Change log for bugzilla package in Ubuntu

bugzilla (3.6.3.0-2) unstable; urgency=medium

  * Support for noninteractive mode in Debconf. Closes: #602738
  * Added missing package dependency against liburi-perl. Removed non exsiting
    package option libgd-noxpm-perl.
  * Urgency set to medium because previous version is not accepted for
    testing.
  * Parallel build for Makefiles is working now.
  * Surrpress error messages for non existing template directories if
    checksetup fails (in noninteractive mode).
  * Extensions are not installed by default. They exist as documentation.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  22 Nov 2010 10:15:07 +0000

Available diffs

• diff from 3.6.3.0-1 to 3.6.3.0-2 (3.1 KiB)

bugzilla (3.6.3.0-1) unstable; urgency=medium

  * New upstream release. Closes: #602420
  * Fixed vulnerability CVE-2010-3172:
    By inserting a certain string into a URL, it was possible
    to inject both headers and content to any browser that
    supported "Server Push" (mostly only Gecko-based browsers
    like Firefox). This could lead to Cross-Site Scripting
    vulnerabilities, and possibly other more dangerous security
    issues as well.
  * Fixed vulnerability CVE-2010-3764:
    The Old Charts system generated graphs with
    predictable names into the "graphs/" directory,
    which also could be browsed to see its contents.
    This allowed unauthorized users to see product
    names and charted information about those
    products over time.
  * Fixed references to YUI components used by language templates.
  * Fixed missing images.
  * Surrpress error messages at installation stage.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  16 Nov 2010 10:05:41 +0000

Available diffs

• diff from 3.6.2.0-4 to 3.6.3.0-1 (6.0 MiB)

bugzilla (3.6.2.0-4) unstable; urgency=low

  * Upgrade from Lenny to Squeeze fixed. Closes: #600170
  * Password may contain special charactres. Closes: #594583
  * Suppress cron messages for non existing directories. Closes: #595489
  * Suppress Germzilla (German translation) version warning.
  * [Debconf translation updates]
    - Vietnamese (Clytie Siddall) Closes: #598479
 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  28 Oct 2010 11:46:40 +0000

Available diffs

• diff from 3.6.2.0-3 to 3.6.2.0-4 (5.9 KiB)

bugzilla (3.6.2.0-3) unstable; urgency=low

  * [Debconf translation updates]
    - Spanish (Francisco Javier Cuadrado). Closes: #594766, #595230
    - German (Helge Kreutzmann). Closes: #595186
    - French (Christian Perrier). Closes: #594929
    - Russian (Yuri Kozlov). Closes: #595261
    - Czeck (Michal Simunek). Closes: #595277
    - Swedish (Martin Bagge). Closes: #595350
    - Italian (Vincenzo Campanella).
    - Danish (Joe Dalton). Closes: #595383
    - Basque (Iñaki Larrañaga Murgoitio).
    - Brazilian Portuguese (Adriano Rafael Gomes). Closes: #596436
    - Portuguese (Miguel Figueiredo). Closes: #596279

Available diffs

• diff from 3.6.2.0-1 to 3.6.2.0-3 (25.2 KiB)

bugzilla (3.6.2.0-1) unstable; urgency=low

  * New upstream release. Closes: #592212
  * Increased Standards-Version to 3.9.1; no changes.
  * Due to tons of bug reports with missconfigured database server environment
    I've disabled the DB check at installation time ($db_check=0) and added
    more code to handle database connect errors at installation/configuration
    time.
    LP: #584827, #546954, #584819
  * Bugzilla will be disabled if configuration/installation failes.
    Closes: #557357
  * [Debconf translation updates]
    - Czech (Slavko). Closes: #591943
    - Swedish (Martin Bagge). Closes: #592036
    - Portuguese. Closes: #592160
 -- Micah Gersten <email address hidden>   Sun, 08 Aug 2010 15:38:06 +0200

