Archive for août 2009

Latest news from Bugzilla 3.5 (unstable)

Now that Bugzilla 3.4.1 has been released earlier this month, we can focus on development again. I’m going to give you a brief overview of new features and major changes we did in our code recently:

  • Bug 214861: You can now use your saved searches to generate new series for New Charts. Till now, you had to create series from scratch.
  • Bug 349336: When you create a new user account and choose your password, you are now automatically logged in.
  • Bug 471620: Passwords are no longer limited to 16 characters. They can be as long as you want.
  • Bug 480986: The Bitmap (BMP)-to-PNG conversion tool which was based on Image::Magick is no longer in the core code of Bugzilla. It has been moved into an extension which will be shipped with Bugzilla 3.6 (this extension is accessible using CVS, in the extensions/bmp_convert/ directory). To enable this extension, delete the extensions/bmp_convert/disabled file.
  • Bug 507493:’s output now uses colors to highlight missing or too old Perl modules. This should prevent a large number of questions we got on IRC these last few weeks about upgrading problems.
  • Bug 508xxx: various improvements have been made to, which should make upgrades significantly faster.
  • Bug 509027: There is now a hook in Bugzilla::Attachment::_check_data() which lets extensions manipulate attachments before they are added to the DB. The BMP-to-PNG converter mentioned above uses this hook. You could also imagine an extension which looks at the "isurl" attribute and downloads the document pointed by this URL (do it at your own risk, of course, in case the URL points to a 4Gb DVD ISO).
  • Bug 509497: GROUP_CONCAT(), natively implemented in MySQL, will soon be available for PostgreSQL and Oracle as a custom sql_group_concat() function. The function is ready for checkin for PostgreSQL, but we are still waiting for an updated patch for Oracle. It should land on time for Bugzilla 3.5.1.
  • Bug 108243: Thanks to the new sql_group_concat() function mentioned above, bug flags can now be displayed in buglists! I will check in this patch as soon as the patch for sql_group_concat() is ready for Oracle DB. It should also be available on time for Bugzilla 3.5.1. (Note that I said "bug flags", meaning that attachment flags won’t be displayed in buglists.)

More cool stuff should come in the coming weeks! :)

There is no planned date for Bugzilla 3.5.1 yet, and in all cases, keep in mind that it will be a development snapshot. It will not be suitable for production. Our next stable release will be Bugzilla 3.6.

Catégories:Bugzilla, Mozilla

Bugzilla 3.4.1 released to fix a security bug

We released Bugzilla 3.4.1 a few minutes ago to fix a security bug reported two days ago. Your installation is only vulnerable if at least one of your products has the "Entry" bit turned on for at least one group. Note that users cannot do any harm: security checks are working fine and so no user can file or move a bug into a product if the user is not allowed to access this product. We marked this bug as a security one because a user could see the name of some products despite he should not be aware of their existence (when these products have Entry + Mandatory/Mandatory set).

Here is what happened since we released Bugzilla 3.4 on Tuesday:

Tuesday, July 28

11:00 GMT: Bugzilla 3.4 is available for download.

Thursday, July 30

15:02 GMT: Sergej Pupykin files bug 507389 about too much product names being visible in the "Product" drop-down field in show_bug.cgi to users with no access to them.

17:05 GMT: I confirm that the bug is a regression in 3.4.

18:40 GMT: A first fix is proposed.

Friday , July 31:

10:23 GMT: A second fix is proposed. This one gets r+

Saturday, August 1:

10:59 GMT: Bug 507800 is filed. We are going to release Bugzilla 3.4.1 today.

12:38 GMT: The security fix is checked in and the bug marked as FIXED.

12:48 GMT: Automated QA tests (running Selenium) report several errors.

13:04 GMT: I confirm that the security fix (which I wrote; oops) is bogus and is responsible for the bustage.

13:22 GMT: New fix proposed.

13:51 GMT: All QA tests now pass successfully. We are ready to go.

14:01 GMT: The fix is checked in.

15:00 GMT: mkanat is done with the website update.

15:41 GMT: Bug 507800 is marked as FIXED. Bugzilla 3.4.1 is officially available for download.

If you already upgraded to 3.4, you can safely upgrade to 3.4.1 as the changes between both versions are really non invasive. I hope we won’t need to release 3.4.2 next week! :)

Catégories:Bugzilla, Mozilla

Recevez les nouvelles publications par mail.