Bugzilla 3.4.1 released to fix a security bug
We released Bugzilla 3.4.1 a few minutes ago to fix a security bug reported two days ago. Your installation is only vulnerable if at least one of your products has the "Entry" bit turned on for at least one group. Note that users cannot do any harm: the security checks are working fine, so no user can file or move a bug into a product if the user is not allowed to access that product. We marked this bug as a security one because a user could see the names of some products even though they should not be aware of their existence (when these products have Entry + Mandatory/Mandatory set).
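To make the class of bug concrete, here is a small constructed model of product visibility in a bug tracker: a product can be hidden from a user by a group that is Mandatory for members and non-members alike, while the Entry bit only governs who may file or move bugs into it. The "leaky" listing builds the drop-down from the entry bit alone and therefore names a hidden product; the "fixed" listing runs the same visibility check that guards access before adding a name. This is an added illustration written for this post, not Bugzilla's own code; the group-control vocabulary mirrors Bugzilla's, but the data structures, function names and sample products are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Group-control values used in this model (names follow Bugzilla's
# vocabulary; the structures below are a constructed simplification).
MANDATORY = "Mandatory"
SHOWN = "Shown"
NA = "NA"


@dataclass(frozen=True)
class GroupControl:
    group: str
    membercontrol: str    # control applied to members of the group
    othercontrol: str     # control applied to non-members
    entry: bool = False   # "Entry" bit: membership required to file bugs here


@dataclass(frozen=True)
class Product:
    name: str
    controls: tuple[GroupControl, ...] = ()


def can_see_product(product: Product, user_groups: set[str]) -> bool:
    """A product is hidden when one of its groups is Mandatory for both
    members and non-members and the user is not a member of that group."""
    for gc in product.controls:
        if (gc.membercontrol == MANDATORY and gc.othercontrol == MANDATORY
                and gc.group not in user_groups):
            return False
    return True


def can_enter_product(product: Product, user_groups: set[str]) -> bool:
    """Filing or moving a bug into a product requires membership in every
    group whose Entry bit is set (a product with no such group is open)."""
    return all(gc.group in user_groups for gc in product.controls if gc.entry)


def dropdown_products_leaky(products, user_groups: set[str]) -> list[str]:
    """Constructed 'before' behaviour: any product that has an entry group
    is listed, regardless of whether the user may see it. A model of the
    regression described above, not the actual Bugzilla 3.4 code."""
    return [p.name for p in products
            if any(gc.entry for gc in p.controls)
            or can_enter_product(p, user_groups)]


def dropdown_products_fixed(products, user_groups: set[str]) -> list[str]:
    """Corrected behaviour: the visibility check that guards access decides
    what is named at all, and the entry check is layered on top of it."""
    return [p.name for p in products
            if can_see_product(p, user_groups)
            and can_enter_product(p, user_groups)]


def leaked_product_names(products, user_groups: set[str]) -> set[str]:
    """Names the leaky drop-down exposes that the user should not see."""
    hidden = {p.name for p in products if not can_see_product(p, user_groups)}
    return hidden & set(dropdown_products_leaky(products, user_groups))


# Constructed sample data: three products with different group controls.
PRODUCTS = (
    Product("Public Web"),
    Product("Internal Tools", (GroupControl("staff", SHOWN, NA, entry=True),)),
    Product("Secret Project",
            (GroupControl("secret", MANDATORY, MANDATORY, entry=True),)),
)

if __name__ == "__main__":
    for groups in ({"staff"}, set()):
        print("groups:", sorted(groups) or "(none)")
        print("  leaky:", dropdown_products_leaky(PRODUCTS, groups))
        print("  fixed:", dropdown_products_fixed(PRODUCTS, groups))
        print("  leaked names:", leaked_product_names(PRODUCTS, groups))
```

Note that the leak is purely one of names: neither listing lets the user actually move a bug into "Secret Project", because the entry check still fails, which is why the post describes the impact as disclosure of product existence rather than unauthorised access.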
Here is what happened since we released Bugzilla 3.4 on Tuesday:
Tuesday, July 28
11:00 GMT: Bugzilla 3.4 is available for download.
Thursday, July 30
15:02 GMT: Sergej Pupykin files bug 507389 about too many product names being visible in the "Product" drop-down field in show_bug.cgi to users with no access to them.
17:05 GMT: I confirm that the bug is a regression in 3.4.
18:40 GMT: A first fix is proposed.
Friday, July 31
10:23 GMT: A second fix is proposed. This one gets r+.
Saturday, August 1
10:59 GMT: Bug 507800 is filed. We are going to release Bugzilla 3.4.1 today.
12:38 GMT: The security fix is checked in and the bug marked as FIXED.
12:48 GMT: Automated QA tests (running Selenium) report several errors.
13:04 GMT: I confirm that the security fix (which I wrote; oops) is bogus and is responsible for the bustage.
13:22 GMT: New fix proposed.
13:51 GMT: All QA tests now pass successfully. We are ready to go.
14:01 GMT: The fix is checked in.
15:00 GMT: mkanat is done with the website update.
15:41 GMT: Bug 507800 is marked as FIXED. Bugzilla 3.4.1 is officially available for download.
If you already upgraded to 3.4, you can safely upgrade to 3.4.1, as the changes between the two versions are really non-invasive. I hope we won’t need to release 3.4.2 next week!