Available diffs

• diff from 3.6.1.0-0.1 to 3.6.2.0-1 (946.6 KiB)

bugzilla (3.6.1.0-0.1) experimental; urgency=low

  * New upstream release.
 -- Micah Gersten <email address hidden>   Sun, 18 Jul 2010 22:33:21 +0200

Available diffs

• diff from 3.4.7.0-3 to 3.6.1.0-0.1 (7.1 MiB)

bugzilla (3.4.7.0-3) unstable; urgency=low

  * Fixed permissions on /usr/share/perl5/Bugzilla for old installations.
    Closes: #571107
  * Fixed access rights for /etc/bugzilla3/localconfig. Closes: #571107
  * Using database administrator account to run sanitycheck.pl from daily cron
    job; maintainer field is not used anymore. Closes: #560140
  * [Debconf translation updates]
    - Czech (Jan Outrata). Closes: #590084
    - Japanese (Hideki Yamane). Closes: #590228
    - Portuguese (Miguel Figueiredo). Closes: #590187

Available diffs

• diff from 3.4.7.0-1 to 3.4.7.0-3 (10.2 KiB)

bugzilla (3.4.7.0-1) unstable; urgency=medium

  * New upstream release. Closes: #544367 LP: #415451
  * Security fixes CVE-2010-1204 CVE-2010-0180; set urgency to medium.
    Closes: #587663
  * Fixed typo. Closes: #568110, #576350
  * Fixed translations. Closes: #561518, #561517
  * Increased Standards-Version to 3.9.0; no changes.
  * Switch to dpkg-source 3.0 (quilt) format.
 -- Artur Rona <email address hidden>   Tue, 13 Jul 2010 14:56:34 +0200

Available diffs

• diff from 3.2.5.1-3 to 3.4.7.0-1 (7.1 MiB)

bugzilla (3.2.5.1-3) unstable; urgency=low

  * Syntax and spelling corrections to the README.Debian file. Closes: #568110
  * Typo on bugzilla3.templates and update of translations. Closes: #576350, #561517
 -- Ubuntu Archive Auto-Sync <email address hidden>   Sun,  20 Jun 2010 02:59:38 +0100

Available diffs

• diff from 3.2.5.1-2 to 3.2.5.1-3 (6.6 KiB)

bugzilla (3.2.5.1-2) unstable; urgency=low

  * Fixed dash compatibility within ../bugzilla3/lib/checksetup.pl.
    Closes: #558238

Available diffs

• diff from 3.2.4.0-3ubuntu1 to 3.2.5.1-2 (1.4 MiB)

bugzilla (3.2.4.0-3ubuntu1) karmic; urgency=medium

  * Fix installable problem (LP: #414985):
    - Depend on libjs-yui, not yui.
    - Fix typo in Recommends on imagemagick.

 -- Artur Rona <email address hidden>   Mon, 17 Aug 2009 21:47:47 +0200

Available diffs

• diff from 3.2.4.0-3 to 3.2.4.0-3ubuntu1 (816 bytes)

bugzilla (3.2.4.0-3) unstable; urgency=medium

  * Changed processing of Status/Resolution field changes. I hope this
    modification is less disturbing for 99% of typical installations.
  * Fixed ucf warning. Closes: #521855
  * (Ubuntu) Fixed processing of manual checksetup.pl execution.
    LP: #398892, #394972, #394846, #367476, #301909, #317963, #313310
  * (Ubuntu) Installation of outstanding packages is not supported.
    LP: #389962 
  * (Ubuntu) perl-modules=5.10.0-24 provides the CGI package of version 3.29
    which is not enought to bugzilla. For Perl 5.10 version 3.33 of CGI
    package is required. LP: #386620
  * (Ubuntu) Added cvs and imagepagick to Recommends. LP: #386598
  * (Ubuntu) Applied example from Rolf Leggewie for vh-basic.conf. LP: #386608
  * (Ubuntu) Restart of apache2 added. LP: #300566
  * (Ubuntu) Processing of templates fixed by pre-checksetup.d script.
    LP: #302192
  * (Ubuntu) The sym-link /usr/share/bugzilla3/web/data ->
    /var/lib/bugzilla3/data is valid. LP: #386592
  * (Ubuntu) Sendmail support is fixed upstream. LP: #281379
  * (Ubuntu) Change file permissions for skins after checksetup.pl call.
    LP: #314123
  * (Ubuntu) Fixed file permissions in /etc/bugzilla3. LP: #386604

