Err…. new Bugzilla releases only 9 hours after the old ones
On February 2, around 17:40 PST (Feb 3, 1:40 GMT), we happily released Bugzilla 3.3.2, 3.2.1, 3.0.7 and 2.22.7, which fixed several security issues. Less than 3 hours later, bug 476594 was filed on b.m.o, reporting a problem with srand() on mod_perl (read the details in the bug); srand() is what gets called implicitly when you call rand() in your code. This bug went undetected while the security patches were being written and reviewed, because most developers don't use mod_perl on their test installations. The problem also hadn't shown up on our "secret" mod_perl test installation, probably because the race condition couldn't occur with so few testers using it at the same time. But as soon as b.m.o upgraded to Bugzilla 3.2.1, the problem became very clear, and we owe a big THANK YOU to Philippe M. "gozer" Chiasson for helping us debug and fix it so quickly.

Only 9 hours after the releases mentioned above, i.e. on February 3 around 2:40 PST (Feb 3, 10:40 GMT), Max Kanat-Alexander, our release manager, uploaded new tarballs to the FTP server, and the website was updated to announce the immediate release of Bugzilla 3.3.3, 3.2.2 and 3.0.8, with this single change in them (it's actually a one-line change). We didn't release Bugzilla 2.22.8, as 2.22 doesn't support mod_perl and so is not affected by the problem.
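To illustrate the class of problem behind that bug, here is an added example (my own script, not code from Bugzilla or from the fix in bug 476594): it uses plain fork() on a Unix Perl to stand in for a prefork server, shows that children forked after the parent's first rand() call all report the same "random" value, and shows that an explicit srand() in each child restores distinct values. The helper names and child count are my own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Perl seeds its generator implicitly the first time rand() runs. If that
# first call happens in the parent of a forking server, every child starts
# from one identical copy of the generator state.

# Hypothetical helper: returns the first rand() value produced by each of
# $nchildren children. With $reseed true, each child calls srand() before
# rand(), which is the kind of one-line per-process fix the post refers to.
sub first_random_in_children {
    my ($reseed, $nchildren) = @_;
    $nchildren ||= 3;

    my $parent_value = rand();    # implicit srand() happens here, in the parent

    my @results;
    for (1 .. $nchildren) {
        pipe(my $reader, my $writer) or die "pipe: $!";
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ($pid == 0) {
            close $reader;
            srand() if $reseed;    # fresh, per-process seed
            print {$writer} rand(), "\n";
            close $writer;
            exit 0;
        }
        close $writer;
        chomp(my $line = <$reader>);
        close $reader;
        waitpid($pid, 0);
        push @results, $line;
    }
    return @results;
}

sub count_distinct { my %seen = map { $_ => 1 } @_; return scalar keys %seen }

my @inherited = first_random_in_children(0);
my @reseeded  = first_random_in_children(1);

printf "inherited seed: %d distinct value(s) from %d children\n",
    count_distinct(@inherited), scalar @inherited;
printf "srand() per child: %d distinct value(s) from %d children\n",
    count_distinct(@reseeded), scalar @reseeded;
```

Without reseeding, the first line reports a single distinct value across all children, which is why anything built on rand() (tokens, identifiers) becomes guessable under a prefork server; with srand() per child, each child reports its own value.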
That was a pretty intense and busy evening/night/morning (depending on where you live on the planet) for Bugzilla developers: first, we had to commit 20 security patches (backports included) to CVS, then fix some QA scripts which were affected by those security fixes, create and upload tarballs, update the website, then track down the problem with srand() on mod_perl, review the patch, write and review the new security advisory and new release notes (it was the first time I had to do reviews from work…. you know, I'm teaching ;)), recreate and upload tarballs again, and finally update the website once more. Wow! But things seem to be going well now; no regression has been reported to b.m.o (yet).