Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-11-20 05:51:25 UTC

* Support for noninteractive mode in Debconf. Closes: #602738
* Added missing package dependency against liburi-perl. Removed non exsiting
  package option libgd-noxpm-perl.
* Urgency set to medium because previous version is not accepted for
  testing.
* Parallel build for Makefiles is working now.
* Surrpress error messages for non existing template directories if
  checksetup fails (in noninteractive mode).
* Extensions are not installed by default. They exist as documentation.

Author: Raphael Bossek
Revision Date: 2010-09-02 09:48:42 UTC

* [Debconf translation updates]
  - Spanish (Francisco Javier Cuadrado). Closes: #594766, #595230
  - German (Helge Kreutzmann). Closes: #595186
  - French (Christian Perrier). Closes: #594929
  - Russian (Yuri Kozlov). Closes: #595261
  - Czeck (Michal Simunek). Closes: #595277
  - Swedish (Martin Bagge). Closes: #595350
  - Italian (Vincenzo Campanella).
  - Danish (Joe Dalton). Closes: #595383
  - Basque (Iñaki Larrañaga Murgoitio).
  - Brazilian Portuguese (Adriano Rafael Gomes). Closes: #596436
  - Portuguese (Miguel Figueiredo). Closes: #596279

Author: Raphael Bossek
Revision Date: 2009-11-29 13:56:03 UTC

Fixed dash compatibility within ../bugzilla3/lib/checksetup.pl.
Closes: #558238

Author: Artur Rona
Revision Date: 2009-08-17 21:35:36 UTC

* Fix installable problem (LP: #414985):
  - Depend on libjs-yui, not yui.
  - Fix typo in Recommends on imagemagick.

Author: Stefan Lesicnik
Revision Date: 2008-10-13 11:52:24 UTC

* SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
  Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
  is enabled, allows remote attackers to read arbitrary files via an
  XML file with a .. (dot dot) in the data element.(LP: #281915)
  - debian/maintenance/33_CVE-2008-4437.sh: upstream patch with regex
    to remove any leading path data from the filename.
  - CVE-2008-4437

Author: Stefan Lesicnik
Revision Date: 2008-10-11 21:56:21 UTC

* SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
  Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
  is enabled, allows remote attackers to read arbitrary files via an
  XML file with a .. (dot dot) in the data element.(LP: #281915)
  - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
    to remove any leading path data from the filename.
  - CVE-2008-4437

Author: Stefan Lesicnik
Revision Date: 2008-10-11 21:56:21 UTC

* SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
  Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
  is enabled, allows remote attackers to read arbitrary files via an
  XML file with a .. (dot dot) in the data element.(LP: #281915)
  - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
    to remove any leading path data from the filename.
  - CVE-2008-4437

Author: Raphael Bossek
Revision Date: 2009-01-10 16:37:54 UTC

* Debconf templates and debian/control reviewed by the debian-l10n-
  english team as part of the Smith review project. Closes: #507533
* [Debconf translation updates]
  - German. Closes: #507594
  - Swedish. Closes: #506601
  - Japanese. Closes: #507773
  - Portuguese. Closes: #507813, #508317
  - French. Closes: #508164
  - Russian. Closes: #508290
  - Italian. Closes: #508530
  - Basque. Closes: #508892
* Fixed skin support. Closes: #509020
* checksetup.pl is now a wrapper shell script which run-parts
  /usr/share/bugzilla3/debian/{pre,post}-checksetup.d directories. Scripts
  in those directories take care about the configuration. The configuration
  variable webdotbase is preset to the right value. Closes: #494091
* If Status/Resolution filds were modified, checksetup.pl is *not* started
  but installation procedure is finished successful. The user have to
  restart dpkg-reconfigure bugzilla3 after modified checksetup_nondebian.pl.
* If package is installed from scratch the /etc/apache2/conf.d/bugzilla3 is
  sym-linked to /usr/share/doc/bugzilla3/examples/basic.conf. Bugzilla works
  out of the box in this case.
* Support for PostgreSQL is missing right now (see bug 511331) but it's
  possible right now to install this package without db-config support and do
  everthing manually. Closes: #507555

Author: Stefan Lesicnik
Revision Date: 2008-10-13 11:52:24 UTC

* SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
  Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
  is enabled, allows remote attackers to read arbitrary files via an
  XML file with a .. (dot dot) in the data element.(LP: #281915)
  - debian/maintenance/33_CVE-2008-4437.sh: upstream patch with regex
    to remove any leading path data from the filename.
  - CVE-2008-4437

Author: Emanuele Gentili
Revision Date: 2008-08-14 20:43:29 UTC

* Merge from debian unstable, remaining changes:
  - added Homepage field.

Author: Stefan Lesicnik
Revision Date: 2008-10-11 21:56:21 UTC

* SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
  Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
  is enabled, allows remote attackers to read arbitrary files via an
  XML file with a .. (dot dot) in the data element.(LP: #281915)
  - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
    to remove any leading path data from the filename.
  - CVE-2008-4437

Author: Michael Bienia
Revision Date: 2007-09-01 16:21:54 UTC

* Merge from Debian unstable, remaining changes:
  - debian/rules: Install whine.pl in /usr/share/bugzilla/lib.
  - debian/control: Update maintainer field.