Available diffs

• diff from 3.2.0.1-1 to 3.2.4.0-3 (5.4 MiB)

bugzilla (3.2.0.1-1) unstable; urgency=low

  * Debconf templates and debian/control reviewed by the debian-l10n-
    english team as part of the Smith review project. Closes: #507533
  * [Debconf translation updates]
    - German. Closes: #507594
    - Swedish. Closes: #506601
    - Japanese. Closes: #507773
    - Portuguese. Closes: #507813, #508317
    - French. Closes: #508164
    - Russian. Closes: #508290
    - Italian. Closes: #508530
    - Basque. Closes: #508892
  * Fixed skin support. Closes: #509020
  * checksetup.pl is now a wrapper shell script which run-parts
    /usr/share/bugzilla3/debian/{pre,post}-checksetup.d directories. Scripts
    in those directories take care about the configuration. The configuration
    variable webdotbase is preset to the right value. Closes: #494091
  * If Status/Resolution filds were modified, checksetup.pl is *not* started
    but installation procedure is finished successful. The user have to
    restart dpkg-reconfigure bugzilla3 after modified checksetup_nondebian.pl.
  * If package is installed from scratch the /etc/apache2/conf.d/bugzilla3 is
    sym-linked to /usr/share/doc/bugzilla3/examples/basic.conf. Bugzilla works
    out of the box in this case.
  * Support for PostgreSQL is missing right now (see bug 511331) but it's
    possible right now to install this package without db-config support and do
    everthing manually. Closes: #507555

 -- Iain Lane <email address hidden>   Wed,  21 Jan 2009 11:38:57 +0000

Available diffs

• diff from 3.2.0.0~rc2-1 to 3.2.0.1-1 (4.4 MiB)

bugzilla (3.0.4.1-2ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/maintenance/33_CVE-2008-4437.sh: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden>   Mon, 13 Oct 2008 11:52:24 +0200

Available diffs

• diff from 3.0.4.1-2ubuntu1 (in Ubuntu) to 3.0.4.1-2ubuntu1.1 (975 bytes)

bugzilla (2.22.1-2.2ubuntu1.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden>   Sat, 11 Oct 2008 21:56:21 +0200

Available diffs

• diff from 2.22.1-2.2ubuntu1 (in Ubuntu) to 2.22.1-2.2ubuntu1.8.04.1 (1.0 KiB)

bugzilla (2.22.1-2.2ubuntu1.7.10.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden>   Sat, 11 Oct 2008 21:56:21 +0200

Available diffs

• diff from 2.22.1-2.2ubuntu1 (in Ubuntu) to 2.22.1-2.2ubuntu1.7.10.1 (1.0 KiB)

bugzilla (3.2.0.0~rc2-1) unstable; urgency=low

  * Update to new release.

Available diffs

• diff from 3.0.4.1-2ubuntu1 to 3.2.0.0~rc2-1 (5.6 MiB)

bugzilla (3.0.4.1-2ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes:
    - added Homepage field.

 -- Emanuele Gentili <email address hidden>   Thu, 14 Aug 2008 20:43:29 +0200

Available diffs

• diff from 3.0.4.1-1ubuntu1 to 3.0.4.1-2ubuntu1 (2.7 KiB)

bugzilla (3.0.4.1-1ubuntu1) intrepid; urgency=low

  * debian/control:
   + added Homepage field.

