Bug 7121 - Upgrade bugzilla.samba.org to Bugzilla 4.0
Status: VERIFIED FIXED
Product: Samba Web
Classification: Unclassified
Component: content
current
All All
: P3 normal
Assigned To: Björn Jacke
http://www.bugzilla.org/download/#stable
Reported: 2010-02-09 14:14 UTC by Frédéric Buclin
Modified: 2011-03-04 14:37 UTC (History)
Description Frédéric Buclin 2010-02-09 14:14:11 UTC
bugzilla.samba.org is currently running Bugzilla 2.22.1, which reached end-of-life on July 28, 2009, see http://www.bugzilla.org/news/#release34. This means that this installation is vulnerable to all security bugs found since last summer. It seems a good time to upgrade this installation to Bugzilla 3.4.5, our most stable release.
Comment 1 Frédéric Buclin 2010-09-24 06:16:17 UTC
Bugzilla 3.6.2 has been released since my last comment.
Comment 2 Frédéric Buclin 2011-02-25 09:33:16 UTC
And now Bugzilla 4.0 is available. I filed this bug one year ago. Still no plan to upgrade?
Comment 3 Björn Jacke 2011-02-26 17:03:04 UTC
We are about to upgrade to the release that Debian Squeeze ships (not 4.0 yet ;-). See bugzilla2.samba.org. Currently hunting down bugs in its bugzilla email interface code but we expect to move to 3.6.2 soon.
Comment 4 Frédéric Buclin 2011-02-27 06:28:00 UTC
(In reply to comment #3)
> We are about to upgrade to the release that Debian Squeeze ships (not 4.0 yet
> ;-). See bugzilla2.samba.org. Currently hunting down bugs in its bugzilla email
> interface code but we expect to move to 3.6.2 soon.

Do you know whether Debian included all security patches which were included in 3.6.3 and 3.6.4? Some of them were really critical.
Comment 5 Björn Jacke 2011-02-27 10:37:12 UTC
No, I don't know, I hoped they would incorporate security fixes. I'll try to find out how well it is being maintained ...
Comment 6 Björn Jacke 2011-03-01 05:44:13 UTC
Looks like the Debian package gets security updates:
http://packages.debian.org/changelogs/pool/main/b/bugzilla/bugzilla_3.6.2.0-4.2/changelog

As bugzilla2.samba.org is there and the switch in DNS to bugzilla.samba.org will happen this week I'll close this bug now.

Thanks for insisting that we update this baby!
Comment 7 Frédéric Buclin 2011-03-04 14:37:35 UTC
bugzilla_3.6.2.0-4.2 doesn't contain all security fixes, see:

 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611176
 http://security-tracker.debian.org/tracker/CVE-2010-4568

I emailed two Debian developers (including the Bugzilla package maintainer) a few days ago to ask them to hurry up, but I got no response so far.

Anyway, I guess the best you can do so far is to wait and install the newer Debian package once it's available.


Congrats for the upgrade! :)