Author: Stefan Lesicnik
Revision Date: 2008-10-11 21:56:21 UTC

* SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
  Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
  is enabled, allows remote attackers to read arbitrary files via an
  XML file with a .. (dot dot) in the data element.(LP: #281915)
  - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
    to remove any leading path data from the filename.
  - CVE-2008-4437

Author: Michael Bienia
Revision Date: 2007-09-01 16:21:54 UTC

* Merge from Debian unstable, remaining changes:
  - debian/rules: Install whine.pl in /usr/share/bugzilla/lib.
  - debian/control: Update maintainer field.

Author: Alexis Sukrieh
Revision Date: 2006-11-15 07:54:08 UTC

* Depends on mysql-client as we provide mysql support with dbconfig-common.
  (closes: #398621)
* Urgency set to high to fix the etch RC bug.
* Updated the Bugzilla version (debian minor) in Bugzilla/Config.pm.

Author: Alexis Sukrieh
Revision Date: 2006-06-07 12:49:53 UTC

* New upstream release (2.22).
  (closes: #365304)
* Tempaltes moved to `/var/lib/bugzilla' instead of `/usr/share/bugzilla'
  which is more appropriate, and compliant with README.Debian.
  (closes: #368605)
* Doesn't overwrite `/etc/bugzilla/localconfig' silently, uses ucf for
  replacing this file so the local administrator can check if he wants to
  update the DB access or not. It's then possible to upgrade from version
  prior to 2.22 with denying to use dbconfig-common.
  (closes: #366961)

Author: Alexis Sukrieh
Revision Date: 2005-10-15 18:55:24 UTC

* New upstream release.
  (closes: #331242)
* New dependency: libmailtools-perl for Mail/Mailer.pm
* New dutch po-debconf translation (Thanks to Luk Claes).
  (closes: #328675)
* New catalan po-debconf translation (Thanks to Miguel Gea Milvaques).
  (closes: #328930)
* New spanish po-debconf translation (Thanks to César Gómez Martín).
  (closes: #333900)
* New german po-debconf translation (Thanks to Jens Nachtigall).
  (closes: #326794)
* Added debconf-2.0 dependency.
  (closes: #331769)

Author: Alexis Sukrieh
Revision Date: 2005-10-03 16:51:01 UTC

* New upstream minor release
  + Fixed a security issue: It was possible to bypass the "user
    visibility groups" restrictions if user-matching was turned on
    in "substring" mode.
  + Fixed a security issue: config.cgi exposed information to users who
    weren't logged in, even when "requirelogin" was turned on in Bugzilla.
  (closes: #331206)

Author: Nafallo Bjälevik
Revision Date: 2005-05-06 09:56:00 UTC

* SECURITY UPDATE: cross-site scripting (XSS)
* CGI.pl:
  - Applied patch from upstream.
* template/en/default/global/code-error.html.tmpl:
  - Applied patch from upstream.
* References:
  CAN-2004-1061

Author: Francesco Paolo Lovergine
Revision Date: 2004-12-07 22:54:45 UTC

* NMU 0-days due to serious/important bug solving which prevents
  bugzilla entering testing.

[ Alexis Sukrieh ]

* Post-inst won't fail anymore when no MySQL server is
  available. Added an automatic way of setting up the MySQL server if
  /etc/mysql/debian.cnf exists, will read values from it then.
  (closes: #250638)
* Using a MySQL user with '-' inside its name won't fail anymore.
  (closes unreported bug)
* Better handling on DBI connection errors. When DBI complains about
  something, user is not confused anymore by ugly error messages.
  (closes: #154249)
* Running checksetup.pl by hand won't break the Bugzilla's installation
  anymore. User can use it as he want without running dpkg-reconfigure.
  (closes: #200707)

[ Francesco P. Lovergine ]

* Now rules removes .cvsignore file which trashes /usr/share/bugzilla/template.
* Added virtual package httpd to the list of web server.
  (closes: #213784)

Author: Nafallo Bjälevik
Revision Date: 2005-06-14 11:06:00 UTC

* SECURITY UPDATE: multiple vulnerabilities
* CGI.pl, template/en/default/global/code-error.html.tmpl:
  - Substitute <, > and & with their HTML alternatives to prevent XSS.
  - CAN-2004-1061
* editgroups.cgi, editusers.cgi:
  - Rewrite of the SQL querys for grouphandling to prevent SQL injection.
  - CAN-2004-0707
* editgroups.cgi, editusers.cgi, editcomponents.cgi, editmilestones,
  editproducts.cgi, editversions.cgi:
  - Removed un-needed form value display code to fix an XSS vulnerability.
  - CAN-2004-0705
* buglist.cgi, duplicates.cgi:
  - Added a check to see if the user is priviledged to see a hidden product.
    This prevents an information leak that showed the user all products by
    visiting duplicates.cgi. Also the check was needed for buglist.cgi.
  - CAN-2004-0704
* References:
  http://www.bugzilla.org/security/2.16.5/

Author: Rémi Perrot
Revision Date: 2004-04-02 01:13:32 UTC

Duplicate table creation is now also fixed in bugzilla.postinst
(closes: #224288)