As described in bug 480001, MySQL 5.1.31 and newer no longer let you write ‘SET SESSION max_allowed_packet = xxxx’ (this variable is now read-only, unless set globally). As we are calling it from two different places in Bugzilla 3.2, 3.2.1 and 3.2.2, those Bugzilla versions won’t work with MySQL 5.1.31 and newer. I hope this problem will be fixed in Bugzilla 3.2.3.
Update: this bug has been fixed and will be available in Bugzilla 3.2.3, which should be released very soon now (probably next week).
On February 2, around 17:40 PST (Feb 3, 1:40 GMT), we happily released Bugzilla 3.3.2, 3.2.1, 3.0.7 and 2.22.7, which fixed several security issues. Less than 3 hours later, bug 476594 was filed on b.m.o, reporting a problem on mod_perl with srand(), which is called when you call rand() in your code (read details in the bug). This bug went undetected while writing security patches and while reviewing them, because most developers don’t use mod_perl on their test installations. Also, this problem wasn’t detected on our "secret" mod_perl test installation, probably because race conditions couldn’t occur due to the low number of testers playing with it at the same time. But as soon as b.m.o upgraded to Bugzilla 3.2.1, the problem became very clear, and we have to send a big THANK YOU to Philippe M. "gozer" Chiasson for helping us debug and fix the problem very quickly. Only 9 hours after the releases mentioned above, i.e. on February 3 around 2:40 PST (Feb 3, 10:40 GMT), Max Kanat-Alexander, our release manager, uploaded new tarballs to the FTP server, and the website was updated to announce the immediate release of Bugzilla 3.3.3, 3.2.2 and 3.0.8, with this single change in them (it’s actually a single-line change). We didn’t release Bugzilla 2.22.8 as 2.22 doesn’t support mod_perl, and so is not affected by the problem.
That was a pretty intense and busy evening/night/morning (depends where you live on the planet) for Bugzilla developers: first, we had to commit 20 security patches (backports included) to CVS, then fix some QA scripts which were affected by the security fixes above, create and upload tarballs, update the website, then track down the problem with srand() on mod_perl, review the patch, write and review the new security advisory and new release notes (it was the first time I had to do reviews from work… you know, I’m teaching), recreate and upload tarballs again, and finally update the website once more. Wow! But things seem to be going well now; no regression has been reported to b.m.o (yet).
As announced last Saturday, we released Bugzilla 3.3.2, 3.2.1, 3.0.7 and 2.22.7 today! Read the Security Advisory and the Status Update for more information. If you want to keep informed about the Bugzilla activity, you should know that there is now a "Bugzilla Community" group on Facebook. Feel free to join!
Max is a bit more verbose than me today. You can read his article here.