This commit is contained in:
matty%chariot.net.au 2002-05-26 05:34:25 +00:00
Parent f981dd90ae
Commit e5bd287315
1 changed file: 146 additions and 95 deletions


@ -1,6 +1,6 @@
2.16 has not been released yet - these are prerelease notes. 2.18 has not been released yet - these are prerelease notes.
Insert nice little intro for version 2.16 here. Insert nice little intro for version 2.18 here.
************************** **************************
*** ABOUT THIS VERSION *** *** ABOUT THIS VERSION ***
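Review bot: only the version number was bumped in the intro placeholder, which still reads "Insert nice little intro for version 2.18 here"; the actual 2.18 introduction is still missing and needs to be written before these notes leave prerelease status.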
@ -60,8 +60,9 @@ XML::Parser (any)
- This is possibly the last stable release to support the - This is possibly the last stable release to support the
shadow database. The replacement (using MySQL's built in shadow database. The replacement (using MySQL's built in
replication) is not present in 2.16, but we expect that replication) is not present in 2.16, but we expect that
very few sites use this feature. If this would cause a very few sites use this feature, so we are not planning a
problem for you, please comment on the below bug. transition period. If this would cause a problem for you,
please comment on the below bug.
(bug 124589) (bug 124589)
*** Outstanding Issues Of Note *** *** Outstanding Issues Of Note ***
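Review bot: the shadow-database paragraph still says the replacement "is not present in 2.16" even though the file now describes 2.18 and the line above calls this "possibly the last stable release" to support the feature. Please confirm whether that reference should now read 2.18, and whether the newly added "so we are not planning a transition period" sentence still holds for a release later than the one the paragraph was first written for.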
@ -103,7 +104,7 @@ XML::Parser (any)
- This release of Bugzilla uses the Template Toolkit. For speed, - This release of Bugzilla uses the Template Toolkit. For speed,
compiled templates are cached on disk. If you modify the templates compiled templates are cached on disk. If you modify the templates
in order to customise the look and feel of your Bugzilla instalation, in order to customise the look and feel of your Bugzilla installation,
the toolkit will normally detect the changes, and recompile the the toolkit will normally detect the changes, and recompile the
changed templates. changed templates.
@ -121,45 +122,56 @@ XML::Parser (any)
permission errors. If you see these, rerun checksetup.pl as root. If you permission errors. If you see these, rerun checksetup.pl as root. If you
do not have root access, or cannot get someone who does to do this for you, do not have root access, or cannot get someone who does to do this for you,
you can rename the data/template directory to data/template.old (or any you can rename the data/template directory to data/template.old (or any
other name bugzilla doesn't use). Then rerun checksetup.pl to regenerate other name Bugzilla doesn't use). Then rerun checksetup.pl to regenerate
the compiled templates. the compiled templates.
(bug 97832) (bug 97832)
- Querying on CC takes too long on big databases. - Querying on CC takes too long on big databases.
(bug 127200) (bug 127200)
*********************************************
*** USERS UPGRADING FROM 2.16 OR EARLIER ***
*********************************************
*** SECURITY ISSUES RESOLVED ***
*** IMPORTANT CHANGES ***
*** Other changes of note ***
*** Bug fixes of note ***
*********************************************** ***********************************************
*** USERS UPGRADING FROM 2.14.1 OR EARLIER *** *** USERS UPGRADING FROM 2.14.2 OR EARLIER ***
*********************************************** ***********************************************
*** SECURITY ISSUES RESOLVED *** *** SECURITY ISSUES RESOLVED ***
- The bug reporter could set the priority even when
'letsubmitterchoosepriority' was off.
(bug 63018)
- It was possible for random confidential information to be - It was possible for random confidential information to be
divulged, if the shadow database was in use and became divulged, if the shadow database was in use and became
corrupted. corrupted.
(bug 92263) (bug 92263)
- Mass change would set the groupset of every bug to be the - Mass change would set the groupset of every bug to be the
groupset of the first bug. groupset of the first bug.
(bug 107718) (bug 107718)
- Most CGIs now run in taint mode. This helps to prevent
failure to validate errors.
(bug 108982)
- queryhelp.cgi no longer shows confidential products to
people it shouldn't.
(bug 126801)
- The bug list sort order could take arbitrary SQL. There - The bug list sort order could take arbitrary SQL. There
are no known exploits for this problem. are no known exploits for this problem.
(bug 130821) (bug 130821)
- It was possible for a user to bypass the IP check by
setting up a fake reverse DNS, if the Bugzilla web server - The bug reporter could set the priority even when
was configured to do reverse DNS lookups. Apache is not 'letsubmitterchoosepriority' was off.
configured as such by default. This is not a complete (bug 63018)
exploit, as the user's login cookie would also need to
be divulged for this to be a problem. - Most CGIs are now templatised. This helps to make it
(bug 129466) easier to remember to HTML filter values and easier to spot
when they are not, preventing cross site scripting attacks.
(bug 86168)
- Most CGIs now run in taint mode. This helps to prevent
failure to validate errors.
(bug 108982)
*** IMPORTANT CHANGES *** *** IMPORTANT CHANGES ***
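Review bot: the new "USERS UPGRADING FROM 2.16 OR EARLIER" section introduces four headings (SECURITY ISSUES RESOLVED, IMPORTANT CHANGES, Other changes of note, Bug fixes of note) with no entries under any of them, while bugs 63018, 86168 and 108982 are listed under the section renamed to 2.14.2 instead. If any of those fixes first ship in 2.18 they belong under the new section; if the headings are intentionally empty placeholders for now, a one-line marker under the banner would stop a reader from taking the empty SECURITY ISSUES RESOLVED heading as a statement that 2.18 resolves none.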
@ -332,6 +344,35 @@ XML::Parser (any)
their only email preference was being added or removed from QA. their only email preference was being added or removed from QA.
(bug 143091) (bug 143091)
***********************************************
*** USERS UPGRADING FROM 2.14.1 OR EARLIER ***
***********************************************
*** SECURITY ISSUES RESOLVED ***
- queryhelp.cgi no longer shows confidential products to
people it shouldn't.
(bug 126801)
- It was possible for a user to bypass the IP check by
setting up a fake reverse DNS, if the Bugzilla web server
was configured to do reverse DNS lookups. Apache is not
configured as such by default. This is not a complete
exploit, as the user's login cookie would also need to
be divulged for this to be a problem.
(bug 129466)
- In some situations the data directory became world writeable.
(bug 134575)
- Any user with access to editusers.cgi could delete a user
regardless of whether 'allowuserdeletion' is on.
(bug 141557)
- Real names were not HTML filtered, causing possible cross
site scripting attacks.
(bug 146447)
******************************************** ********************************************
*** USERS UPGRADING FROM 2.14 OR EARLIER *** *** USERS UPGRADING FROM 2.14 OR EARLIER ***
******************************************** ********************************************
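Review bot: the added "USERS UPGRADING FROM 2.14.1 OR EARLIER" section carries only a SECURITY ISSUES RESOLVED heading, unlike the neighbouring version sections, which also have IMPORTANT CHANGES, Other changes of note and Bug fixes of note. If 2.14.2 was a security-only release, one line saying so under the banner would make the missing headings read as intentional. Also, the bug 141557 entry describes past behaviour, so "regardless of whether 'allowuserdeletion' was on" would match the tense of the surrounding entries.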
@ -370,11 +411,13 @@ known to us after the Bugzilla 2.14 release.
- buglist.cgi had an undocumented parameter that allowed you - buglist.cgi had an undocumented parameter that allowed you
to pass arbitrary SQL for the "WHERE" part of a query. to pass arbitrary SQL for the "WHERE" part of a query.
This has been disabled. (bug 108812) This has been disabled.
(bug 108812)
- It was possible for a user to send arbitrary SQL by inserting - It was possible for a user to send arbitrary SQL by inserting
single quotes in the "mybugslink" field in the user single quotes in the "mybugslink" field in the user
preferences. (bug 108822) preferences.
(bug 108822)
- buglist.cgi was not validating that the field names being - buglist.cgi was not validating that the field names being
passed from the "boolean chart" query form were valid field passed from the "boolean chart" query form were valid field
@ -384,12 +427,73 @@ known to us after the Bugzilla 2.14 release.
- long_list.cgi was not validating that the bug ID parameter - long_list.cgi was not validating that the bug ID parameter
was actually a number, allowing arbitrary SQL to be inserted was actually a number, allowing arbitrary SQL to be inserted
if you edited the HTML by hand. (bug 109690) if you edited the HTML by hand.
(bug 109690)
******************************************** ********************************************
*** USERS UPGRADING FROM 2.12 OR EARLIER *** *** USERS UPGRADING FROM 2.12 OR EARLIER ***
******************************************** ********************************************
*** SECURITY ISSUES RESOLVED ***
- Multiple instances of unauthorised access to confidential
bugs has been fixed.
(bug 39524, 39526, 39527, 39531, 39533, 70189, 82781)
- Multiple instances of untrusted parameters not being
checked/escaped was fixed. These included definite security
holes.
(bug 38854, 38855, 38859, 39536, 87701, 95235)
- After logging in passwords no longer appear in the URL.
(bug 15980)
- Procedures to prevent unauthorised access to confidential
files are now simpler. In particular the shadow directory
no longer exists and the data/comments file no longer needs
to be directly accessible, so the entire data directory can
be blocked. However, no changes are required here if you
have a properly secured 2.12 installation as no new files
must be protected.
(bug 71552, 73191)
- If they do not already exist, checksetup.pl will attempt to
write Apache .htaccess files by default, to prevent
unauthorised access to confidential files. You can turn this
off in the localconfig file.
(bug 76154)
- Sanity check can now only be run by people in the 'editbugs'
group. Although it would be better to have a separate
group, this is not possible until the limitation on the
number of groups allowed has been removed.
(bug 54556)
- The password is no longer stored in plaintext form. It will
be eradicated next time you run checksetup.pl. A user must
now change their password via a password change request that
gets validated at their e-mail account, rather than have it
mailed to them.
(bug 74032)
- When you are using product groups and you move a bug between
products (single or mass change), the bug will no longer be
restricted to the old product's group (if it was) and will
be restricted to the new product's group.
(bug 66235)
- There are now options on a bug to choose whether the
reporter, and CCs can access a bug even if they aren't in
groups the bug it is restricted to.
(bug 39816)
- You can no longer mark a bug as a duplicate of a bug you
can't see, and if you mark a bug a duplicate of a bug
the reporter cannot see you will be given options as to
what to do regarding adding the reporter of the resolved
bug to the CC of the open bug.
(bug 96085)
*** IMPORTANT CHANGES *** *** IMPORTANT CHANGES ***
- Bugzilla 2.14 no longer supports old email tech. Upon - Bugzilla 2.14 no longer supports old email tech. Upon
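Review bot: the 2.12 security list relocated here keeps two subject-verb slips from the original text: "Multiple instances of unauthorised access to confidential bugs has been fixed" and "Multiple instances of untrusted parameters not being checked/escaped was fixed" should read "have been fixed" and "were fixed". Since the block is being moved in this commit anyway, fix the wording as part of the move rather than carrying it forward; the matching removal later in the patch otherwise leaves the text unchanged.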
@ -458,57 +562,6 @@ known to us after the Bugzilla 2.14 release.
in this version to make sure that the user does this. in this version to make sure that the user does this.
(bug 28882, 92593) (bug 28882, 92593)
*** SECURITY ISSUES RESOLVED ***
- Multiple instances of unauthorised access to confidential
bugs has been fixed.
(bug 39524, 39526, 39527, 39531, 39533, 70189, 82781)
- Multiple instances of untrusted parameters not being
checked/escaped was fixed. These included definite security
holes.
(bug 38854, 38855, 38859, 39536, 87701, 95235)
- After logging in passwords no longer appear in the URL.
(bug 15980)
- Procedures to prevent unauthorised access to confidential
files are now simpler. In particular the shadow directory
no longer exists and the data/comments file no longer needs
to be directly accessible, so the entire data directory can
be blocked. However, no changes are required here if you
have a properly secured 2.12 installation as no new files
must be protected.
(bug 71552, 73191)
- If they do not already exist, checksetup.pl will attempt to
write Apache .htaccess files by default, to prevent
unauthorised access to confidential files. You can turn this
off in the localconfig file.
(bug 76154)
- Sanity check can now only be run by people in the 'editbugs'
group. Although it would be better to have a separate
group, this is not possible until the limitation on the
number of groups allowed has been removed.
(bug 54556)
- The password is no longer stored in plaintext form. It will
be eradicated next time you run checksetup.pl. A user must
now change their password via a password change request that
gets validated at their e-mail account, rather than have it
mailed to them.
(bug 74032)
- When you are using product groups and you move a bug between
products (single or mass change), the bug will no longer be
restricted to the old product's group (if it was) and will
be restricted to the new product's group.
(bug 66235)
- There are now options on a bug to choose whether the
reporter, and CCs can access a bug even if they aren't in
groups the bug it is restricted to.
(bug 39816)
- You can no longer mark a bug as a duplicate of a bug you
can't see, and if you mark a bug a duplicate of a bug
the reporter cannot see you will be given options as to
what to do regarding adding the reporter of the resolved
bug to the CC of the open bug.
(bug 96085)
*** Other changes of note *** *** Other changes of note ***
- Groups can now be marked inactive, so you can't add a new - Groups can now be marked inactive, so you can't add a new
@ -532,7 +585,6 @@ known to us after the Bugzilla 2.14 release.
resorting to direct database access. resorting to direct database access.
(bug 65290) (bug 65290)
*** Bug fixes of note *** *** Bug fixes of note ***
- The bug list page was sometimes bringing up a not logged in - The bug list page was sometimes bringing up a not logged in
@ -571,6 +623,12 @@ known to us after the Bugzilla 2.14 release.
*** USERS UPGRADING FROM 2.10 OR EARLIER *** *** USERS UPGRADING FROM 2.10 OR EARLIER ***
******************************************** ********************************************
*** SECURITY ISSUES RESOLVED ***
- Some security holes have been fixed where shell escape characters
could be passed to Bugzilla, allowing remote users to execute
system commands on the web server.
*** IMPORTANT CHANGES *** *** IMPORTANT CHANGES ***
- There is now a facility for users to choose the sort of - There is now a facility for users to choose the sort of
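Review bot: the relocated entry about shell escape characters allowing remote users to execute system commands is the only item in these notes without a "(bug N)" reference; every other security entry, including the ones moved elsewhere in this patch, cites one. Add the reference if it exists, since this entry describes remote command execution and readers will want to look up the fix.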
@ -586,7 +644,7 @@ known to us after the Bugzilla 2.14 release.
Subject: [Bug %bugid%] %neworchanged% - %summary% Subject: [Bug %bugid%] %neworchanged% - %summary%
to to:
Subject: [Bug %bugid%] %neworchanged%%summary% Subject: [Bug %bugid%] %neworchanged%%summary%
@ -595,10 +653,6 @@ known to us after the Bugzilla 2.14 release.
middle. middle.
(bug 29820) (bug 29820)
- Some security holes have been fixed where shell escape characters
could be passed to Bugzilla, allowing remote users to execute
system commands on the web server.
*** Other changes of note *** *** Other changes of note ***
- Bug titles now appear in the page title, and will hence - Bug titles now appear in the page title, and will hence
@ -632,7 +686,6 @@ known to us after the Bugzilla 2.14 release.
open bug. open bug.
(bug 28676) (bug 28676)
*** Bug fixes of note *** *** Bug fixes of note ***
- Notification emails will now always be sent to QA contacts. - Notification emails will now always be sent to QA contacts.
@ -657,7 +710,6 @@ known to us after the Bugzilla 2.14 release.
bug is resolved. This occurred because of midair collisions. bug is resolved. This occurred because of midair collisions.
(bug 49306) (bug 49306)
******************************************* *******************************************
*** USERS UPGRADING FROM 2.8 OR EARLIER *** *** USERS UPGRADING FROM 2.8 OR EARLIER ***
******************************************* *******************************************
@ -668,4 +720,3 @@ Release notes were not compiled for versions of Bugzilla before
The file 'UPGRADING-pre-2.8' contains instructions you may The file 'UPGRADING-pre-2.8' contains instructions you may
need to perform in addition to running 'checksetup.pl' if you need to perform in addition to running 'checksetup.pl' if you
are running a pre 2.8 version. are running a pre 2.8 version.