 -- Emanuele Gentili <email address hidden>   Tue, 12 Aug 2008 17:47:15 +0200

Available diffs

• diff from 3.0.4.1-1 to 3.0.4.1-1ubuntu1 (656 bytes)

bugzilla (3.0.4.1-1) unstable; urgency=low

  * Update of French, Russian and German translations. (closes: #488251)
  * Added Bulgarian and Belarusian translations.

Available diffs

• diff from 3.0.4-0ubuntu1 to 3.0.4.1-1 (5.9 MiB)

bugzilla (3.0.4-0ubuntu1) intrepid; urgency=low

  * New upstream release (LP: #138886, #235701).
  * Removed "CVS" directories and ".cvsignore" files from upstream tarball.
  * Added patches/ubuntu_01_bugzilla_libpath.dpatch - newly updated as necessary
    version of old 01_libpath.dpatch patch.
  * Added patches/01_debian_package_version.dpatch - replaces old patch
    01_VERSION.dpatch, simply changes the version of Bugzilla to show the
    Debian packaging's versioning.
  * Added patches/ubuntu_05_makefile_install.dpatch - Use a Makefile to
    install Bugzilla to the correct locations. Based on Makefile in old
    package but in patch form.
  * Removed 02_checksetup.dpatch - fixed upstream.
  * Removed 101_Config.diff - upstream has changed codebase.
  * Renamed 06_contrib.dpatch to ubuntu_02_contrib_shebang_fixes.dpatch -
    corrects 'shebangs' which point to /usr/local/bin/ to /usr/bin/.
  * Renamed 08_showdependencygraph.dpatch to
    ubuntu_03_showdependencygraph_url_fixes.dpatch and updated code as
    necessary - fixes graph URL to make the webdot generation possible.
  * Removed CVE-2007-0791.dpatch - applied to upstream code.
  * Removed CVE-2007-4543.dpatch - applied to upstream code.
  * Renamed 09_homelink.dpatch to ubuntu_04_fixed_homepage_linked.dpatch -
    upstream now has links in
    'template/en/default/global/common-links.html.tmpl' instead of
    'useful-links.html.tmpl'.
  * Removed 03_webpath.dpatch - upstream has changed stylesheet layout.
  * Updated 10_perl_scripts_shebang.dpatch and removed part on "globals.pl" -
    no longer in source.
  * Removed Debian vhost support patches (see docs/html/multiple-bz-dbs.html
    for how to run multiple Bugzilla instances):
    - Removed 04_Config.pm.dpatch - duplicate patch and unable to adapt it to
      new upstream code.
    - Removed 07_virtualhosting.dpatch - duplicate patch of
      04_Config.pm.dpatch.
    - Removed 'debian/examples' - contained Apache VHost example setup files
      for Bugzilla.
    - Removed section about vhosts from README.Debian.
  * debian/rules:
    - Removed rules for "vhost conf dir", "examples" and "101_Config.diff"
      installation rules.
    - Removed part about bugzilla-fr package.
    - Remved part about "whine.pl" - now in Makefile.
    - Added rules to check the setup with upstream's "checksetup.pl" script.
  * debian/control:
    - Updated Standards-Version to 3.7.3.
    - Updated compatibity level and debhelper build dependency version to 6.
    - Added Homepage field to source package stanza.
    - Added part about seeing 'bugzilla' package for more info to
      'bugzilla-docs'.
    - Added libapache2-mod-perl2, libtemplate-perl, libmime-perl,
      libappconfig-perl, libdbd-mysql-perl, libtimedate-perl, libgd-gd2-perl,
      libgd-text-perl, libxml-twig-perl, perlmagick, libemail-send-perl,
      libemail-mime-modifier-perl, libchart-perl, libgd-graph-perl,
      libhtml-scrubber-perl, libdbi-perl, libfile-spec-perl, libgd-graph-perl,
      libgd-text-perl, libnet-ldap-perl, libxml-parser-perl: to build
      dependencies with the necessary versions as stated by upstream in
      docs/html/installation.html - in order to check packaging correctly with
      'checksetup.pl' in rules. Also updated the 'bugzilla' dependencies with
      the above (LP: #235461).
    - Removed dependencies on old "apache" packages as they are no longer in
      the archives.
    - Moved mail transport agents on 'bugzilla' from Depends to
      Suggests (LP: #156405).
  * debian/copyright: Updated the downloaded from link.
  * debian/bugzilla.docs: Added "QUICKSTART", "rel_notes.txt" and "UPGRADING"
    documentation from source tarball for inclusion in package.
  * debian/bugzilla-doc.doc-base: Corrected some spelling mistakes.
  * debian/bugzilla.postinst: Removed sections about 101_Config.diff.
  * Changed 'X_BUGZILLA_SITE' in bugzilla.cron.daily and bugzilla.postinst to
    'PROJECT'.

