Bug 522547 - "major security issue" bugfix release imminent
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: bugzilla
Version: 11
Hardware: All Linux
Priority: low
Severity: urgent
Assigned To: Emmanuel Seyman
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-09-10 12:41 EDT by Bill McGonigle
Modified: 2009-09-18 20:11 EDT
Fixed In Version: 3.2.5-1.fc10
Doc Type: Bug Fix
Clone Of:
: 524309 (view as bug list)
Last Closed: 2009-09-18 20:06:34 EDT
Description Bill McGonigle 2009-09-10 12:41:42 EDT
It looks like we're going to need some urgent packaging and pushes to stable in very short order:

-------- Original Message --------
Subject: [ANN] Warning: Major Security Release Coming Soon
Date: Wed, 09 Sep 2009 17:06:08 -0700
From: Max Kanat-Alexander <mkanat@bugzilla.org>
Organization: Bugzilla Project
To: announce@bugzilla.org

	A major security issue has been discovered in versions of Bugzilla back
to 3.0. We will be releasing a version of Bugzilla which fixes the issue
within 48 hours (possibly within 24 hours), and all administrators
should be ready to perform the upgrade (which does not require any
database changes) shortly after the new version is released.

	If you do not wish to do a full upgrade, patches for just the security
issue will be available. The patches are relatively small and do not
modify very much of Bugzilla.

	-Max Kanat-Alexander
	Release Manager, Bugzilla Project
-------------

Thank you for packaging bugzilla.
Comment 1 Emmanuel Seyman 2009-09-10 15:38:13 EDT
We're ready for this one.
Comment 2 Fedora Update System 2009-09-11 17:57:55 EDT
bugzilla-3.2.5-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/bugzilla-3.2.5-1.fc10
Comment 3 Fedora Update System 2009-09-11 17:58:00 EDT
bugzilla-3.2.5-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bugzilla-3.2.5-1.fc11
Comment 4 Fedora Update System 2009-09-15 03:37:32 EDT
bugzilla-3.2.5-1.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bugzilla'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-9550
Comment 5 Fedora Update System 2009-09-15 03:39:27 EDT
bugzilla-3.2.5-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bugzilla'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-9554
Comment 6 Bill McGonigle 2009-09-15 16:56:45 EDT
I had a problem with the update not properly applying.  After debugging it's not really the package's fault, but some improved Requires would help.

It turned out my yum metadata was boned again.  So, I had a previous version of perl-Email-MIME-Encodings.  When checksetup.pl is run in %post, it was complaining about an older version of Email::MIME::Encodings, and not getting to pre-compiling my templates.  So, the symptom was that the version displayed on the web page headers never got updated, even though all the code was installed fine.

Looking at the SPEC, I see:

  Requires: webserver, patchutils, mod_perl, perl(SOAP::Lite), which

I think we need to list all of the current perl module requirements and the versions (when checksetup will fail if they don't meet).

In that case, I'd at least have seen RPM grumble at me rather than silently failing.  Should I file a separate bug?
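
The versioned Requires suggested in comment 6, as an added example that is not part of the original thread or of the Fedora package: a shell script that emits `Requires: perl(...) >= ...` lines and flags modules that would not satisfy them. The version numbers, the installed inventory and `Hypothetical::Module` are constructed placeholders, and `sort -V` (GNU coreutils) is assumed as a stand-in for RPM's version comparison.

```shell
#!/bin/sh
# Constructed sample data. The minimum versions are placeholders, not
# Bugzilla's real requirements; Hypothetical::Module is a made-up name.
REQUIRED='Email::MIME::Encodings 1.313
SOAP::Lite 0.710
Hypothetical::Module 1.0'

# Constructed "installed" inventory. On a real host each version could come
# from: perl -MSome::Module -e 'print Some::Module->VERSION'
INSTALLED='Email::MIME::Encodings 1.3
SOAP::Lite 0.710'

# version_ge HAVE MIN: succeed when HAVE >= MIN. GNU sort -V stands in for
# RPM's own version comparison here (an approximation).
version_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# spec_requires: emit one versioned Requires line per module for the SPEC.
spec_requires() {
    printf '%s\n' "$REQUIRED" | while read -r mod min; do
        printf 'Requires: perl(%s) >= %s\n' "$mod" "$min"
    done
}

# unmet_requires: list modules that are missing or older than the minimum,
# the cases a versioned Requires would make RPM report at install time
# instead of checksetup.pl failing quietly in %post.
unmet_requires() {
    printf '%s\n' "$REQUIRED" | while read -r mod min; do
        have=$(printf '%s\n' "$INSTALLED" | awk -v m="$mod" '$1 == m { print $2 }')
        if [ -z "$have" ]; then
            printf '%s missing (need >= %s)\n' "$mod" "$min"
        elif ! version_ge "$have" "$min"; then
            printf '%s %s too old (need >= %s)\n' "$mod" "$have" "$min"
        fi
    done
}

spec_requires
unmet_requires
```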
Comment 7 Emmanuel Seyman 2009-09-16 02:58:41 EDT
(In reply to comment #6)
> 
> I think we need to list all of the current perl module requirements and the
> versions (when checksetup will fail if they don't meet).

Painful but I don't see any other alternatives.
I'll ask around for opinions on this.

> In that case, I'd at least have seen RPM grumble at me rather than silently
> failing.  Should I file a separate bug?  

Yes, please do.
Comment 8 Fedora Update System 2009-09-18 20:06:29 EDT
bugzilla-3.2.5-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-09-18 20:11:34 EDT
bugzilla-3.2.5-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
