -0500)]
Bug 1232785 - [SECURITY] Buglists in CSV format can be parsed as valid javascript in some browsers
r=dkl,a=dkl
Frédéric Buclin [Tue, 22 Dec 2015 17:59:31 +0000 (18:59 +0100)]
Bug 1221518: (CVE-2015-8508) [SECURITY] XSS in dependency graphs when displaying the bug summary
r/a=dkl
Dylan Hardison [Tue, 22 Dec 2015 16:53:56 +0000 (11:53 -0500)]
Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error
r=dkl,a=dkl
Frédéric Buclin [Tue, 22 Dec 2015 15:47:10 +0000 (16:47 +0100)]
Update release notes
Matt Tyson [Wed, 16 Dec 2015 00:38:41 +0000 (00:38 +0000)]
Bug 1160394 - Products.get_products is missing from PUBLIC_METHODS (for backwards compatibility)
r=LpSolit,a=dkl
Frédéric Buclin [Fri, 11 Dec 2015 18:47:50 +0000 (19:47 +0100)]
Release notes for Bugzilla 4.4.11
r=dkl
Frédéric Buclin [Tue, 1 Dec 2015 23:14:53 +0000 (00:14 +0100)]
Back out bug 1138463. This fix is actually incorrect and the bug was correctly fixed by bug 1223790
a=dkl on IRC
Frédéric Buclin [Thu, 19 Nov 2015 23:45:35 +0000 (00:45 +0100)]
Bug 1223790: "AllowOverride AuthConfig" is required to use the "Require" directive in .htaccess
r=gerv a=dkl
David Lawrence [Thu, 10 Sep 2015 21:39:08 +0000 (17:39 -0400)]
Bumped version post-release
David Lawrence [Thu, 10 Sep 2015 17:44:09 +0000 (13:44 -0400)]
Bumped version to 4.4.10
Byron Jones ‹:glob› [Thu, 10 Sep 2015 17:27:44 +0000 (13:27 -0400)]
Bug 1202447: [SECURITY] The email address is not properly validated during registration if longer than 127 characters
r=LpSolit,a=justdave
Frédéric Buclin [Wed, 9 Sep 2015 22:02:37 +0000 (00:02 +0200)]
Bug 1202464: Release notes for Bugzilla 4.4.10
r=dkl
Byron Jones [Sat, 29 Aug 2015 09:46:40 +0000 (11:46 +0200)]
Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
r=LpSolit a=justdave
David Lawrence [Tue, 11 Aug 2015 21:57:09 +0000 (17:57 -0400)]
Taskcluster infrastructure improvements and cleanup
Frédéric Buclin [Fri, 5 Jun 2015 09:07:24 +0000 (11:07 +0200)]
Bug 1124401: Explicitly depend on DateTime::TimeZone::Local::Win32 on Windows
r=dylan a=glob
Byron Jones [Thu, 4 Jun 2015 13:46:42 +0000 (21:46 +0800)]
Bug 1134743: javascript filter should escape unicode line and paragraph separators (causes "Unterminated string literal" javascript error)
r=dylan,a=glob
Jeff Fearn [Mon, 18 May 2015 04:38:47 +0000 (12:38 +0800)]
Bug 1162334: email_enabled value inverted in User.update RPC call
r=glob,a=glob
Frédéric Buclin [Fri, 24 Apr 2015 16:48:33 +0000 (18:48 +0200)]
Bug 1157405: Bugzilla.parameters is not accessible when requirelogin = 1 and the user is not logged in
r=dkl a=glob
David Lawrence [Wed, 15 Apr 2015 19:33:11 +0000 (20:33 +0100)]
Bump version post-release
David Lawrence [Wed, 15 Apr 2015 16:00:49 +0000 (17:00 +0100)]
Bumped version to 4.4.9
David Lawrence [Wed, 15 Apr 2015 03:02:59 +0000 (04:02 +0100)]
Bug 1154316: Release notes for 4.4.9
r=LpSolit,a=dkl
Matt Tyson [Tue, 14 Apr 2015 23:39:13 +0000 (01:39 +0200)]
Bug 1154099: Bug.get_bugs and Bug.get_history are missing from PUBLIC_METHODS (for backwards compatibility)
r=LpSolit a=glob
Simon Green [Mon, 13 Apr 2015 20:35:28 +0000 (21:35 +0100)]
Bug 1151290: It is possible to tell if someone made a private comment on a bug even if you are not an 'insider'
r=dkl,a=glob
Frédéric Buclin [Mon, 16 Mar 2015 17:18:49 +0000 (18:18 +0100)]