 -- Jonathan Patrick Davies <email address hidden>   Thu, 29 May 2008 17:20:32 +0200

Available diffs

• diff from 2.22.1-2.2ubuntu1 to 3.0.4-0ubuntu1 (2.5 MiB)

bugzilla (2.22.1-2.2ubuntu1) gutsy; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/rules: Install whine.pl in /usr/share/bugzilla/lib.
    - debian/control: Update maintainer field.

bugzilla (2.22.1-2.1ubuntu1) gutsy; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/rules: Install whine.pl in /usr/share/bugzilla/lib
    - Upate maintainer field in debian/control.

bugzilla (2.22.1-2ubuntu1) gutsy; urgency=low

  * debian/rules: install whine.pl in /usr/share/bugzilla/lib
    * Closes (LP#: 65682)

 -- Barry deFreese <email address hidden>   Sat, 11 Aug 2007 23:44:06 -0400

bugzilla (2.22.1-2) unstable; urgency=high

  * Depends on mysql-client as we provide mysql support with dbconfig-common.
    (closes: #398621)
  * Urgency set to high to fix the etch RC bug.
  * Updated the Bugzilla version (debian minor) in Bugzilla/Config.pm.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  16 Nov 2006 17:01:41 +0000

bugzilla (2.22.1-1) unstable; urgency=high

  * New upstream release (2.22.1) fixes several security issues (hence the
    high priority)
    + CVE-2006-5455:
      Cross-site request forgery (CSRF) vulnerability in `editversions.cgi'.
    + CVE-2006-5454:
      Previous versions allow remote attackers to obtain the description
      of arbitrary attachments.
    + CVE-2006-5453:
      Multiple cross-site scripting (XSS) vulnerabilities.
    (bug #395094 now affects only sarge)
  * Depends on libtemplate-perl (>= 2.10)
  * Depends on libmailtools-perl (>= 1.67)

bugzilla (2.22-1) unstable; urgency=low

  * New upstream release (2.22).
    (closes: #365304)
  * Tempaltes moved to `/var/lib/bugzilla' instead of `/usr/share/bugzilla'
    which is more appropriate, and compliant with README.Debian.
    (closes: #368605)
  * Doesn't overwrite `/etc/bugzilla/localconfig' silently, uses ucf for
    replacing this file so the local administrator can check if he wants to
    update the DB access or not. It's then possible to upgrade from version
    prior to 2.22 with denying to use dbconfig-common.
    (closes: #366961)

bugzilla (2.20-1) unstable; urgency=low


  * New upstream release.
    (closes: #331242)
  * New dependency: libmailtools-perl for Mail/Mailer.pm
  * New dutch po-debconf translation (Thanks to Luk Claes).
    (closes: #328675)
  * New catalan po-debconf translation (Thanks to Miguel Gea Milvaques).
    (closes: #328930)
  * New spanish po-debconf translation (Thanks to César Gómez Martín).
    (closes: #333900)
  * New german po-debconf translation (Thanks to Jens Nachtigall).
    (closes: #326794)
  * Added debconf-2.0 dependency.
    (closes: #331769)

