All times are UTC

non port: devel/bugzilla44/distinfo

Number of commits found: 14

Saturday, 17 Feb 2018
09:47 ohauer
- update to 4.4.13

MFH:		2018Q1
Security:	CVE-2018-5123
Security:	vid: 22283b8c-13c5-11e8-a861-20cf30e32f6d
Revision: 462090

Tuesday, 17 May 2016
18:35 ohauer
- update to 4.4.12

Security:	CVE-2016-2803
Security:	036d6c38-1c5b-11e6-b9e0-20cf30e32f6d
Revision: 415408

Wednesday, 23 Dec 2015
11:25 ohauer
- update to 4.4.11

This release fixes two security issues.
See the Security Advisory for details. [1]

This release also contains the following bug fix:

 o mod_perl now works correctly with mod_access_compat turned off
   on Apache 2.4. The (incorrect) fix implemented in Bugzilla 4.4.9
   has been backed out. To regenerate the .htaccess files, you must
   first delete all existing ones in subdirectories:

    find . -mindepth 2 -name .htaccess -exec rm -f {} \;

   You must then run checksetup.pl again to recreate them with the
   correct syntax. (Bug 1223790)

[1] https://www.bugzilla.org/security/4.2.15/

MFH:		2015Q4
Security:	CVE-2015-8508
		CVE-2015-8509
		vid="54075861-a95a-11e5-8b40-20cf30e32f6d"
Revision: 404285

Monday, 14 Sep 2015
04:10 ohauer
- update bugzilla ports to 5.0.1 / 4.4.10

o Users whose login name is not an email address could not log in on
  installations which use LDAP to authenticate users.
o If a mandatory custom field was hidden, it was not possible to create a
  new bug or to edit existing ones.
o A user editing his login name to point to a non-existent email address
  could cause Bugzilla to stop working, causing a denial of service.
o Emails generated during a transaction made PostgreSQL stop working.
o Bugs containing a comment with a reference to a bug ID larger than 2^31
  could not be displayed anymore using PostgreSQL.
o Emails sent by Bugzilla are now correctly encoded as UTF-8.
o The date picker in the "Time Summary" page was broken.
o If Test::Taint or any other Perl module required to use the JSON-RPC API
  was not installed or was too old, the UI to tag comments was displayed
  anyway, you could tag comments, but tags were not persistent (they were
  lost on page reload). Now the UI to tag comments is not displayed at all
  until the missing Perl modules are installed and up-to-date.
o Custom fields of type INTEGER now accept negative integers.

MFH:		2015Q3
Security:	CVE-2015-4499
Security:	ea893f06-5a92-11e5-98c0-20cf30e32f6d
Revision: 396878

Sunday, 31 May 2015
16:07 ohauer
- update to 4.4.9
Revision: 388117

Tuesday, 27 Jan 2015
21:33 ohauer
- update to 4.4.8

Release Notes:
https://www.bugzilla.org/releases/4.4.8/release-notes.html

This release contains the following bug fix:
 - Fixing a regression caused by bug 10902750 [1], JSON-RPC API calls could
   crash in certain cases instead of displaying the proper error message.
   (Bug 1124716) [2]

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1090275
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1124716

MFH:		2015Q1
Revision: 378023

Monday, 26 Jan 2015
20:28 ohauer
- update to 4.4.7
- adjust dependency

MFH:		2015Q1
Security:	dc2d76df-a595-11e4-9363-20cf30e32f6d
		CVE-2014-8630
Revision: 377952

Monday, 6 Oct 2014
19:16 ohauer
- update to bugzilla 4.4.6

Summary
=======
The following security issues have been discovered in Bugzilla:

* The 'realname' parameter is not correctly filtered on user account
  creation, which could lead to user data override.
* Several places were found in the Bugzilla code where cross-site
  scripting attacks could be used to access sensitive information.
* Private comments can be shown to flagmail recipients who aren't in
  the insider group
* Specially formatted values in a CSV search results export could be
  used in spreadsheet software to attack a user's computer.

Security:	CVE-2014-1572
		CVE-2014-1571
		CVE-2014-1571
Revision: 370211

Friday, 25 Jul 2014
14:15 ohauer
- update to bugzilla44-4.4.5

Vulnerability Details
=====================

Class:       Cross Site Request Forgery
Versions:    3.7.1 to 4.0.13, 4.1.1 to 4.2.9, 4.3.1 to 4.4.4, 4.5.1 to 4.5.4
Fixed In:    4.0.14, 4.2.10, 4.4.5, 4.5.5
Description: Adobe does not properly restrict the SWF file format,
             which allows remote attackers to conduct cross-site
             request forgery (CSRF) attacks against Bugzilla's JSONP
             endpoint, possibly obtaining sensitive bug information,
             via a crafted OBJECT element with SWF content satisfying
             the character-set requirements of a callback API.

http://www.bugzilla.org/security/4.0.13/

MFH:		2014Q3
Security:	9defb2d6-1404-11e4-8cae-20cf30e32f6d
		CVE-2014-1546
Revision: 362911

Sunday, 20 Apr 2014
17:26 ohauer
- update bugzilla to 4.4.4, 4.2.9, 4.0.13
- minor Makefile cleanup

This release fixes one regression introduced in Bugzilla by
security bug 968576: URLs in bug comments are displayed
correctly again. (Bug 998323)

Release Notes & Changes
=======================
Before installing or upgrading, you should read the Release Notes for
the new version of Bugzilla:

  4.4.4:  http://www.bugzilla.org/releases/4.4.4/release-notes.html
  4.2.9:  http://www.bugzilla.org/releases/4.2.9/release-notes.html
  4.0.13: http://www.bugzilla.org/releases/4.0.13/release-notes.html

MFH:		2014Q2
Revision: 351626

Friday, 18 Apr 2014
18:54 ohauer
- commit forgotten distinfo
Revision: 351558

15:03 ohauer
- update to 4.0.12, 4.2.8, 4.4.3
- move BINMODE to Makefile.common so it is also used in the language packs

Security:	CVE-2014-1517
Security:	608ed765-c700-11e3-848c-20cf30e32f6d
Security:	60bfa396-c702-11e3-848c-20cf30e32f6d
Revision: 351542

Thursday, 17 Oct 2013
19:35 ohauer
- update to latest release [1]
- use PKGNAMESUFFIX instead of LATEST_LINK
- whitespace cleanup
- svn mv */bugzilla to */bugzilla40
- add vuxml entry

4.4.1, 4.2.7, and 4.0.11 Security Advisory
Wednesday Oct 16th, 2013

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* A CSRF vulnerability in process_bug.cgi affecting Bugzilla 4.4 only
  can lead to a bug being edited without the user's consent.

* A CSRF vulnerability in attachment.cgi can lead to an attachment
  being edited without the user's consent.

* Several unfiltered parameters when editing flagtypes can lead to XSS.

* Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered
  field values in tabular reports can lead to XSS.

All affected installations are encouraged to upgrade as soon as
possible.

[1] Even though bugzilla40 gets upstream fixes, an upgrade to
bugzilla42/44 is recommended.

Security:	vid e135f0c9-375f-11e3-80b7-20cf30e32f6d
		CVE-2013-1733
		CVE-2013-1734
		CVE-2013-1742
		CVE-2013-1743
Revision: 330666

Thursday, 20 Jun 2013
22:21 ohauer
New ports for bugzilla44
- devel/bugzilla44
- japanese/bugzilla44
- german/bugzilla44

Release Notes:
http://www.bugzilla.org/releases/4.4/release-notes.html
Revision: 321429