Bug 1137669: 003safesys.t doesn't test any file due to a missing -T argument
r=dylan a=glob
Frédéric Buclin [Wed, 11 Mar 2015 17:26:25 +0000 (18:26 +0100)]
Bug 1138463: mod_perl does not support Apache 2.4 directives
r=dkl a=glob
David Lawrence [Tue, 3 Mar 2015 20:00:56 +0000 (15:00 -0500)]
(TaskCluster) Allow retrieval of the selenium.log for Selenium tests
David Lawrence [Tue, 24 Feb 2015 23:28:28 +0000 (23:28 +0000)]
Initial checking of taskgraph.json for TaskCluster CI
Frédéric Buclin [Fri, 20 Feb 2015 12:05:19 +0000 (13:05 +0100)]
Bug 1133690: .htaccess incorrectly assumes that Apache 2.2.x can read new 2.4 directives
r=dkl a=glob
Frédéric Buclin [Tue, 17 Feb 2015 20:36:30 +0000 (21:36 +0100)]
Bug 1132887: When starting a sudo session, the password is not validated
r=dkl a=glob
Frédéric Buclin [Tue, 17 Feb 2015 20:30:05 +0000 (21:30 +0100)]
Bug 1112181: Relative dates in the future involving months are incorrectly converted
r=dylan a=glob
Gervase Markham [Tue, 17 Feb 2015 17:21:48 +0000 (17:21 +0000)]
Bug 1132862 - Update README; add LICENSE file. r,a=glob
David Lawrence [Tue, 17 Feb 2015 02:31:17 +0000 (21:31 -0500)]
- Force use of PostgreSQL 9.1
- Configure DB users in travis.yml
Byron Jones [Mon, 16 Feb 2015 04:17:48 +0000 (12:17 +0800)]
Bug 651786: Modifying the default user object modifies the DEFAULT_USER constant
r=sgreen,a=glob
Jochen Wiedmann [Mon, 2 Feb 2015 16:34:21 +0000 (16:34 +0000)]
Bug 1121477: Support for Apache HTTPD 2.4
r=dkl,a=glob
Frédéric Buclin [Wed, 28 Jan 2015 16:06:01 +0000 (17:06 +0100)]
Fix typo
David Lawrence [Tue, 27 Jan 2015 20:01:23 +0000 (20:01 +0000)]
Bump version post-release
David Lawrence [Tue, 27 Jan 2015 15:53:10 +0000 (15:53 +0000)]
Bumped version to 4.4.8
David Lawrence [Tue, 27 Jan 2015 15:43:02 +0000 (15:43 +0000)]
Bug 1125186: Release notes for 4.4.8
r=justdave,a=dkl
David Lawrence [Fri, 23 Jan 2015 17:13:32 +0000 (17:13 +0000)]
Bug 1124716: regression caused by bug 1090275 to whitelist webservice methods causes test failures with t/012throwables.t
r=dylan,a=glob
Albert Ting [Thu, 22 Jan 2015 12:10:44 +0000 (12:10 +0000)]
Bug 1116614: checksetup "use lib" called too late. r=gerv, a=glob.
David Lawrence [Wed, 21 Jan 2015 22:30:09 +0000 (22:30 +0000)]
Bump version post-release
David Lawrence [Wed, 21 Jan 2015 21:09:16 +0000 (21:09 +0000)]
Bumped version to 4.4.7
David Lawrence [Wed, 21 Jan 2015 20:41:11 +0000 (20:41 +0000)]
Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of allowing access to any function imported into its namespace
r=dylan,a=glob
Gervase Markham [Wed, 21 Jan 2015 20:22:21 +0000 (20:22 +0000)]
Bug 1079065: [SECURITY] Always use the 3 arguments form for open() to prevent shell code injection
r=dylan,a=simon
Frédéric Buclin [Mon, 19 Jan 2015 21:33:04 +0000 (22:33 +0100)]
Fix an obsolete ID
David Lawrence [Mon, 19 Jan 2015 20:33:44 +0000 (20:33 +0000)]
Bug 1118984: Release notes for 4.4.7
r=LpSolit,a=glob
Frédéric Buclin [Mon, 5 Jan 2015 18:30:57 +0000 (19:30 +0100)]
Bug 1085182: Bugzilla::Bug->check must check that a bug ID is defined when it gets a hashref
r=dkl a=glob
Frédéric Buclin [Tue, 23 Dec 2014 10:02:20 +0000 (11:02 +0100)]
Bug 1106653: Truncate the field-* and type-* values in error messages
r=dkl a=glob
Frédéric Buclin [Wed, 17 Dec 2014 19:42:10 +0000 (20:42 +0100)]
Bug 1111043: Bug.add_comment returns the wrong comment ID
