Upstream has issued an advisory on September 10:
https://www.bugzilla.org/security/4.2.14/
Updated packages uploaded for Mageia 5 and Cauldron.
Advisory:
========================
Updated bugzilla packages fix security vulnerability:
Login names (usually an email address) longer than 127 characters are silently truncated in MySQL which could cause the domain name of the email address to be corrupted. An attacker could use this vulnerability to create an account with an email address different from the one originally requested. The login name could then be automatically added to groups based on the group's regular expression setting (CVE-2015-4499).
The bugzilla package has been updated to version 4.4.10, fixing this issue and a few other bugs.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4499
https://www.bugzilla.org/security/4.2.14/
https://www.bugzilla.org/releases/4.4.10/release-notes.html
========================
Updated packages in core/updates_testing:
========================
bugzilla-4.4.10-1.mga5.noarch.rpm
bugzilla-contrib-4.4.10-1.mga5.noarch.rpm
from bugzilla-4.4.10-1.mga5.src.rpm
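The truncation described in the advisory for CVE-2015-4499, modelled as an added example that is not part of the original report or of Bugzilla's code: it contrasts a store that silently truncates with one that rejects over-long login names before the group regular expression is evaluated. The 127-character limit comes from the advisory; the group pattern, the `trusted.example` domain and all function names are assumptions made for illustration.

```python
import re

LOGIN_COLUMN_MAX = 127  # limit named in the advisory; longer values were truncated

# Constructed group setting: accounts whose login matches are added automatically.
GROUP_REGEX = re.compile(r"^[^@\s]+@trusted\.example$")


def store_truncating(login: str) -> str:
    """Model a non-strict insert: excess characters are silently dropped."""
    return login[:LOGIN_COLUMN_MAX]


def store_strict(login: str) -> str:
    """Hardened path: refuse any value that would not be stored verbatim."""
    if len(login) > LOGIN_COLUMN_MAX:
        raise ValueError(f"login name exceeds {LOGIN_COLUMN_MAX} characters")
    return login


def create_account(requested: str, store) -> dict:
    """Store the login, then evaluate group membership on the stored value,
    because that is the value later regex checks operate on."""
    stored = store(requested)
    return {
        "requested": requested,
        "stored": stored,
        "intact": stored == requested,
        "in_group": bool(GROUP_REGEX.match(stored)),
    }


def audit_logins(logins):
    """Heuristic audit: rows sitting exactly at the column limit may have been
    truncated before a length check existed and deserve manual review."""
    return [name for name in logins if len(name) == LOGIN_COLUMN_MAX]


# Constructed input: the first 127 characters end in "@trusted.example",
# the remainder belongs to the domain that was actually requested.
_local = "a" * (LOGIN_COLUMN_MAX - len("@trusted.example"))
LONG_LOGIN = _local + "@trusted.example.other.example"
```

With the truncating store the requested and stored addresses differ and the stored one matches the group pattern; with the strict store the request is rejected before anything is written.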
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=9088#c14
Whiteboard: (none) => has_procedure
*** Bug 16775 has been marked as a duplicate of this bug. ***
CC: (none) => bjarne.thomsen
Am I missing something? After running checksetup.pl http://localhost/bugzilla appears as text down the left hand side of the browser, as if theme or css is missing.
Apache error log shows numerous..
[cgi:error] [pid 2751] [client 127.0.0.1:42488] AH01215: (13)Permission denied: exec of ..
for various files in /usr/share/bugzilla/www/ for skins and js. File and directory read permissions seem ok, with read permission and +x on directories, and /etc/httpd/conf/sites.d/bugzilla.conf has..
Alias /bugzilla/data /var/lib/bugzilla/
ScriptAlias /bugzilla /usr/share/bugzilla/www
<Directory /usr/share/bugzilla/www>
    Require all granted
    Options ExecCGI
    DirectoryIndex index.cgi
    AddHandler cgi-script .cgi .pl
</Directory>
Whiteboard: has_procedure => has_procedure feedback
(In reply to Thomas Backlund from comment #2)
> *** Bug 16775 has been marked as a duplicate of this bug. ***
Well, not exactly, since that bug was about updating our infrastructure and this one was about our package, but that's OK :o)
Fortunately for us, this bug doesn't affect us the way we have our private list set up, if I understand correctly.
MGA5 on HP Probook 6555b KDE Encountered installation issues: installing bugzilla draws in (amongst others) apache as one of its dependencies, but it misses out perl-carp and perl-cgi and mysql (mariadb). After that, there still seem to be some issues with the default configuration settings of bugzilla. I didn't get to the bottom of these yet.
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #6)
> MGA5 on HP Probook 6555b KDE
> Encountered installation issues: installing bugzilla draws in (amongst
> others) apache as one of its dependencies, but it misses out perl-carp and
> perl-cgi and mysql (mariadb).
mariadb can't be a dep as the user might want to use another db or have mariadb installed on another server, so we can't force it.
CC: (none) => tmb
@Thomas: the default config file states mysql, so why should a default not be configured properly by default? I think this discussion goes beyond the update approval question here.
By checking the bugzilla documentation, I found I had to manually install mod_perl as well. But now I get stuck: at the end of the checksetup.pl I get an error for the mysql connection, but at the CLI I can connect. See below:
Can't connect to the database.
Error: Access denied for user 'bugs'@'localhost' (using password: YES)
Is your database installed and up and running?
Do you have the correct username and password selected in localconfig?
[root@mach5 ~]# mysql -u bugs/bugger@localhost
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 82
Server version: 10.0.21-MariaDB Mageia MariaDB Server
Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
The password is all right in localconfig.
(In reply to Herman Viaene from comment #8)
> @Thomas: the default config file states mysql, so why should a default not
> be configured properly by default? I think this discussion goes beyond the
> update approval question here.
Yes, default config states mysql, but not that it has to be installed on the same local server... that was my point about not hard requiring it.
But the other deps that must be installed on the same server as bugzilla to make it work should probably be proper deps.
Does Bugzilla have a configuration option specifically for MariaDB? Moodle didn't used to, but because of the changes in MariaDB 10 (which we have in Mageia 5), they made one, since the MySQL driver didn't quite work correctly.
(In reply to David Walser from comment #10)
> Does Bugzilla have a configuration option specifically for MariaDB?
No. And it doesn't need one. Bugzilla works fine with MariaDB.
CC: (none) => LpSolit
URL: (none) => http://lwn.net/Vulnerabilities/659959/
The problem here is that Apache reports that /usr/share/bugzilla/www/js (and skins) have permission denied.
CC: (none) => mageia
Fedora has issued an advisory for this on October 28: https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169983.html
Preparing to try Mageia 5 x64, using Postgres database.
Installed bugzilla-4.4.9-1.mga5 & bugzilla-contrib-4.4.9-1.mga5 from normal repos. No dependency problems as reported by others; the things probably already in place.
The following Bugzilla installation-configuration pages are good:
https://bugzilla.readthedocs.org/en/5.0/installing/linux.html from 3.2.4 noting that the scripts directory is /usr/share/bugzilla/bin/
https://bugzilla.readthedocs.org/en/5.0/installing/apache.html
https://bugzilla.readthedocs.org/en/5.0/installing/mysql.html
https://bugzilla.readthedocs.org/en/5.0/installing/postgresql.html
So, I first set up the Postgres Bugzilla *user* 'bugs' (no need to set up the database):
# su - postgres
[postgres@localhost ~]$ createuser -U postgres -dRSP bugs    [-d allows D/B creation]
Enter password for new role:
Enter it again:
[postgres@localhost ~]$ exit
I then edited /var/lib/pgsql/data/pg_hba.conf as Bugzilla advise:
# vi /var/lib/pgsql/data/pg_hba.conf    [to add the line:
host all bugs 127.0.0.1 255.255.255.255 md5
However, I did *not* edit any Apache files. Should I have?
Ran for the first time:
# /usr/share/bugzilla/bin/checksetup.pl
which finishes "Please edit the file /etc/bugzilla/localconfig and then re-run checksetup.pl to complete your installation."
# vi /etc/bugzilla/localconfig    [altered lines:
$db_driver = 'Pg';    [from Mysql]
$db_user
$db_pass
Ran for the second time:
# /usr/share/bugzilla/bin/checksetup.pl
...
Enter the e-mail address of the administrator: <valid e-mail address>
Enter the real name of the administrator: <apparently first & second names>
Enter a password for the administrator account:
Please retype the password to verify:
<the given e-mail address> is now set up as an administrator.    [The LOGIN NAME]
...
"checksetup.pl complete."
Going to http://localhost/bugzilla/index.cgi showed the introductory page, but with no formatting, visual effects. Had lots of trouble logging in, but did eventually.
Logout left Bugzilla showing a blank page http://localhost/bugzilla/index.cgi?logout=1.
Tried:
# /usr/share/bugzilla/bin/testserver.pl http://localhost/bugzilla/
TEST-OK Webserver is running under group id in $webservergroup.
TEST-FAILED Fetch of images/padlock.png failed
Your web server could not fetch http://localhost/bugzilla/images/padlock.png.
Check your web server configuration and try again.
Like Comment 4, most things in /usr/share/bugzilla/www/ are root/root with correct permissions. Just skins/ and its subdirectories are different, root/apache with read restricted to user & group.
I found that my *home directory* had been hijacked to something like owner root group bugzilla! All the lower levels were still correct. Had to chown & chgroup it back to myself.
Need to sort the crude Bugzilla pages, and finish the post-install "last steps".
CC: (none) => lewyssmith
I am not keen on advancing with this until the visual aspect is sorted. Can anyone advise what to look at in the light of Comment 4 & Comment 14? What information to furnish? What permissions to fiddle? Once it is running correctly, the update should be easy to test.
I have been able to log in, and out, correctly. Perhaps the re-boot helped. I did not know what to put in the parameters page for base URL for bugs, so tried http://localhost/bugzilla/. And added a bug. It is difficult to use largely unformatted.
I am looking into this. I hope to finish this week.
MGA5-32 on Acer D620 Xfce
Tested on this laptop using mariadb and ran into the same problem as in my Comment 8.
Assigning back to Nicolas. Please reassign when ready. Thanks.
CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
Whiteboard: has_procedure feedback => has_procedure
We just released Bugzilla 4.4.11 with 2 new security issues: https://www.bugzilla.org/security/4.2.15/ http://seclists.org/bugtraq/2015/Dec/131
Thanks Frédéric!
The issues with the Apache config should, in theory, now be fixed.
Advisory:
========================
Updated bugzilla packages fix security vulnerabilities:
Login names (usually an email address) longer than 127 characters are silently truncated in MySQL which could cause the domain name of the email address to be corrupted. An attacker could use this vulnerability to create an account with an email address different from the one originally requested. The login name could then be automatically added to groups based on the group's regular expression setting (CVE-2015-4499).
During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap function generates. This could be used for a cross-site scripting attack (CVE-2015-8508).
If an external HTML page contains a <script> element with its src attribute pointing to a buglist in CSV format, some web browsers incorrectly try to parse the CSV file as valid JavaScript code. As the buglist is generated based on the privileges of the user logged into Bugzilla, the external page could collect confidential data contained in the CSV file (CVE-2015-8509).
The bugzilla package has been updated to version 4.4.11, fixing these issues and a few other bugs.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8509
https://www.bugzilla.org/security/4.2.14/
https://www.bugzilla.org/security/4.2.15/
https://www.bugzilla.org/releases/4.4.10/release-notes.html
https://www.bugzilla.org/releases/4.4.11/release-notes.html
========================
Updated packages in core/updates_testing:
========================
bugzilla-4.4.11-1.mga5.noarch.rpm
bugzilla-contrib-4.4.11-1.mga5.noarch.rpm
from bugzilla-4.4.11-1.mga5.src.rpm
Summary: bugzilla new security issue CVE-2015-4499 => bugzilla new security issues CVE-2015-4499, CVE-2015-8508, and CVE-2015-8509
CC: qa-bugs => (none)
Assignee: mageia => qa-bugs
Testing MGA5 x64 with Postgres - OK
This bug is curious in that no-one (myself Comments 14/15, Claire, Herman) got a satisfactory working Bugzilla installation from the issued version.
After updating to:
bugzilla-4.4.11-1.mga5
bugzilla-contrib-4.4.11-1.mga5
the whole system suddenly seems to work *and look* as it should. I added to an existing bug, added a second one, did typical routine things like 'my bugs'. So I am OKing this; but it would be better if a MariaDB/MySQL tester confirmed things.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
(In reply to Lewis Smith from comment #21)
> This bug is curious in that no-one (myself Comments 14/15, Claire, Herman)
> got a satisfactory working Bugzilla installation from the issued version.
That's because there were problems in the package, which I have since fixed.
Fedora has issued an advisory for this on January 7:
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175113.html
LWN reference for CVE-2015-8508 and CVE-2015-8509:
http://lwn.net/Vulnerabilities/671083/
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0006.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to Mageia Robot from comment #24)
> http://advisories.mageia.org/MGASA-2016-0006.html
Truncated advisory?
(In reply to Frédéric Buclin from comment #25)
> (In reply to Mageia Robot from comment #24)
> > http://advisories.mageia.org/MGASA-2016-0006.html
>
> Truncated advisory?
Looks like mgarepo choked on "<script>":
http://svnweb.mageia.org/advisories/16776.adv?view=markup
s/mgarepo/mgaadv/
Created bug 17478 for the parser issue. I'll fix the advisory by dropping the "<" and ">" in the evening (or try if escaping them is enough).