Hi,

I would like to propose an update of the bugzilla3 package in lenny/stable. There are many further security fixes but also improvements/fixes in the installation routine.

Here is the changelog:

bugzilla (3.0.10.0-1) stable-security; urgency=low

  * New upstream release.
  * Remote attackers to delete unused flag types via a link or IMG tag to
    editflagtypes.cgi. CVE-2009-0485
  * Remote attackers to delete shared or saved searches via a link or IMG
    tag to buglist.cgi. CVE-2009-0484
  * Remote attackers to delete keywords and user preferences via a link or
    IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi. CVE-2009-0483
  * Remote authenticated users to conduct cross-site scripting (XSS) and
    related attacks by uploading HTML and JavaScript attachments that are
    rendered by web browsers. CVE-2009-0481
  * libtemplate-plugin-gd-perl is recommended. Closes: #539440
  * Include path /usr/share/bugzilla3 added. README.Debian explains how to
    install missing Perl modules for email_in.pl. Closes: #549700
  * The localhost mta/smtp/email server has to accept email sending.
    Closes: #522455
  * Support for new version of Germzilla added. Closes: #522401
  * Change access rights within cron's daily script. Closes: #516135
  * MySQL GRANT TABLES not in sync with /etc/bugzilla3/dbconfig-params
    Closes: #498672
  * Added Homepage tag in control file. Closes: #494845
  * Graphviz is not mandatory anymore. Closes: #493585
  * Added libmail-sendmail-perl dependency. Closes: #516101
  * Fixed ucf warning. Closes: #521855

  [ NEWS.Debian ]
  * Added /usr/share/doc/bugzilla3/examples/30_unconfirmed_allways.sh
    script as an example of how to customize bugzilla3 installations.
  * Uses dpkg-statoverride for files/directory to give the admin more
    control over the access rights of package files.
    checksetup_nondebian.pl does not change access rights and modes of
    files anymore. Please check the
    /etc/bugzilla3/post-checksetup.d/10setdefaultdpkgstatoverride and
    15restoredpkgstatoverride scripts. Closes: #550085
  * Added support for custom templates (and skins); use the
    /etc/bugzilla3/template and /etc/bugzilla3/skins directories. The
    /etc/bugzilla3/pre-checksetup.d/30copyetcskins and 30copyetctemplate
    copy the content to the right locations. LP: #413065
  * The directory /usr/lib/cgi-bin/bugzilla3 moved to
    /usr/share/bugzilla3/web. The
    /usr/share/doc/bugzilla3/examples/basic.conf file shows the changes
    mandatory for apache2. This change was required to be able to install
    bugzilla3 for apache2 out-of-the box with apache2 default setup for
    /cgi-bin/ directory. Closes: #520935
  * New basic.conf/vh-basic.conf files fix /cgi-bin/ issues with default
    apache2 configuration. Closes: #511839
  * urlbase (/etc/bugzilla3/param) changed from /cgi-bin/bugzilla3/ to
    /bugzilla3/.
  * docs_urlbase (/etc/bugzilla3/param) changed from
    /docs/bugzilla3-doc/%lang%/html to /doc/bugzilla3-doc/%lang%/html with
    changed directory structure within bugzilla3-doc. Closes: #511839
  * The directories /etc/bugzilla3/pre-checksetup.d and
    /etc/bugzilla3/post-checksetup.d contain executables which are started
    in alphanumerical order before and after checksetup.pl is called. Save
    your own scripts which should be executed if checksetup.pl is called,
    e.g. during an upgrade of the package.
  * /usr/share/bugzilla3/lib/sanitycheck.pl added; will be executed daily.
    Closes: #550071

 -- Raphael Bossek <bossekr@debian.org>  Sun, 15 Nov 2009 17:05:37 +0100

Greetings,
Raphael