New versions of Bugzilla have been released [0] and should be added to the Portage tree. germzilla (German translation) is available for all three versions [1], so a simple bump should be all that is necessary to get them working. These updates include bug fixes and security fixes. Do _NOT_ include 3.2.1 and 3.0.7 in the tree since they have a large vulnerability when run under mod_perl and were quickly replaced by 3.2.2 and 3.0.8. [0] http://www.bugzilla.org/news/#release322 [1] http://ganderbay.net/germzilla/download/
Bugzilla 3.2.2 is now superseded by 3.2.3. [2] @Chris: Can you please update the summary accordingly? [2] http://www.bugzilla.org/news/#release323
Added security@gentoo.org as there are multiple vulnerabilities which are not fixed at the moment. I therefore suggest setting the severity to something higher than enhancement. I would install this on a stable and current amd64. Let me know if I can help testing. I hesitate to introduce security leaks in an otherwise brand-new server.
Just for information: Bugs 264572 and 257923 are also related to this, excluding version 3.3, which is not in Portage yet.
Created attachment 189979: Patch against bugzilla-3.0.5.ebuild
Created attachment 189980: Patch against bugzilla-3.2.ebuild. I have tested this one on a fresh installation on an amd64 system with stable ebuilds, except for the Perl packages required by this ebuild. I have made checkmodules.pl executable for root. This is necessary, as mentioned in Bugzilla's documentation. Moreover, I have introduced a softlink when LINGUAS is set to "de". Otherwise, clicking on the "help" link at the bottom of each page will result in a "Page not found" error because there is no German translation in germzilla. I am planning to use this one for a production system in my company. Tests were successful so far. I have not noticed any bugs so far. I really hope we can get this one into the tree, as Gentoo is currently not secure as far as Bugzilla is concerned. As no response has been made so far, I am not sure whether this package is still maintained?
Bug #258592 may get fixed with this one, too. Just a note on the patches provided: the header is incomplete as I am no dev, and dependencies have been set to the latest stable (where possible) version within Portage.
The 3.2.3 ebuild in the tree has been adjusted; it works for me and does exactly what I want, but I am not the maintainer. So I leave the decision about the rest of this bug up to the maintainers (3.0 series).
Created attachment 200937: Patch against bugzilla-3.2.3.ebuild. Sorry for spamming. This is a patch fixing some (more) security issues. I have tested it on amd64 and after upgrading with webapp-config found our installation still working :-) Dependencies have been modified to fit the latest stable versions in Portage. German localization has already been dropped before by Tomáš in 3.2.3. Currently, these three packages need to be unmasked to use bugzilla-3.2.4: dev-perl/Email-MIME ~amd64, dev-perl/Email-MIME-Encodings ~amd64, dev-perl/Email-Simple ~amd64. So, if some dev wants to test/commit this one. Bugzilla seems pretty deserted here...
I think you can close this bug, the bumps have long been done.