bugzilla.samba.org is currently running Bugzilla 2.22.1, which reached end-of-life on July 28, 2009; see http://www.bugzilla.org/news/#release34. This means that this installation is vulnerable to all security bugs found since last summer. It seems a good time to upgrade this installation to Bugzilla 3.4.5, our most stable release.
Bugzilla 3.6.2 has been released since my last comment.
And now Bugzilla 4.0 is available. I filed this bug one year ago. Still no plan to upgrade?
We are about to upgrade to the release that Debian Squeeze ships (not 4.0 yet ;-). See bugzilla2.samba.org. Currently hunting down bugs in its Bugzilla email interface code, but we expect to move to 3.6.2 soon.
(In reply to comment #3)
> we are about to upgrade to the release that Debian Squeeze ships (not 4.0 yet
> ;-). See bugzilla2.samba.org. Currently hunting down bugs in its bugzilla email
> interface code but we expect to move to 3.6.2 soon.
Do you know whether Debian included all security patches which were included in 3.6.3 and 3.6.4? Some of them were really critical.
No, I don't know; I hoped they would incorporate security fixes. I'll try to find out how well it is being maintained ...
Looks like the Debian package gets security updates:
http://packages.debian.org/changelogs/pool/main/b/bugzilla/bugzilla_3.6.2.0-4.2/changelog
As bugzilla2.samba.org is there and the switch in DNS to bugzilla.samba.org will happen this week, I'll close this bug now. Thanks for insisting that we update this baby!
bugzilla_3.6.2.0-4.2 doesn't contain all security fixes, see:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611176
http://security-tracker.debian.org/tracker/CVE-2010-4568
I emailed two Debian developers (including the Bugzilla package maintainer) a few days ago to ask them to hurry up, but I got no response so far. Anyway, I guess the best you can do so far is to wait and install the newer Debian package once it's available. Congrats for the upgrade! :)