o Users whose login name is not an email address could not log in on
installations which use LDAP to authenticate users.
o If a mandatory custom field was hidden, it was not possible to create a
new bug or to edit existing ones.
o A user editing his login name to point to a non-existent email address
could cause Bugzilla to stop working, causing a denial of service.
o Emails generated during a transaction made PostgreSQL stop working.
o Bugs containing a comment with a reference to a bug ID larger than 2^31
could not be displayed anymore using PostgreSQL.
o Emails sent by Bugzilla are now correctly encoded as UTF-8.
o The date picker in the "Time Summary" page was broken.
o If Test::Taint or any other Perl module required to use the JSON-RPC API
was not installed or was too old, the UI to tag comments was displayed
anyway, you could tag comments, but tags were not persistent (they were
lost on page reload). Now the UI to tag comments is not displayed at all
until the missing Perl modules are installed and up-to-date.
o Custom fields of type INTEGER now accept negative integers.
MFH: 2015Q3
Security: CVE-2015-4499
Security: ea893f06-5a92-11e5-98c0-20cf30e32f6d
- Replace ${MASTER_SITE_FOO} with FOO.
- Merge MASTER_SITE_SUBDIR into MASTER_SITES when possible. (This means 99.9%
of the time.)
- Remove occurrences of MASTER_SITE_LOCAL when no subdirectory was present and
no hint of what it should be was present.
- Fix some logic.
- And generally, make things more simple and easy to understand.
While there, add magic values to the FESTIVAL, GENTOO, GIMP, GNUPG, QT and
SAMBA macros.
Also, replace some EXTRACT_SUFX occurences with USES=tar:*.
Checked by: make fetch-urlall-list
With hat: portmgr
Sponsored by: Absolight
- use PKGNAMESUFFIX instead LATEST_LINK
- whitespace cleanup
- svn mv */bugzilla to */bugzilla40
- add vuxml entry
4.4.1, 4.2.7, and 4.0.11 Security Advisory
Wednesday Oct 16th, 2013
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* A CSRF vulnerability in process_bug.cgi affecting Bugzilla 4.4 only
can lead to a bug being edited without the user consent.
* A CSRF vulnerability in attachment.cgi can lead to an attachment
being edited without the user consent.
* Several unfiltered parameters when editing flagtypes can lead to XSS.
* Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered
field values in tabular reports can lead to XSS.
All affected installations are encouraged to upgrade as soon as
possible.
[1] even bugzilla40 gets upstream fixes an upgrade to bugzilla42/44 is recommend
Security: vid e135f0c9-375f-11e3-80b7-20cf30e32f6d
CVE-2013-1733
CVE-2013-1734
CVE-2013-1742
CVE-2013-1743
