Hi. As I didn't have much spare time yesterday, I could not explain in detail what we've done for the 2.18 package and why an upload to sarge is welcome.
I will here list all the changes bugzilla 2.18 will provide, in the hope that could justify why we'd like to see that package hinting sarge.

Upstream security issue fixed in 2.18
------------------------------------------------------------------------------

Summary:   XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3
CVE Name:  CAN-2004-1061
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=272620

It was previously closed in our 2.16.7-2 package thanks to an upstream patch though (Bug #288245).

Debian changes provided by our 2.18 package
------------------------------------------------------------------------------

One important bug fix is provided by our 2.18 package and is still open in the 2.16 branch:

  303730 - failure creating a db with hyphens in name

The 2.18 package now handles a param file better than 2.16 did (with the use of ucf when needed, and with an automatic upgrade of the file when upgrading from previous version):

  305327 - bugzilla: params overwritten on upgrade

A couple of better translations are provided in the 2.18 package:

  305073 - bugzilla catalan debconf templates
  302911 - [INTL:nl] updated Dutch po-debconf translation
  (unreported fixes: New pt_BR.po, fr.po)

There are also several normal/minor bugs closed by the 2.18 package:

  221985 - bugzilla doesn't include "contrib" files
  143154 - missing documentation and scripts from contrib
  291206 - CVS files in binary package
  253651 - Package contains .arch-ids directories
  275681 - unclear wording in bugzilla.template

And to conclude, I also recall the fact some debian users strongly requested the arrival of 2.18 in sarge:

  290775 - Please consider packaging Bugzilla 2.18

Changes in the package's source
------------------------------------------------------------------------------

I'd like also to add that we enhanced the way the package is made in 2.18.
A huge cleaning has been done in the 2.18-5 package, and we also added the use of dpatch in the build process in order to handle nicely patches. There are now a set of 6 "dpatches" in the 2.18 sources, whereas the 2.16 ones have hard-coded patches in upstream sources:

  $ dpatch-list-patch
  Patches that would be applied:
    debian/patches/01_libpath.dpatch (<[EMAIL PROTECTED]>):
      Change every local paths to the Debian ones (/usr/share/bugzilla)
    debian/patches/02_checksetup.dpatch (<[EMAIL PROTECTED]>):
      Change checksetup.pl to fit our needs
    debian/patches/03_params_path.dpatch (<[EMAIL PROTECTED]>):
      Upstream patch: #291574 - Provide ability to specify location for the param file
    debian/patches/04_cookiepath.dpatch (<[EMAIL PROTECTED]>):
      Perform a check when entering a cookie path in editparams.cgi
    debian/patches/05_webpath.dpatch (<[EMAIL PROTECTED]>):
      Upstream patch: #280180 - Templates should provide a [% webpath %] token for a non standalone Bugzilla websites.
    debian/patches/06_contrib.dpatch (<[EMAIL PROTECTED]>):
      Change "shebangs" of contrib scripts to right Debian paths

Conclusion
------------------------------------------------------------------------------

For all the reasons above, I think that bugzilla 2.18-6 is worth an upload to sarge, either for us (better debian sources, thus better maintenance) or for our users (up-to-date upstream version).

Regards.

--
Alexis Sukrieh <[EMAIL PROTECTED]>
http://www.sukria.net

« Quidquid latine dictum sit, altum sonatur. »
Whatever is said in Latin sounds profound.