 -- Alexis Sukrieh <email address hidden>  Sat, 15 Oct 2005 18:55:24 +0200

bugzilla (2.18.4-1) unstable; urgency=high


  * New upstream minor release
    + Fixed a security issue: It was possible to bypass the "user
      visibility groups" restrictions if user-matching was turned on
      in "substring" mode.
    + Fixed a security issue: config.cgi exposed information to users who
      weren't logged in, even when "requirelogin" was turned on in Bugzilla.
    (closes: #331206)

 -- Alexis Sukrieh <email address hidden>  Mon,  3 Oct 2005 16:51:01 +0200

bugzilla (2.16.7-0.2ubuntu0.1) hoary-security; urgency=high


  * SECURITY UPDATE: cross-site scripting (XSS)
  * CGI.pl:
    - Applied patch from upstream.
  * template/en/default/global/code-error.html.tmpl:
    - Applied patch from upstream.
  * References:
    CAN-2004-1061

 -- Christian Bjälevik <email address hidden>  Fri,  6 May 2005 09:56:00 +0200

bugzilla (2.16.7-0.2) unstable; urgency=medium


  * NMU 0-days due to serious/important bug solving which prevents
    bugzilla entering testing.

  [ Alexis Sukrieh ]

  * Post-inst won't fail anymore when no MySQL server is
    available. Added an automatic way of setting up the MySQL server if
    /etc/mysql/debian.cnf exists, will read values from it then.
    (closes: #250638)
  * Using a MySQL user with '-' inside its name won't fail anymore.
    (closes unreported bug)
  * Better handling on DBI connection errors. When DBI complains about
    something, user is not confused anymore by ugly error messages.
    (closes: #154249)
  * Running checksetup.pl by hand won't break the Bugzilla's installation
    anymore. User can use it as he want without running dpkg-reconfigure.
    (closes: #200707)

  [ Francesco P. Lovergine ]

  * Now rules removes .cvsignore file which trashes /usr/share/bugzilla/template.
  * Added virtual package httpd to the list of web server.
    (closes: #213784)

 -- Francesco Paolo Lovergine <email address hidden>  Tue,  7 Dec 2004 22:54:45 +0100

bugzilla (2.16.5-2ubuntu0.2) warty-security; urgency=high


  * SECURITY UPDATE: multiple vulnerabilities
  * CGI.pl, template/en/default/global/code-error.html.tmpl:
    - Substitute <, > and & with their HTML alternatives to prevent XSS.
    - CAN-2004-1061
  * editgroups.cgi, editusers.cgi:
    - Rewrite of the SQL querys for grouphandling to prevent SQL injection.
    - CAN-2004-0707
  * editgroups.cgi, editusers.cgi, editcomponents.cgi, editmilestones,
    editproducts.cgi, editversions.cgi:
    - Removed un-needed form value display code to fix an XSS vulnerability.
    - CAN-2004-0705
  * buglist.cgi, duplicates.cgi:
    - Added a check to see if the user is priviledged to see a hidden product.
      This prevents an information leak that showed the user all products by
      visiting duplicates.cgi. Also the check was needed for buglist.cgi.
    - CAN-2004-0704
  * References:
    http://www.bugzilla.org/security/2.16.5/

 -- Christian Bjälevik <email address hidden>  Thu, 14 Jun 2005 11:06:00 +0200

bugzilla (2.16.5-2) unstable; urgency=low


  * Duplicate table creation is now also fixed in bugzilla.postinst
    (closes: #224288)

 -- Rémi Perrot <email address hidden>  Fri,  2 Apr 2004 01:13:32 +0200