r/a=dkl
David Lawrence [Thu, 20 Nov 2014 15:16:33 +0000 (15:16 +0000)]
Bug 1101151: OS sniffing should detect Windows 10 from "Windows NT 6.4" instead of detecting Windows NT
r=LpSolit,a=glob
Frédéric Buclin [Wed, 19 Nov 2014 17:23:22 +0000 (18:23 +0100)]
Bug 1097798: Do not display the resolution in the dependency tree for open bugs, nor the target milestone if usetargetmilestone is off
r=dkl a=glob
David Lawrence [Wed, 12 Nov 2014 16:58:12 +0000 (16:58 +0000)]
Bug 1001462: Bug.search causes error when using simple token auth and specifying 'token' instead of 'Bugzilla_token'
r=glob,a=glob
David Lawrence [Tue, 4 Nov 2014 19:21:11 +0000 (19:21 +0000)]
Bug 1082106: $dbh->bz_add_columns creates a foreign key constraint causing failure in checksetup.pl when it tries to re-add it later
r=glob,a=glob
Frédéric Buclin [Mon, 27 Oct 2014 10:47:25 +0000 (11:47 +0100)]
Bug 1087400: CGI 4.05 throws tons of "CGI::param called in list context" warnings
r/a=glob
Frédéric Buclin [Mon, 27 Oct 2014 10:44:53 +0000 (11:44 +0100)]
Bug 1088483: Remove references to the "enable bug tagging" preference from the documentation
r=gerv a=glob
Frédéric Buclin [Wed, 22 Oct 2014 01:15:20 +0000 (03:15 +0200)]
Bug 1033068: The "unknown_action" error message could confuse the user
r=dkl a=sgreen
David Lawrence [Tue, 21 Oct 2014 13:58:58 +0000 (13:58 +0000)]
Bug 1082882: custom date field not recognized as date type in advanced search
r=glob,a=glob
Frédéric Buclin [Tue, 21 Oct 2014 10:09:31 +0000 (12:09 +0200)]
Bug 1083737: Validate the smtpserver parameter
r=dkl a=glob
Byron Jones [Thu, 16 Oct 2014 07:31:53 +0000 (15:31 +0800)]
Bug 1082887: comments made when setting a flag from the attachment details page are not included in the "flag updated" email
r=dkl,a=glob
Simon Green [Wed, 8 Oct 2014 03:02:24 +0000 (13:02 +1000)]
Bug 1009406 - A user with local editcomponents privs cannot update the inclusion and exclusion lists when the flagtype is already restricted to products the user cannot edit
r=dkl, a=simon
David Lawrence [Mon, 6 Oct 2014 18:36:39 +0000 (18:36 +0000)]
Bump version post-release
David Lawrence [Mon, 6 Oct 2014 15:24:58 +0000 (15:24 +0000)]
Bump version to 4.4.6
Simon Green [Mon, 6 Oct 2014 15:03:41 +0000 (15:03 +0000)]
Bug 1054702: CSV export vulnerable to formulae injection
r=glob,a=glob
Simon Green [Mon, 6 Oct 2014 14:47:38 +0000 (14:47 +0000)]
Bug 1064140: [SECURITY] Private comments can be shown to flagmail recipients who aren't in the insider group
r=glob,a=glob
Frédéric Buclin [Mon, 6 Oct 2014 14:35:25 +0000 (14:35 +0000)]
Bug 1074980: Forbid the { foo => $cgi->param() } syntax to prevent data override
r=dkl,a=sgreen
Frédéric Buclin [Mon, 6 Oct 2014 14:27:01 +0000 (14:27 +0000)]
Bug 1075578: [SECURITY] Improper filtering of CGI arguments
r=dkl,a=sgreen
David Lawrence [Mon, 6 Oct 2014 14:16:24 +0000 (14:16 +0000)]
Bug 1072490: Release notes for 4.4.6
r=LpSolit,a=sgreen
Simon Green [Wed, 1 Oct 2014 11:00:23 +0000 (21:00 +1000)]
Bug 1069760 - Cannot use 'component' in a template
r=gerv, a=justdave
Frédéric Buclin [Wed, 1 Oct 2014 10:07:34 +0000 (12:07 +0200)]
Fix bustage due to bug 1061247
Reed Loden [Wed, 1 Oct 2014 05:37:11 +0000 (22:37 -0700)]
Bug 1061247 - Successfully using a password change token should invalidate all other password change tokens for that user
r=gerv a=glob