From ac8356efb0dbc7d2b32f53bc6141644e41ec7177 Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Fri, 7 Nov 2008 04:32:42 +0000 Subject: [PATCH 1/8] Initialize branch F-10 for bugzilla --- branch | 1 + 1 file changed, 1 insertion(+) create mode 100644 branch diff --git a/branch b/branch new file mode 100644 index 0000000..dc32377 --- /dev/null +++ b/branch @@ -0,0 +1 @@ +F-10 From adc0bf1cae89a8f552f47a27a2e4fc7372d11aec Mon Sep 17 00:00:00 2001 From: Itamar Reis Peixoto Date: Sun, 1 Mar 2009 03:31:42 +0000 Subject: [PATCH 2/8] new version 3.0.8 --- .cvsignore | 2 +- bugzilla.spec | 24 ++++++++++++++++++++---- import.log | 1 + sources | 2 +- 4 files changed, 23 insertions(+), 6 deletions(-) create mode 100644 import.log diff --git a/.cvsignore b/.cvsignore index 6a34202..f7af357 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -bugzilla-3.0.4.tar.gz +bugzilla-3.0.8.tar.gz diff --git a/bugzilla.spec b/bugzilla.spec index 3949561..149bd53 100644 --- a/bugzilla.spec +++ b/bugzilla.spec @@ -4,9 +4,9 @@ Summary: Bug tracking system URL: http://www.bugzilla.org/ Name: bugzilla -Version: 3.0.4 +Version: 3.0.8 Group: Applications/Publishing -Release: 2%{?dist} +Release: 1%{?dist} License: MPLv1.1 Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz Source1: bugzilla-httpd-conf @@ -14,7 +14,7 @@ Source2: README.fedora.bugzilla Patch0: bugzilla-rw-paths.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch -Requires: smtpdaemon, webserver, patchutils, mod_perl, perl-SOAP-Lite, perl-Email-Simple, perl-Email-MIME-Modifier, perl-Template-Toolkit, perl-MIME-tools, perl-Email-MIME-Attachment-Stripper, perl-Email-Send, perl-Email-Reply, perl-Email-MIME, perl-Email-Address, which +Requires: webserver, patchutils, mod_perl, perl-SOAP-Lite, which %package doc Summary: Bugzilla documentation 
@@ -128,12 +128,28 @@ popd > /dev/null %dir %{_sysconfdir}/bugzilla %files doc +%defattr(-,root,root,-) %{bzinstallprefix}/bugzilla/docs %files contrib +%defattr(-,root,root,-) %{bzinstallprefix}/bugzilla/contrib %changelog +* Sat Feb 28 2009 Itamar Reis Peixoto 3.0.8-1 +- Upgrade to 3.0.8, fix #466077 #438080 +- fix macro in changelog rpmlint warning +- fix files-attr-not-set rpmlint warning for doc and contrib sub-packages + + +* Mon Feb 23 2009 Fedora Release Engineering - 3.0.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Feb 2 2009 Stepan Kasal - 3.0.4-3 +- do not require perl-Email-Simple, it is (no longer) in use +- remove several explicit perl-* requires; the automatic dependencies + do handle them + * Mon Jul 14 2008 Tom "spot" Callaway - 3.0.4-2 - fix license tag @@ -200,7 +216,7 @@ popd > /dev/null * Mon Jun 26 2006 John Berninger - 2.22-5 - License is MPL, not GPL -- Clean up %doc specs +- Clean up %%doc specs * Sun Jun 25 2006 John Benringer - 2.22-4 - Remove localconfig file per upstream diff --git a/import.log b/import.log new file mode 100644 index 0000000..5a624ea --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +bugzilla-3_0_8-1_fc11:F-10:bugzilla-3.0.8-1.fc11.src.rpm:1235878257 diff --git a/sources b/sources index e0ea8df..a2bb921 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f55a3f3cde9cf1bf56492d18c8f7afe4 bugzilla-3.0.4.tar.gz +fff5060b85bc50a40ea5f5de0f7b17b0 bugzilla-3.0.8.tar.gz From 48732fb2a5e41c9de45c7f1c1614744f3a9e8f92 Mon Sep 17 00:00:00 2001 From: Itamar Reis Peixoto Date: Thu, 5 Mar 2009 15:22:45 +0000 Subject: [PATCH 3/8] bugzilla version 3.2.2bugzilla version 3.2.2bugzilla version 3.2.2 --- .cvsignore | 2 +- bugzilla-rw-paths.patch | 13 ++- bugzilla.spec | 46 ++++++--- import.log | 1 + maxpacket-mysql-3.2.patch | 198 ++++++++++++++++++++++++++++++++++++++ sources | 2 +- 6 files changed, 241 insertions(+), 21 deletions(-) create mode 100644 maxpacket-mysql-3.2.patch 
diff --git a/.cvsignore b/.cvsignore index f7af357..f09f584 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -bugzilla-3.0.8.tar.gz +bugzilla-3.2.2.tar.gz diff --git a/bugzilla-rw-paths.patch b/bugzilla-rw-paths.patch index d6441e9..a9ae59f 100644 --- a/bugzilla-rw-paths.patch +++ b/bugzilla-rw-paths.patch @@ -1,7 +1,6 @@ -diff -ru bugzilla-orig/Bugzilla/Constants.pm bugzilla-3.0.1/Bugzilla/Constants.pm ---- bugzilla-orig/Bugzilla/Constants.pm 2007-08-23 14:42:23.000000000 -0400 -+++ bugzilla-3.0.1/Bugzilla/Constants.pm 2007-08-27 08:50:50.000000000 -0400 -@@ -423,9 +423,9 @@ +--- bugzilla-3.2.2/Bugzilla/Constants.pm 2009-02-03 10:02:53.000000000 +0000 ++++ bugzilla-3.2.2-rw/Bugzilla/Constants.pm 2009-02-18 17:59:52.000000000 +0000 +@@ -465,9 +465,9 @@ 'cgi_path' => $libpath, 'templatedir' => "$libpath/template", 'project' => $project, @@ -12,9 +11,9 @@ diff -ru bugzilla-orig/Bugzilla/Constants.pm bugzilla-3.0.1/Bugzilla/Constants.p + 'datadir' => "/var/lib/bugzilla/$datadir", + 'attachdir' => "/var/lib/bugzilla/$datadir/attachments", 'skinsdir' => "$libpath/skins", - # $webdotdir must be in the webtree somewhere. Even if you use a + # $webdotdir must be in the web server's tree somewhere. Even if you use a # local dot, we output images to there. Also, if $webdotdir is -@@ -433,8 +433,8 @@ +@@ -475,8 +475,8 @@ # change showdependencygraph.cgi to set image_url to the correct # location. # The script should really generate these graphs directly... @@ -24,4 +23,4 @@ diff -ru bugzilla-orig/Bugzilla/Constants.pm bugzilla-3.0.1/Bugzilla/Constants.p + 'extensionsdir' => "/var/lib/bugzilla/extensions", }; } - + diff --git a/bugzilla.spec b/bugzilla.spec index 149bd53..8789999 100644 --- a/bugzilla.spec +++ b/bugzilla.spec 
@@ -4,17 +4,19 @@ Summary: Bug tracking system URL: http://www.bugzilla.org/ Name: bugzilla -Version: 3.0.8 +Version: 3.2.2 Group: Applications/Publishing -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv1.1 Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz Source1: bugzilla-httpd-conf Source2: README.fedora.bugzilla Patch0: bugzilla-rw-paths.patch +Patch1: maxpacket-mysql-3.2.patch +# patch1 from https://bugzilla.mozilla.org/show_bug.cgi?id=480001 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch -Requires: webserver, patchutils, mod_perl, perl-SOAP-Lite, which +Requires: webserver, patchutils, mod_perl, perl(SOAP::Lite), which %package doc Summary: Bugzilla documentation @@ -23,11 +25,13 @@ Group: Documentation %package contrib Summary: Bugzilla contributed scripts Group: Applications/Publishing +BuildRequires: python %description -Bugzilla is a popular bug tracking system used by multiple open source -projects. It requires a database engine installed - either MySQL or -PostgreSQL. Without one of these database engines, Bugzilla will not work. +Bugzilla is a popular bug tracking system used by multiple open source projects +It requires a database engine installed - either MySQL, PostgreSQL or Oracle. +Without one of these database engines (local or remote), Bugzilla will not work +- see the Release Notes for details. %description doc Documentation distributed with the Bugzilla bug tracking system 
@@ -38,14 +42,18 @@ Contributed scripts and functions for Bugzilla %prep %setup -q -n %{name}-%{version} %patch0 -p1 +%patch1 -p0 -# Filter unwanted Requires: +# Filter unwanted Requires found by /usr/lib/rpm/perldeps.pl: +# create a wrapper script which runs the original perl_requires +# command and strips some of the output cat << \EOF > %{name}-req #!/bin/sh %{__perl_requires} $* |\ - sed -e '/perl(globals.pl)/d;/perl(BugzillaEmail)/d' +sed -e '/perl(Authen::Radius)/d;/perl(DBD::Pg)/d;/perl(DBD::Oracle)/d;/perl(sanitycheck.cgi)/d' EOF +# use that wrapper script instead of the original perl_requires script %define __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req chmod +x %{__perl_requires} @@ -101,7 +109,6 @@ popd > /dev/null %defattr(-,root,root,-) %dir %{bzinstallprefix}/bugzilla %{bzinstallprefix}/bugzilla/*.cgi -%{bzinstallprefix}/bugzilla/*.js %{bzinstallprefix}/bugzilla/*.pl %{bzinstallprefix}/bugzilla/Bugzilla.pm %{bzinstallprefix}/bugzilla/bugzilla.dtd @@ -113,6 +120,8 @@ popd > /dev/null %{bzinstallprefix}/bugzilla/skins %{bzinstallprefix}/bugzilla/t %{bzinstallprefix}/bugzilla/template +%{bzinstallprefix}/bugzilla/extensions/example +%{bzinstallprefix}/bugzilla/lib/README %{bzinstallprefix}/bugzilla/cron.daily %{bzinstallprefix}/bugzilla/cron.whine %ghost %{bzinstallprefix}/bugzilla/bugzilla-req 
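Review bot: In the `%prep` hunk the new `sed` filter drops `perl(DBD::Pg)` and `perl(DBD::Oracle)` from the generated Requires, while the description updated in this same commit lists PostgreSQL and Oracle as supported, and the added comments do not say why these are excluded. If they are filtered because they are optional back ends (an assumption from the changelog wording), record that next to the filter, e.g. `# optional modules: the admin installs the DBD driver or RADIUS module they actually use`, so a later maintainer does not read the exclusion as "unused". The patterns are unanchored basic regular expressions, so the `.` in `sanitycheck.cgi` matches any character; that is harmless here, but `sanitycheck\.cgi` states the intent.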
@@ -136,11 +145,24 @@ popd > /dev/null %{bzinstallprefix}/bugzilla/contrib %changelog +* Thu Mar 05 2009 Itamar Reis Peixoto 3.2.2-2 +- fix from BZ #474250 Comment #16, from Chris Eveleigh --> +- add python BR for contrib subpackage +- fix description +- change Requires perl-SOAP-Lite to perl(SOAP::Lite) according guidelines + +* Sun Mar 01 2009 Itamar Reis Peixoto 3.2.2-1 +- thanks to Chris Eveleigh +- for contributing with patches :-) +- Upgrade to upstream 3.2.2 to fix multiple security vulns +- Removed old perl_requires exclusions, added new ones for RADIUS, Oracle and sanitycheck.cgi +- Added Oracle to supported DBs in description (and moved line breaks) +- Include a patch to fix max_allowed_packet warnin when using with mysql + * Sat Feb 28 2009 Itamar Reis Peixoto 3.0.8-1 - Upgrade to 3.0.8, fix #466077 #438080 - fix macro in changelog rpmlint warning -- fix files-attr-not-set rpmlint warning for doc and contrib sub-packages - +- fix files-attr-not-set rpmlint warning for doc and contrib sub-packages * Mon Feb 23 2009 Fedora Release Engineering - 3.0.4-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild @@ -155,7 +177,7 @@ popd > /dev/null * Fri May 9 2008 John Berninger - 3.0.4-1 - Update to upstream 3.0.4 to fix multiple security vulns -- Change perms on /etc/bugzilla for bz 427981 +- Change perms on /etc/bugzilla for bz 427981 * Sun May 4 2008 John Berninger - 3.0.3-0 - Update to upstream 3.0.3 - bz 444669 diff --git a/import.log b/import.log index 5a624ea..850c6e8 100644 --- a/import.log +++ b/import.log @@ -1 +1,2 @@ bugzilla-3_0_8-1_fc11:F-10:bugzilla-3.0.8-1.fc11.src.rpm:1235878257 +bugzilla-3_2_2-2_fc10:F-10:bugzilla-3.2.2-2.fc10.src.rpm:1236266484 diff --git a/maxpacket-mysql-3.2.patch b/maxpacket-mysql-3.2.patch new file mode 100644 index 0000000..bf57151 --- /dev/null +++ b/maxpacket-mysql-3.2.patch 
@@ -0,0 +1,198 @@ +Index: Bugzilla/Config/Attachment.pm +=================================================================== +RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Attachment.pm,v +retrieving revision 1.3.4.2 +diff -u -r1.3.4.2 Attachment.pm +--- Bugzilla/Config/Attachment.pm 2 Feb 2009 19:12:15 -0000 1.3.4.2 ++++ Bugzilla/Config/Attachment.pm 1 Mar 2009 23:56:15 -0000 +@@ -74,7 +74,7 @@ + name => 'maxattachmentsize', + type => 't', + default => '1000', +- checker => \&check_numeric ++ checker => \&check_maxattachmentsize + }, + + # The maximum size (in bytes) for patches and non-patch attachments. +Index: Bugzilla/Config/Common.pm +=================================================================== +RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Common.pm,v +retrieving revision 1.21 +diff -u -r1.21 Common.pm +--- Bugzilla/Config/Common.pm 27 Mar 2008 00:23:41 -0000 1.21 ++++ Bugzilla/Config/Common.pm 1 Mar 2009 23:56:15 -0000 +@@ -50,7 +50,8 @@ + check_opsys check_shadowdb check_urlbase check_webdotbase + check_netmask check_user_verify_class check_image_converter + check_mail_delivery_method check_notification check_timezone check_utf8 +- check_bug_status check_smtp_auth ++ check_bug_status check_smtp_auth ++ check_maxattachmentsize + ); + + # Checking functions for the various values +@@ -320,6 +321,24 @@ + return ""; + } + ++sub check_maxattachmentsize { ++ my $check = check_numeric(@_); ++ return $check if $check; ++ my $size = shift; ++ my $dbh = Bugzilla->dbh; ++ if ($dbh->isa('Bugzilla::DB::Mysql')) { ++ my (undef, $max_packet) = $dbh->selectrow_array( ++ q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); ++ my $byte_size = $size * 1024; ++ if ($max_packet < $byte_size) { ++ return "You asked for a maxattachmentsize of $byte_size bytes," ++ . " but the max_allowed_packet setting in MySQL currently" ++ . 
" only allows packets up to $max_packet bytes"; ++ } ++ } ++ return ""; ++} ++ + sub check_notification { + my $option = shift; + my @current_version = +Index: Bugzilla/DB/Mysql.pm +=================================================================== +RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/DB/Mysql.pm,v +retrieving revision 1.60.2.7 +diff -u -r1.60.2.7 Mysql.pm +--- Bugzilla/DB/Mysql.pm 7 Nov 2008 00:10:15 -0000 1.60.2.7 ++++ Bugzilla/DB/Mysql.pm 1 Mar 2009 23:56:15 -0000 +@@ -44,6 +44,7 @@ + use strict; + + use Bugzilla::Constants; ++use Bugzilla::Install::Util qw(install_string); + use Bugzilla::Util; + use Bugzilla::Error; + use Bugzilla::DB::Schema::Mysql; +@@ -97,20 +98,9 @@ + } + } + +- # The "comments" field of the bugs_fulltext table could easily exceed +- # MySQL's default max_allowed_packet. Also, MySQL should never have +- # a max_allowed_packet smaller than our max_attachment_size. However, +- # if we've already set a max_allowed_packet in MySQL bigger than all +- # of those, we should keep it. +- my (undef, $current_max_allowed) = $self->selectrow_array( +- q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); +- my $min_max_allowed_packet = MAX_COMMENTS * MAX_COMMENT_LENGTH; +- my $max_allowed_packet = max($min_max_allowed_packet, +- $current_max_allowed, +- # This parameter is not yet defined when the DB +- # is being built for the very first time. +- Bugzilla->params->{'maxattachmentsize'} || 0); +- $self->do("SET SESSION max_allowed_packet = $max_allowed_packet"); ++ # Allow large GROUP_CONCATs (largely for inserting comments ++ # into bugs_fulltext). ++ $self->do('SET SESSION group_concat_max_len = 128000000'); + + return $self; + } +@@ -244,6 +234,24 @@ + sub bz_setup_database { + my ($self) = @_; + ++ # The "comments" field of the bugs_fulltext table could easily exceed ++ # MySQL's default max_allowed_packet. Also, MySQL should never have ++ # a max_allowed_packet smaller than our max_attachment_size. 
So, we ++ # warn the user here if max_allowed_packet is too small. ++ my $min_max_allowed = MAX_COMMENTS * MAX_COMMENT_LENGTH; ++ my (undef, $current_max_allowed) = $self->selectrow_array( ++ q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); ++ # This parameter is not yet defined when the DB is being built for ++ # the very first time. The code below still works properly, however, ++ # because the default maxattachmentsize is smaller than $min_max_allowed. ++ my $max_attachment = (Bugzilla->params->{'maxattachmentsize'} || 0) * 1024; ++ my $needed_max_allowed = max($min_max_allowed, $max_attachment); ++ if ($current_max_allowed < $needed_max_allowed) { ++ warn install_string('max_allowed_packet', ++ { current => $current_max_allowed, ++ needed => $needed_max_allowed }) . "\n"; ++ } ++ + # Make sure the installation has InnoDB turned on, or we're going to be + # doing silly things like making foreign keys on MyISAM tables, which is + # hard to fix later. We do this up here because none of the code below +Index: Bugzilla/Install/DB.pm +=================================================================== +RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/DB.pm,v +retrieving revision 1.51.2.2 +diff -u -r1.51.2.2 DB.pm +--- Bugzilla/Install/DB.pm 27 Aug 2008 15:22:10 -0000 1.51.2.2 ++++ Bugzilla/Install/DB.pm 1 Mar 2009 23:56:15 -0000 +@@ -3009,11 +3009,6 @@ + if (UNIVERSAL::can($dbh, 'sql_group_concat')) { + print "Populating bugs_fulltext..."; + print " (this can take a long time.)\n"; +- # XXX This hack should probably be moved elsewhere. 
+- if ($dbh->isa('Bugzilla::DB::Mysql')) { +- $dbh->do('SET SESSION group_concat_max_len = 128000000'); +- $dbh->do('SET SESSION max_allowed_packet = 128000000'); +- } + $dbh->do( + q{INSERT INTO bugs_fulltext (bug_id, short_desc, comments, + comments_noprivate) +Index: docs/en/xml/installation.xml +=================================================================== +RCS file: /cvsroot/mozilla/webtools/bugzilla/docs/en/xml/installation.xml,v +retrieving revision 1.157.2.6 +diff -u -r1.157.2.6 installation.xml +--- docs/en/xml/installation.xml 8 Jan 2009 23:44:22 -0000 1.157.2.6 ++++ docs/en/xml/installation.xml 1 Mar 2009 23:56:15 -0000 +@@ -778,6 +778,28 @@ + improving your installation's security. + + ++ ++
++ Allow large attachments and many comments ++ ++ By default, MySQL will only allow you to insert things ++ into the database that are smaller than 64KB. Attachments ++ may be larger than this. Also, Bugzilla combines all comments ++ on a single bug into one field for full-text searching, and the ++ combination of all comments on a single bug are very likely to ++ be larger than 64KB. ++ ++ To change MySQL's default, you need to edit your MySQL ++ configuration file, which is usually /etc/my.cnf ++ on Linux. We recommend that you allow at least 4MB packets by ++ adding the "max_allowed_packet" parameter to your MySQL ++ configuration in the "[mysqld]" section, like this: ++ ++ [mysqld] ++# Allow packets up to 4MB ++max_allowed_packet=4M ++ ++
+ +
+ Allow small words in full-text indexes +Index: template/en/default/setup/strings.txt.pl +=================================================================== +RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/setup/strings.txt.pl,v +retrieving revision 1.8 +diff -u -r1.8 strings.txt.pl +--- template/en/default/setup/strings.txt.pl 28 Jan 2008 00:54:59 -0000 1.8 ++++ template/en/default/setup/strings.txt.pl 1 Mar 2009 23:56:15 -0000 +@@ -52,6 +52,12 @@ + + EOT + install_module => 'Installing ##module## version ##version##...', ++ max_allowed_packet => < "found v##ver##", + module_not_found => "not found", + module_ok => 'ok', + diff --git a/sources b/sources index a2bb921..56c909f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -fff5060b85bc50a40ea5f5de0f7b17b0 bugzilla-3.0.8.tar.gz +ad9eca21b6bafdd7a9a34e4c1b55281e bugzilla-3.2.2.tar.gz From f94e2a5a25732c786f4ed4b9bc222d4cfe8462e5 Mon Sep 17 00:00:00 2001 From: Itamar Reis Peixoto Date: Mon, 6 Apr 2009 23:22:57 +0000 Subject: [PATCH 4/8] 3.2.3 - fix CVE-2009-1213 --- .cvsignore | 2 +- bugzilla.spec | 15 +-- import.log | 1 + maxpacket-mysql-3.2.patch | 198 -------------------------------------- sources | 2 +- 5 files changed, 11 insertions(+), 207 deletions(-) delete mode 100644 maxpacket-mysql-3.2.patch diff --git a/.cvsignore b/.cvsignore index f09f584..6399c1b 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -bugzilla-3.2.2.tar.gz +bugzilla-3.2.3.tar.gz diff --git a/bugzilla.spec b/bugzilla.spec index 8789999..1097a21 100644 --- a/bugzilla.spec +++ b/bugzilla.spec 
@@ -4,16 +4,15 @@ Summary: Bug tracking system URL: http://www.bugzilla.org/ Name: bugzilla -Version: 3.2.2 +Version: 3.2.3 Group: Applications/Publishing -Release: 2%{?dist} +Release: 1%{?dist} License: MPLv1.1 Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz Source1: bugzilla-httpd-conf Source2: README.fedora.bugzilla Patch0: bugzilla-rw-paths.patch -Patch1: maxpacket-mysql-3.2.patch -# patch1 from https://bugzilla.mozilla.org/show_bug.cgi?id=480001 + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch Requires: webserver, patchutils, mod_perl, perl(SOAP::Lite), which @@ -42,7 +41,6 @@ Contributed scripts and functions for Bugzilla %prep %setup -q -n %{name}-%{version} %patch0 -p1 -%patch1 -p0 # Filter unwanted Requires found by /usr/lib/rpm/perldeps.pl: # create a wrapper script which runs the original perl_requires @@ -101,9 +99,9 @@ install -m 0644 -D -p %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/httpd/conf.d/b rm -rf ${RPM_BUILD_ROOT} %post -pushd %{bzinstallprefix}/bugzilla > /dev/null +(pushd %{bzinstallprefix}/bugzilla > /dev/null ./checksetup.pl > /dev/null -popd > /dev/null +popd > /dev/null) %files %defattr(-,root,root,-) @@ -145,6 +143,9 @@ popd > /dev/null %{bzinstallprefix}/bugzilla/contrib %changelog +* Mon Apr 06 2009 Itamar Reis Peixoto 3.2.3-1 +- fix CVE-2009-1213 + * Thu Mar 05 2009 Itamar Reis Peixoto 3.2.2-2 - fix from BZ #474250 Comment #16, from Chris Eveleigh --> - add python BR for contrib subpackage diff --git a/import.log b/import.log index 850c6e8..213c4d1 100644 --- a/import.log +++ b/import.log @@ -1,2 +1,3 @@ bugzilla-3_0_8-1_fc11:F-10:bugzilla-3.0.8-1.fc11.src.rpm:1235878257 bugzilla-3_2_2-2_fc10:F-10:bugzilla-3.2.2-2.fc10.src.rpm:1236266484 +bugzilla-3_2_3-1_fc11:F-10:bugzilla-3.2.3-1.fc11.src.rpm:1239060133 diff --git a/maxpacket-mysql-3.2.patch b/maxpacket-mysql-3.2.patch deleted file mode 100644 index bf57151..0000000 
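Review bot: In the rewritten `%post` body, `./checksetup.pl` still runs when `pushd %{bzinstallprefix}/bugzilla` fails, so the scriptlet (normally run as root) would execute whatever `checksetup.pl` is reachable from the current directory. Now that the commands sit in a subshell, `pushd`/`popd` are unnecessary: `(cd %{bzinstallprefix}/bugzilla && ./checksetup.pl > /dev/null)` keeps the caller's directory untouched and skips the script if the directory is missing. `pushd` is a bash builtin, so the current form also depends on the scriptlet shell being bash. Note that with the `&&` form the subshell's exit status becomes that of `checksetup.pl` rather than `popd`; decide whether a failed setup should fail the scriptlet or append `|| :` to keep today's behaviour.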
--- a/maxpacket-mysql-3.2.patch
+++ /dev/null
@@ -1,198 +0,0 @@ -Index: Bugzilla/Config/Attachment.pm -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Attachment.pm,v -retrieving revision 1.3.4.2 -diff -u -r1.3.4.2 Attachment.pm ---- Bugzilla/Config/Attachment.pm 2 Feb 2009 19:12:15 -0000 1.3.4.2 -+++ Bugzilla/Config/Attachment.pm 1 Mar 2009 23:56:15 -0000 -@@ -74,7 +74,7 @@ - name => 'maxattachmentsize', - type => 't', - default => '1000', -- checker => \&check_numeric -+ checker => \&check_maxattachmentsize - }, - - # The maximum size (in bytes) for patches and non-patch attachments. -Index: Bugzilla/Config/Common.pm -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Common.pm,v -retrieving revision 1.21 -diff -u -r1.21 Common.pm ---- Bugzilla/Config/Common.pm 27 Mar 2008 00:23:41 -0000 1.21 -+++ Bugzilla/Config/Common.pm 1 Mar 2009 23:56:15 -0000 -@@ -50,7 +50,8 @@ - check_opsys check_shadowdb check_urlbase check_webdotbase - check_netmask check_user_verify_class check_image_converter - check_mail_delivery_method check_notification check_timezone check_utf8 -- check_bug_status check_smtp_auth -+ check_bug_status check_smtp_auth -+ check_maxattachmentsize - ); - - # Checking functions for the various values -@@ -320,6 +321,24 @@ - return ""; - } - -+sub check_maxattachmentsize { -+ my $check = check_numeric(@_); -+ return $check if $check; -+ my $size = shift; -+ my $dbh = Bugzilla->dbh; -+ if ($dbh->isa('Bugzilla::DB::Mysql')) { -+ my (undef, $max_packet) = $dbh->selectrow_array( -+ q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); -+ my $byte_size = $size * 1024; -+ if ($max_packet < $byte_size) { -+ return "You asked for a maxattachmentsize of $byte_size bytes," -+ . " but the max_allowed_packet setting in MySQL currently" -+ . 
" only allows packets up to $max_packet bytes"; -+ } -+ } -+ return ""; -+} -+ - sub check_notification { - my $option = shift; - my @current_version = -Index: Bugzilla/DB/Mysql.pm -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/DB/Mysql.pm,v -retrieving revision 1.60.2.7 -diff -u -r1.60.2.7 Mysql.pm ---- Bugzilla/DB/Mysql.pm 7 Nov 2008 00:10:15 -0000 1.60.2.7 -+++ Bugzilla/DB/Mysql.pm 1 Mar 2009 23:56:15 -0000 -@@ -44,6 +44,7 @@ - use strict; - - use Bugzilla::Constants; -+use Bugzilla::Install::Util qw(install_string); - use Bugzilla::Util; - use Bugzilla::Error; - use Bugzilla::DB::Schema::Mysql; -@@ -97,20 +98,9 @@ - } - } - -- # The "comments" field of the bugs_fulltext table could easily exceed -- # MySQL's default max_allowed_packet. Also, MySQL should never have -- # a max_allowed_packet smaller than our max_attachment_size. However, -- # if we've already set a max_allowed_packet in MySQL bigger than all -- # of those, we should keep it. -- my (undef, $current_max_allowed) = $self->selectrow_array( -- q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); -- my $min_max_allowed_packet = MAX_COMMENTS * MAX_COMMENT_LENGTH; -- my $max_allowed_packet = max($min_max_allowed_packet, -- $current_max_allowed, -- # This parameter is not yet defined when the DB -- # is being built for the very first time. -- Bugzilla->params->{'maxattachmentsize'} || 0); -- $self->do("SET SESSION max_allowed_packet = $max_allowed_packet"); -+ # Allow large GROUP_CONCATs (largely for inserting comments -+ # into bugs_fulltext). -+ $self->do('SET SESSION group_concat_max_len = 128000000'); - - return $self; - } -@@ -244,6 +234,24 @@ - sub bz_setup_database { - my ($self) = @_; - -+ # The "comments" field of the bugs_fulltext table could easily exceed -+ # MySQL's default max_allowed_packet. Also, MySQL should never have -+ # a max_allowed_packet smaller than our max_attachment_size. 
So, we -+ # warn the user here if max_allowed_packet is too small. -+ my $min_max_allowed = MAX_COMMENTS * MAX_COMMENT_LENGTH; -+ my (undef, $current_max_allowed) = $self->selectrow_array( -+ q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); -+ # This parameter is not yet defined when the DB is being built for -+ # the very first time. The code below still works properly, however, -+ # because the default maxattachmentsize is smaller than $min_max_allowed. -+ my $max_attachment = (Bugzilla->params->{'maxattachmentsize'} || 0) * 1024; -+ my $needed_max_allowed = max($min_max_allowed, $max_attachment); -+ if ($current_max_allowed < $needed_max_allowed) { -+ warn install_string('max_allowed_packet', -+ { current => $current_max_allowed, -+ needed => $needed_max_allowed }) . "\n"; -+ } -+ - # Make sure the installation has InnoDB turned on, or we're going to be - # doing silly things like making foreign keys on MyISAM tables, which is - # hard to fix later. We do this up here because none of the code below -Index: Bugzilla/Install/DB.pm -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/DB.pm,v -retrieving revision 1.51.2.2 -diff -u -r1.51.2.2 DB.pm ---- Bugzilla/Install/DB.pm 27 Aug 2008 15:22:10 -0000 1.51.2.2 -+++ Bugzilla/Install/DB.pm 1 Mar 2009 23:56:15 -0000 -@@ -3009,11 +3009,6 @@ - if (UNIVERSAL::can($dbh, 'sql_group_concat')) { - print "Populating bugs_fulltext..."; - print " (this can take a long time.)\n"; -- # XXX This hack should probably be moved elsewhere. 
-- if ($dbh->isa('Bugzilla::DB::Mysql')) { -- $dbh->do('SET SESSION group_concat_max_len = 128000000'); -- $dbh->do('SET SESSION max_allowed_packet = 128000000'); -- } - $dbh->do( - q{INSERT INTO bugs_fulltext (bug_id, short_desc, comments, - comments_noprivate) -Index: docs/en/xml/installation.xml -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/docs/en/xml/installation.xml,v -retrieving revision 1.157.2.6 -diff -u -r1.157.2.6 installation.xml ---- docs/en/xml/installation.xml 8 Jan 2009 23:44:22 -0000 1.157.2.6 -+++ docs/en/xml/installation.xml 1 Mar 2009 23:56:15 -0000 -@@ -778,6 +778,28 @@ - improving your installation's security. - - -+ -+
-+ Allow large attachments and many comments -+ -+ By default, MySQL will only allow you to insert things -+ into the database that are smaller than 64KB. Attachments -+ may be larger than this. Also, Bugzilla combines all comments -+ on a single bug into one field for full-text searching, and the -+ combination of all comments on a single bug are very likely to -+ be larger than 64KB. -+ -+ To change MySQL's default, you need to edit your MySQL -+ configuration file, which is usually /etc/my.cnf -+ on Linux. We recommend that you allow at least 4MB packets by -+ adding the "max_allowed_packet" parameter to your MySQL -+ configuration in the "[mysqld]" section, like this: -+ -+ [mysqld] -+# Allow packets up to 4MB -+max_allowed_packet=4M -+ -+
- -
- Allow small words in full-text indexes -Index: template/en/default/setup/strings.txt.pl -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/setup/strings.txt.pl,v -retrieving revision 1.8 -diff -u -r1.8 strings.txt.pl ---- template/en/default/setup/strings.txt.pl 28 Jan 2008 00:54:59 -0000 1.8 -+++ template/en/default/setup/strings.txt.pl 1 Mar 2009 23:56:15 -0000 -@@ -52,6 +52,12 @@ - - EOT - install_module => 'Installing ##module## version ##version##...', -+ max_allowed_packet => < "found v##ver##", - module_not_found => "not found", - module_ok => 'ok', - diff --git a/sources b/sources index 56c909f..afc4623 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -ad9eca21b6bafdd7a9a34e4c1b55281e bugzilla-3.2.2.tar.gz +fcc8f64fec821e76718fbda13e232b59 bugzilla-3.2.3.tar.gz From 4d8f1b8e17172c887a66efa092e017cd97cfc336 Mon Sep 17 00:00:00 2001 From: Itamar Reis Peixoto Date: Wed, 8 Jul 2009 19:22:40 +0000 Subject: [PATCH 5/8] new version 3.2.4 fix Unauthorized Bug Change --- .cvsignore | 2 +- bugzilla.spec | 5 ++++- import.log | 1 + sources | 2 +- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.cvsignore b/.cvsignore index 6399c1b..d30801d 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -bugzilla-3.2.3.tar.gz +bugzilla-3.2.4.tar.gz diff --git a/bugzilla.spec b/bugzilla.spec index 1097a21..37757a3 100644 --- a/bugzilla.spec +++ b/bugzilla.spec @@ -4,7 +4,7 @@ Summary: Bug tracking system URL: http://www.bugzilla.org/ Name: bugzilla -Version: 3.2.3 +Version: 3.2.4 Group: Applications/Publishing Release: 1%{?dist} License: MPLv1.1 @@ -143,6 +143,9 @@ popd > /dev/null) %{bzinstallprefix}/bugzilla/contrib %changelog +* Wed Jul 08 2009 Itamar Reis Peixoto - 3.2.4-1 +- fix https://bugzilla.mozilla.org/show_bug.cgi?id=495257 + * Mon Apr 06 2009 Itamar Reis Peixoto 3.2.3-1 - fix CVE-2009-1213 diff --git a/import.log b/import.log index 213c4d1..3554667 100644 --- a/import.log 
+++ b/import.log @@ -1,3 +1,4 @@ bugzilla-3_0_8-1_fc11:F-10:bugzilla-3.0.8-1.fc11.src.rpm:1235878257 bugzilla-3_2_2-2_fc10:F-10:bugzilla-3.2.2-2.fc10.src.rpm:1236266484 bugzilla-3_2_3-1_fc11:F-10:bugzilla-3.2.3-1.fc11.src.rpm:1239060133 +bugzilla-3_2_4-1_fc11:F-10:bugzilla-3.2.4-1.fc11.src.rpm:1247080919 diff --git a/sources b/sources index afc4623..a823be9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -fcc8f64fec821e76718fbda13e232b59 bugzilla-3.2.3.tar.gz +845c94c8a498340b244a2c36db7abd76 bugzilla-3.2.4.tar.gz From bdd445c10ca442da23b5960223ef446f5f2fc9fe Mon Sep 17 00:00:00 2001 From: Emmanuel Seyman Date: Fri, 11 Sep 2009 21:40:35 +0000 Subject: [PATCH 6/8] Update to 3.2.5 --- .cvsignore | 2 +- bugzilla.spec | 10 +++++----- sources | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.cvsignore b/.cvsignore index d30801d..d079a0f 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -bugzilla-3.2.4.tar.gz +bugzilla-3.2.5.tar.gz diff --git a/bugzilla.spec b/bugzilla.spec index 37757a3..5a3ab34 100644 --- a/bugzilla.spec +++ b/bugzilla.spec @@ -4,7 +4,7 @@ Summary: Bug tracking system URL: http://www.bugzilla.org/ Name: bugzilla -Version: 3.2.4 +Version: 3.2.5 Group: Applications/Publishing Release: 1%{?dist} License: MPLv1.1 @@ -88,7 +88,7 @@ cd %{bzinstallprefix}/bugzilla ./collectstats.pl EOM echo "0-59/15 * * * * apache cd %{bzinstallprefix}/bugzilla && env LANG=C %{bzinstallprefix}/bugzilla/whine.pl" > ${RPM_BUILD_ROOT}/%{bzinstallprefix}/bugzilla/cron.whine -rm -f ${RPM_BUILD_ROOT}/%{bzinstallprefix}/bugzilla/{README,QUICKSTART,UPGRADING,UPGRADING-pre-2.8} +rm -f ${RPM_BUILD_ROOT}/%{bzinstallprefix}/bugzilla/README mkdir -p ${RPM_BUILD_ROOT}/%{_datadir}/doc/%{name}-%{version} cp %{SOURCE2} ./README.fedora mkdir -p ${RPM_BUILD_ROOT}/%{bzdatadir} 
@@ -126,9 +126,6 @@ popd > /dev/null) %config(noreplace) %{_sysconfdir}/httpd/conf.d/bugzilla.conf %defattr(-,root,root,-) %doc README -%doc QUICKSTART -%doc UPGRADING -%doc UPGRADING-pre-2.8 %doc README.fedora %dir %{bzdatadir} %defattr(0750,root,apache,-) @@ -143,6 +140,9 @@ popd > /dev/null) %{bzinstallprefix}/bugzilla/contrib %changelog +* Fri Sep 11 2009 Emmanuel Seyman - 3.2.5-1 +- Update to 3.2.5 (CVE-2009-3125, CVE-2009-3165 and CVE-2009-3166) + * Wed Jul 08 2009 Itamar Reis Peixoto - 3.2.4-1 - fix https://bugzilla.mozilla.org/show_bug.cgi?id=495257 diff --git a/sources b/sources index a823be9..fda3a06 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -845c94c8a498340b244a2c36db7abd76 bugzilla-3.2.4.tar.gz +4e6a9c872bc1420a3702e244500ce964 bugzilla-3.2.5.tar.gz From 2a7cf613fe1ca5a227245d271feaca335ea0a855 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Thu, 26 Nov 2009 01:23:54 +0000 Subject: [PATCH 7/8] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index c2b3080..8518ff4 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,7 @@ NAME := bugzilla SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From 46b7f4210c143713c8809e0d2873229e8fcad183 Mon Sep 17 00:00:00 2001 
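Review bot: On the corrected line in the Makefile hunk, `cd $$d ; cvs -Q update` joins the two commands with `;`, so a failed `cd` still runs `cvs -Q update` in the package directory; `cd $$d && cvs -Q update` avoids that. With the `-w` test fixed, the update now actually runs, and it runs inside `$(shell …)` whose output is assigned to `MAKEFILE_COMMON`, so anything `cvs` prints on stdout would end up in that value; `cvs -Q update >/dev/null` keeps it to the single echoed path. The `$$d` uses in the `[ … ]` tests are unquoted, which is harmless for the three fixed candidates but inconsistent with the quoted `echo "$$d/Makefile.common"`. It is also worth a comment above the `define` stating that the loop may pick up `Makefile.common` from a parent directory and that every `make` invocation can trigger a CVS update.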
From: Fedora Release Engineering Date: Wed, 28 Jul 2010 11:18:56 +0000 Subject: [PATCH 8/8] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- branch | 1 - import.log | 4 ---- 4 files changed, 26 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 branch delete mode 100644 import.log diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 8518ff4..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for source rpm: bugzilla -# $Id$ -NAME := bugzilla -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attept a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) diff --git a/branch b/branch deleted file mode 100644 index dc32377..0000000 --- a/branch +++ /dev/null @@ -1 +0,0 @@ -F-10 diff --git a/import.log b/import.log deleted file mode 100644 index 3554667..0000000 --- a/import.log +++ /dev/null @@ -1,4 +0,0 @@ -bugzilla-3_0_8-1_fc11:F-10:bugzilla-3.0.8-1.fc11.src.rpm:1235878257 -bugzilla-3_2_2-2_fc10:F-10:bugzilla-3.2.2-2.fc10.src.rpm:1236266484 -bugzilla-3_2_3-1_fc11:F-10:bugzilla-3.2.3-1.fc11.src.rpm:1239060133 -bugzilla-3_2_4-1_fc11:F-10:bugzilla-3.2.4-1.fc11.src.rpm:1247080919