We released Bugzilla 4.0.1 last night which fixes several annoying bugs, including several regressions. The RPM package should be upgraded to this version.
Assignee: bugsquad => dmorganec
Closing.
*** This bug has been marked as a duplicate of bug 40 ***
Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE
No, that's not the same bug. Bug 40 is about upgrading bugs.mageia.org to 4.0.1. This bug is about upgrading the Bugzilla RPM available in Cauldron.
Status: RESOLVED => REOPENED
Resolution: DUPLICATE => (none)
Sorry, I misread.
CC: (none) => marcello.anni
Bugzilla 4.0.2 contains several security fixes, see the security advisory: http://www.bugzilla.org/security/3.4.11/. So those running bugzilla-4.0-1.mga1.noarch.rpm are vulnerable.
Status: REOPENED => NEW
Summary: Upgrade the Bugzilla RPM to 4.0.1 => Upgrade the Bugzilla RPM to 4.0.2
Source RPM: bugzilla-4.0 => bugzilla-4.0-1.mga1.noarch.rpm
dmorgan: not only does my comment 4 still stand (security issues in 4.0 and 4.0.1), but I saw that kharec uploaded perl-version-0.930.0-1.mga2, which makes Bugzilla < 4.0.3 fail. So you have to upgrade to 4.0.2 + apply my patch from https://bugzilla.mozilla.org/show_bug.cgi?id=678772 (checked in upstream yesterday). This patch will be in Bugzilla 4.0.3. Increasing severity (due to security bugs) and priority (because Bugzilla is now broken in Cauldron).
Priority: Normal => High
Severity: normal => major
dmorgan, instead of the ugly http://svnweb.mageia.org/packages/cauldron/bugzilla/current/SOURCES/bugzilla-4.0-fhs.patch?revision=46838&view=markup patch, you could use my module (https://bugzilla.mozilla.org/show_bug.cgi?id=679965). It doesn't require any code change upstream. You could ship it with the Bugzilla RPM.
Fixed on cauldron, using your patches. Thanks.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Doesn't work at all. There are several mistakes:
- In the fake Bugzilla.pm, $bz_root_dir must be '/usr/share/bugzilla/lib', not '/usr/share/bugzilla'.
- checksetup.pl is the only script which doesn't |use Bugzilla;| and so you still have to include /usr/share/bugzilla/lib in its |use lib (. lib);| call. All other scripts (both .pl and .cgi) are fine.
- You forgot to fix paths in Bugzilla::Constants::bz_locations() and so no file can be found by Bugzilla.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Assignee: dmorganec => olav
Target Milestone: --- => Mageia 1
Created attachment 808 [details]
Fix Filesystem.pm, v1
The t/ xt/ and contrib/ directories do not exist on Mageia, making checksetup.pl fail.
bugzilla-4.0.2-5.mga2 is working fine. bkor: could you upload it to update_testing for Mageia 1 too, please? :)
Could you check -7 first?
(In reply to comment #12)
> Could you check -7 first?
Looks good.
Status: REOPENED => ASSIGNED
Pushed -7 to 1/updates_testing. Please check.
Assignee: olav => qa-bugs
Created attachment 814 [details]
Screenshot showing bug entered.
As shown, bugzilla is working here. I installed bugzilla and bugzilla-contrib. I ran /usr/share/bugzilla/bin/checksetup.pl (ignored the warning about perl-DBD-Oracle not being found). Edited /etc/bugzilla/localconfig to set a password for the bugs user. Used webmin to create a mysql bugs user with all permissions. Confirmed I could access mysql with "mysql -u bugs -p". Ran checksetup.pl again. It created the mysql databases, and I provided an admin email address and password. I then connected to http://hodgins.homeip.net/bugzilla, followed the prompts to update the url-base, etc., and then entered a test bug. Anything further that should be tested? This is on i586, for the srpm bugzilla-4.0.2-7.1.mga1.src.rpm
x86_64: Set up and added a bug, updated and added another one. Added attachments OK. Messed around with the preferences. No obvious faults found. Update validated.
Advisory
----------------
This is a security update for the bugzilla package. It provides fixes for several security vulnerabilities including:
* Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing when viewing a patch in "Raw Unified" mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment.
* It is possible to determine whether or not certain group names exist while creating or updating bugs; and in Bugzilla 4.1.1 and 4.1.2, also by using custom searches.
* Attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications sent to the requestee or the requester when editing an attachment flag.
* If an attacker has access to a user's session, he can modify that user's email address without that user being notified of the change.
* Temporary files for uploaded attachments are not deleted on Windows, which could let a user with local access to the server read them.
* Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack.
For a complete list please see: http://www.bugzilla.org/security/3.4.11/
----------------
SRPM: bugzilla-4.0.2-7.1.mga1.src.rpm
Could sysadmin please push from core/updates_testing to core/updates
Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Version: Cauldron => 1
(In reply to comment #15)
> Created attachment 814 [details]
> Screenshot showing bug entered.
Fortunately Bugzilla looks nicer than that in a "normal" browser. :-p
(In reply to comment #16)
> Advisory
> ----------------
Don't you usually include the CVE references in the security advisories?
We're usually given a suggested advisory to work from. I thought I did well! Feel free to add them :)
Advisory
This is a security update for the bugzilla package. It provides fixes for several security vulnerabilities including:
* Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing when viewing a patch in "Raw Unified" mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment. CVE-2011-2379
* It is possible to determine whether or not certain group names exist while creating or updating bugs; and in Bugzilla 4.1.1 and 4.1.2, also by using custom searches. CVE-2011-2380, CVE-2011-2979
* Attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications sent to the requestee or the requester when editing an attachment flag. CVE-2011-2381
* If an attacker has access to a user's session, he can modify that user's email address without that user being notified of the change. CVE-2011-2978
* Temporary files for uploaded attachments are not deleted on Windows, which could let a user with local access to the server read them. CVE-2011-2977
* Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack. CVE-2011-2976
For a complete list please see: http://www.bugzilla.org/security/3.4.11/
https://bugs.mageia.org/show_bug.cgi?id=1040
Could someone from the sysadmin team please push the srpm bugzilla-4.0.2-7.1.mga1.src.rpm from core/updates_testing to core/updates
CC: (none) => davidwhodgins
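The newline header-injection item in the advisory above (CVE-2011-2381) in miniature, as an added example and not Bugzilla's own code: a notification builder that splices the attachment description into a mail header verbatim, the header split a sending MTA would perform on the result, and a hardened variant that strips line breaks first. The function names and the sample descriptions are constructed for this illustration and do not come from the Bugzilla source.

```python
import re

# Constructed sample inputs (not taken from Bugzilla): a harmless description
# and one that smuggles an extra header by way of an embedded newline.
BENIGN_DESC = "Fix Filesystem.pm, v1"
MALICIOUS_DESC = "Fix Filesystem.pm, v1\nBcc: attacker@example.invalid"


def render_flag_mail_vulnerable(description, requestee):
    """Naive notification (hypothetical): the untrusted description is put into
    a header line as-is, so a CR/LF inside it terminates the Subject header and
    whatever follows is parsed as a new header."""
    return (
        "To: " + requestee + "\n"
        "Subject: Flag request on attachment: " + description + "\n"
        "\n"
        "Please review the attachment.\n"
    )


def sanitize_header_value(value):
    """Collapse CR, LF and the Unicode line separators some mailers honour into
    a single space, so the value can never end the header line it sits in."""
    return re.sub(r"[\r\n\u2028\u2029]+", " ", value).strip()


def render_flag_mail_hardened(description, requestee):
    """Same notification with every untrusted value sanitized before it is
    placed in a header (the recipient address included)."""
    return (
        "To: " + sanitize_header_value(requestee) + "\n"
        "Subject: Flag request on attachment: " + sanitize_header_value(description) + "\n"
        "\n"
        "Please review the attachment.\n"
    )


def parse_headers(message):
    """Minimal RFC 5322-style header split, as an MTA would see the message:
    everything before the first blank line, one 'Name: value' per line."""
    head, _, _body = message.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    for label, render in (("vulnerable", render_flag_mail_vulnerable),
                          ("hardened", render_flag_mail_hardened)):
        hdrs = parse_headers(render(MALICIOUS_DESC, "reviewer@example.invalid"))
        print(label, "-> injected Bcc present:", "Bcc" in hdrs)
```

The check to carry over to a real deployment is the sanitizer's placement: it has to run on every value that reaches a header, not just the description, since the requester and requestee addresses are user-controlled too.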
Pushed to updates.
Status: ASSIGNED => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)