The Mozilla Organization has issued a Bugzilla Security Advisory and released a security update to its Bugzilla software development database. It also announced that the upcoming Bugzilla 2.16 target release date has been reset from 1 January 2002 to 1 February 2002.
Note about the headline graphic: the praying mantis eats other bugs -- including the bothersome sorts of bugs that mess up your garden vegetables and flowers. So it seemed to be an appropriate headline graphic for this article, in large part because, much as the noble mantis helps to control bugs in the real world, Bugzilla is an aid to controlling and eliminating pesky software bugs. The Mantis on Thyme (C) graphic, by Mike Angelo, used here is a modification of one used in an About Computers article about digital photography.
Bugzilla 2.14.1 is a security update; patches from a number of security-related bugs which have already been applied to the working source version 2.15 in cvs, have been applied to Bugzilla 2.14 to create the new stable release 2.14.1, which fixes several security issues discovered since version 2.14 was released, which we believe are too serious to wait for our upcoming 2.16 release. (Bugzilla Security Advisory, Mozilla Organization, 6 January 2002)
Bugzilla is the Mozilla Project's collaborative MySQL database for tracking bugs, requests for enhancements (RFEs), problems, and other such software-development project-management matters.
Bugzilla is perhaps the shining star of the Mozilla Project. The Bugzilla source code is open source software and is available for public downloading. (Download link in the Resources section below.) Many multi-developer software projects use Bugzilla for their problem management database.
The Bugzilla security update (Bugzilla 2.14.1) is available for public download. However, it is not for everyone who uses Bugzilla:
If you already have a version of Bugzilla 2.15 that was checked out of CVS, please DO NOT DOWNLOAD THIS VERSION, but use 'cvs update' to pull in these fixes. Bugzilla 2.14.1 does not contain most of the code currently in CVS, but is only patches that have been back-ported to the 2.14 code base in order to seal security holes. (Bugzilla 2.14.1 Release Notes, Mozilla Organization, 5 January 2001)
All users of Bugzilla, the bug-tracking system from mozilla.org, who are using a version of Bugzilla installed from a downloaded tarball or package file are strongly recommended to update to version 2.14.1.
All users of Bugzilla who are currently using version 2.15 checked out of cvs prior to 03 January 2002 are strongly recommended to use 'cvs update' to obtain the current cvs code. (Bugzilla Security Advisory, Mozilla Organization, 6 January 2002)
Please make sure you read the release notes, security advisory, and download instructions before you download and install Bugzilla 2.14.1. The update could be tricky if you have not read them.
The revised Bugzilla 2.16 roadmap now sets feature freeze for 15 January 2002 and the target release date for 1 February 2002. There currently are 35 Bugzilla 2.16 release blockers, which might trigger some additional slippage in the Bugzilla 2.16 release schedule.
Here are the major changes and new features planned for Bugzilla 2.16:
· HTML 4.01 Transitional compliance.
· Templatization of all customer-visible CGI pages, to allow easy customization by the administrator
· Allow users to change their own email addresses, instead of having to bug the site admin (using verification emails sent to both the old and new addresses to validate the change)
· Complete redesign of the schema related to security groups to eliminate the "funky groupset math" and allow more than 55 bug groups to be created.
· Remove old attachment code in favor of the new attachment tracker system.
· Enable Perl's taint mode for all files, and taint-check anything being sent to the database.
(Milestone-specific goals, Bugzilla Development Roadmap, Mozilla Organization, 1 January 2001)
For more information about the upcoming Bugzilla 2.16, please see our article A New Mug for Bugzilla -- Version 2.16 on Its Way. To learn more about Bugzilla, what it is and how to use it, please see Meet Bugzilla -- Mozilla's Secretary of Bug-Busting & Feature Requests Lizard.
Related Bugzilla Articles
A New Mug for Bugzilla -- Version 2.16 on Its Way
Meet Bugzilla -- Mozilla's Secretary of Bug-Busting & Feature Requests Lizard
Related Bugzilla Web Pages
Bugzilla Security Advisory
Bugzilla 2.14.1 Release Notes
Milestone-specific goals, Bugzilla Development Roadmap
Bugzilla Download Instructions & FTP Links
Bugzilla 2.14.1 Tarball