Bugzilla 5.0 Release Notes
Introduction
Welcome to Bugzilla 5.0! It has been slightly over two years since we released
Bugzilla 4.4 in May of 2013. This new major release comes with many new features
and improvements to WebServices and performance.
If you're upgrading, make sure to read
Notes On Upgrading From a Previous Version. If you are upgrading from a
release before 4.4, make sure to read the release notes for all the
previous versions in between
your version and this one, particularly the Upgrading section of each
version's release notes.
Updates in this 5.0.x Release
5.0.4
This release fixes one security issue. See the
Security Advisory
for details.
This release also contains the following bug fixes:
- checksetup.pl would fail to update Chart storage during pre-3.6 to 5.0 upgrade.
(Bug 1273846)
- editflagtypes.cgi would crash when classifications are enabled and
the user did not have global editcomponents privileges.
(Bug 1310728)
- File::Slurp would trigger warnings on Perl 5.24.
(Bug 1301887)
- All the time entries in the 'when' column had the correct date but the time
was fixed to 00:00 when using Sqlite.
(Bug 1303702)
5.0.3
This release fixes one security issue. See the
Security Advisory
for details.
This release also contains the following bug fixes:
- A regression in Bugzilla 5.0.2 caused whine.pl to be unable
to send emails due to a missing subroutine.
(Bug 1235395)
- The Encode module changed the way it encodes strings, causing
email addresses in emails sent by SA Bugzilla to be encoded,
preventing emails from being correctly delivered to recipients.
We now encode email headers correctly.
(Bug 1246228)
- Fix additional taint issues with Strawberry Perl.
(Bug 987742 and
bug 1089448)
- When exporting a buglist as a CSV file, fields starting with either
"=", "+", "-" or "@" are now preceded by a space so that they do not
trigger formula execution in Excel.
(Bug 1259881)
- An extension which allows user-controlled data to be used as a link in
tabs could trigger XSS if the data is not correctly sanitized.
SA Bugzilla no longer relies on the extension to do the sanity
check. A vanilla installation is not affected as no tab is user-controlled.
(Bug 1250114)
- Extensions can now easily override the favicon used for the
SA Bugzilla website.
(Bug 1250264)
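The CSV export fix listed above (Bug 1259881), as an added Python example; it is not Bugzilla's own code, which is Perl. The function names, field names and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters named in the release note: a spreadsheet treats a
# cell that starts with one of these as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return the cell as text, preceded by a space if it would start a formula."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return " " + text
    return text


def export_buglist(rows, columns):
    """Render a list of dict rows as CSV text with every field neutralized."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(col)) for col in columns])
    return out.getvalue()


# Constructed sample bug list (not real Bugzilla data). Summaries are
# user-controlled; cf_delta is a negative integer, which is also prefixed.
SAMPLE_BUGS = [
    {"bug_id": 101, "short_desc": "=1+1", "cf_delta": 3},
    {"bug_id": 102, "short_desc": "@SUM(A1:A2)", "cf_delta": -5},
    {"bug_id": 103, "short_desc": "Crash when saving = sign", "cf_delta": 0},
]

if __name__ == "__main__":
    print(export_buglist(SAMPLE_BUGS, ["bug_id", "short_desc", "cf_delta"]), end="")
```

Because the rule keys only on the first character, a negative number such as -5 is exported as the text " -5", so scripts that consume the CSV need to strip the leading space before parsing numeric columns.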
5.0.2
This release fixes two security issues. See the
Security Advisory
for details.
This release also contains the following bug fixes:
5.0.1
This release fixes one security issue. See the
Security Advisory
for details.
This release also contains the following bug fixes:
- Users whose login name is not an email address could not log in on
installations which use LDAP to authenticate users.
(Bug 1179160)
- If a mandatory custom field was hidden, it was not possible to create
a new bug or to edit existing ones.
(Bug 1183398
and bug 1196969)
- A user editing his login name to point to a non-existent email address
could cause Bugzilla to stop working, causing a denial of service.
(Bug 1194987)
- Emails generated during a transaction made PostgreSQL stop working.
(Bug 1186700)
- Bugs containing a comment with a reference to a bug
ID larger than 2^31 could not be displayed anymore using PostgreSQL.
(Bug 1191937)
- The date picker in the "Time Summary" page was broken.
(Bug 1181649)
- If Test::Taint or any other Perl module required to use the
JSON-RPC API was not installed or was too old, the UI to tag comments was
displayed anyway: you could tag comments, but the tags were not persistent
(they were lost on page reload). Now the UI to tag comments is not displayed
at all until the missing Perl modules are installed and up-to-date.
(Bug 1183227)
- Custom fields of type INTEGER now accept negative integers.
(Bug 1198659)
- On Windows, the checksetup.pl installation script no longer
asks for a SMTP server. It can be set after the installation is complete.
(Bug 1191255)
Minimum Requirements
Any requirements that are new since 4.4 will look like this.
Perl
Perl v5.10.1
For MySQL Users
- MySQL v5.0.15
- perl module: DBD::mysql v4.001
For PostgreSQL Users
- PostgreSQL v8.03.0000
- perl module: DBD::Pg v2.7.0
For Oracle Users
- Oracle v10.02.0
- perl module: DBD::Oracle v1.19
For SQLite Users
- SQLite v3.6.22
- perl module: DBD::SQLite v1.29
Required Perl Modules
Module | Version |
CGI | 3.51 |
Digest::SHA | (Any) |
Date::Format | 2.23 |
DateTime | 0.75 |
DateTime::TimeZone | 1.64 |
DBI | 1.614 |
Template | 2.24 |
Email::Sender | 1.300011 |
Email::MIME | 1.904 |
URI | 1.55 |
List::MoreUtils | 0.32 |
Math::Random::ISAAC | 1.0.1 |
JSON::XS | 2.01 |
Optional Perl Modules
The following perl modules, if installed, enable various
features of Bugzilla:
Module | Version | Enables Feature |
GD | 1.20 | Graphical Reports, New Charts, Old Charts |
Chart::Lines | 2.4.1 | New Charts, Old Charts |
Template::Plugin::GD::Image | (Any) | Graphical Reports |
GD::Text | (Any) | Graphical Reports |
GD::Graph | (Any) | Graphical Reports |
MIME::Parser | 5.406 | Move Bugs Between Installations |
LWP::UserAgent | (Any) | Automatic Update Notifications |
XML::Twig | (Any) | Move Bugs Between Installations, Automatic Update Notifications |
PatchReader | 0.9.6 | Patch Viewer |
Net::LDAP | (Any) | LDAP Authentication |
Authen::SASL | (Any) | SMTP Authentication |
Net::SMTP::SSL | 1.01 | SSL Support for SMTP |
Authen::Radius | (Any) | RADIUS Authentication |
SOAP::Lite | 0.712 | XML-RPC Interface |
XMLRPC::Lite | 0.712 | XML-RPC Interface |
JSON::RPC | (Any) | JSON-RPC Interface, REST Interface |
Test::Taint | 1.06 | JSON-RPC Interface, XML-RPC Interface, REST Interface |
HTML::Parser | 3.67 | More HTML in Product/Group Descriptions |
HTML::Scrubber | (Any) | More HTML in Product/Group Descriptions |
Encode | 2.21 | Automatic charset detection for text attachments |
Encode::Detect | (Any) | Automatic charset detection for text attachments |
Email::Reply | (Any) | Inbound Email |
HTML::FormatText::WithLinks | 0.13 | Inbound Email |
TheSchwartz | 1.07 | Mail Queueing |
Daemon::Generic | (Any) | Mail Queueing |
mod_perl2 | 1.999022 | mod_perl |
Apache2::SizeLimit | 0.96 | mod_perl |
File::MimeInfo::Magic | (Any) | Sniff MIME type of attachments |
IO::Scalar | (Any) | Sniff MIME type of attachments |
Cache::Memcached | (Any) | Memcached Support |
File::Copy::Recursive | (Any) | Documentation |
File::Which | (Any) | Documentation |
Optional Apache Modules
If you are using Apache as your webserver, Bugzilla can
take advantage of some Apache features if you have the below Apache
modules installed and enabled.
- mod_headers
- mod_expires
- mod_env
On most systems (but not on Windows), checksetup.pl is able to
tell whether or not you have these modules installed, and it will tell
you.
New Features and Improvements
Improved WebServices
This release has major improvements in the WebServices interface. One big
addition is a new REST-like endpoint alongside the existing XML-RPC and JSON-RPC
endpoints. This will allow clients to access Bugzilla data using standard HTTP
calls for easy development. Note: XML-RPC and JSON-RPC are
deprecated in favor of REST and will likely be removed in the Bugzilla 7.0 release.
Also, API key support has been added so that API calls will no longer need to use
cookies or a user's login and password. Users can create a different API key for
each application and revoke API keys that have been compromised or are no longer
needed. The API key will simply be passed to each call as credentials.
Several methods have been added and existing ones improved to allow returning
data that was not available before such as Group.get. Bug.search
is now as full featured as the Advanced Query UI allowing for the same searches
to be executed. Attachment data such as flags and other metadata can now be
updated through the API. Other WebService changes are detailed
below.
Bugzilla now has the ability to connect to a Memcached server running either
locally or on the network to allow fast access to different types of data.
This cuts down on the number of database hits and can improve performance. Other
areas have been improved as well to take advantage of caching in memory for
objects that are retrieved multiple times during a request such as user data, etc.
Users can add tags, visible to other users, to bug comments. This
gives the users the ability to thread conversations, mark comments as spam,
identify important comments, etc. Users can hide comments that contain specific
tags if desired. The tag input field also supports autocompletion so commonly
used tags can be selected. Administrators can make specifically tagged comments
be automatically hidden from view.
Improved Bug Group Membership Checking
In the past, Bugzilla restricted who can view a bug to everyone
who was a member of ALL the groups the bug was in. That is, the
groups were ANDed together. This made some access control scenarios rather
difficult to achieve. So now, Bugzilla defaults to (and can be switched to,
in existing installations) a mode where the bug can be viewed by
everyone who is a member of ANY group the bug is in. That is, the
groups are ORed together. This gives more flexibility in the way bugs
are made private to specific groups of users.
Note: Group memberships for bugs and users are
not changed at all when this setting is switched. When switching from AND to
OR, this means that bugs may be more widely viewable than previously.
It is the responsibility of the administrator to make sure that no bugs
are accidentally revealed to the wrong people when changing this setting.
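An added Python example (not Bugzilla code) of the audit the note above asks of administrators: it lists which users would gain access to which bugs when the mode is switched from AND to OR. The user names, group names and bug IDs are constructed; it assumes a bug in no groups is visible to everyone, and it ignores any access a user has through a role on the bug.

```python
def can_view(user_groups, bug_groups, mode):
    """Return True if group membership lets the user view the bug.

    "AND": the user must be a member of ALL groups the bug is in.
    "OR":  the user must be a member of ANY group the bug is in.
    Assumption: a bug in no groups is visible to everyone in both modes.
    """
    if not bug_groups:
        return True
    if mode == "AND":
        return bug_groups <= user_groups
    if mode == "OR":
        return not bug_groups.isdisjoint(user_groups)
    raise ValueError("mode must be 'AND' or 'OR'")


def newly_visible(users, bugs):
    """Return sorted (user, bug_id) pairs visible under OR but not under AND."""
    return sorted(
        (user, bug_id)
        for user, user_groups in users.items()
        for bug_id, bug_groups in bugs.items()
        if can_view(user_groups, bug_groups, "OR")
        and not can_view(user_groups, bug_groups, "AND")
    )


# Constructed sample data: group memberships of users and bugs.
USERS = {
    "alice": {"security", "core"},
    "bob": {"security"},
    "carol": {"partners"},
    "dave": set(),
}
BUGS = {
    1: {"security", "core"},
    2: {"security"},
    3: {"security", "partners"},
    4: set(),
}

if __name__ == "__main__":
    for user, bug_id in newly_visible(USERS, BUGS):
        print(f"{user} gains access to bug {bug_id}")
```

Only bugs in two or more groups can appear in the result, so those are the bugs to review before changing the setting.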
Improved Documentation for Users and Administrators
The standard documentation that is shipped along with the Bugzilla code has been
rewritten and improved using the reStructuredText format. This allows the
documentation to be easily hosted at sites such as ReadTheDocs.org and can
also be more easily converted into different formats such as HTML and PDF.
A new section dedicated to the new REST WebService API has also been added,
significantly improving on the old WebService documentation.
Other Enhancements and Changes
Enhancements for Users
- Bugs: The deadline field is now visible to users
not in the timetracking group.
- Bugs: There is now a "Preview" mode when
creating a new comment that allows you to see how the comment will look
before committing to the database.
- Bugs: The reporter is now allowed to enter
keywords at time of bug creation.
- Bugs: "See Also" now allows spaces as well as
commas to delimit multiple values.
- Bugs: Auto linkification in comments of bug
IDs and comment IDs has been improved.
- Bugs: Bugs can now have multiple
aliases assigned to them. Previously, each bug could only have a single
value. Also, aliases are now visible in the browser's title bar.
- Bugs: Users can now change the flags of multiple
bugs at once using the mass-edit form.
- Charts and Reports: UTF-8 characters are now correctly
displayed in "New Charts" and graphical reports.
- Charts and Reports: Custom multi-select fields are now
available as report axis options. This makes them usable for categorizing
bugs in reports.
- Email: You can now choose to not receive any mail at all
about a particular bug, even if you continue to have a role on
that bug (e.g. reporter).
- Email: When adding or removing a bug as a
dependency, the summary of the bug is included in the email
notification.
- Requests: request.cgi can now output results in
CSV format.
- Requests: X-Bugzilla-* headers are now included
in flag notification emails.
- Searches: Some useful searches have been added to the
Bugzilla home page.
- Searches: Quicksearch now allows for use of comparison
operators such as !=, >=, >, <, etc., in addition to substring searches.
- Searches: The "Blocks" and "Depends On" values can now be
displayed as columns in a bug list.
- Searches: The "is empty" and "is not empty" search operators
have been added to the Advanced Search UI. This allows searching for null
and not null values for certain fields.
Enhancements for Administrators and Developers
- Administration: There are now INTEGER and
DATE custom field types.
- Administration: Filenames used to store product data for
"Old Charts" are now based on product IDs to avoid data loss when changing
product names.
- Administration: JavaScript and CSS files are now minified
and concatenated to improve page load performance. When changes are made,
checksetup.pl should be run to regenerate the combined files.
- Bugs: Bugzilla now keeps track of the last
time each user visited (that is, loaded the show_bug page in a web browser)
each bug. This could be useful for dashboards or API clients.
- Database: Text that contained unicode
supplementary characters (outside BMP) was cut off when using MySQL as backend.
This has been fixed to prevent data loss.
- Database: SSL connections are now possible when using
MySQL as backend.
- Database: For version 8.x of PostgreSQL, plpgsql
was not always installed by default and checksetup.pl would
generate an error. This has been fixed.
- Development: Bugzilla is now HTML5 compliant. As a
consequence, Internet Explorer 6 and 7 are no longer supported.
- Email: Email generation originally was done before the
jobqueue job was inserted. This is now delayed and done by
jobqueue.pl right before sending the email which can improve
responsiveness when processing bug changes.
- Email: When a site administrator creates a new user, an
email is sent to the user.
- Email: For dependency email notifications, the header
X-Bugzilla-Type: dep_changed is set.
- Email: whine.pl emails now use
DEFAULT_COLUMN_LIST (the same default columns seen in the buglist
page) instead of hard coded column list.
- Security: Support for increased values for
PASSWORD_SALT_LENGTH without breaking compatibility with old
hashes.
WebService Changes
- Bug.search now allows for full search functionality
similar to what is possible using the Advanced Query UI.
- Basic support for eTag headers has been added to all WebServices
to allow for better network performance.
- Administrators can now change a parameter that filters all email
addresses returned in WebService calls similar to filtering that
happens in the web UI.
- WebService calls now support use of API keys for authentication.
Usernames and passwords remain supported.
- Invalid or expired authentication cookies and tokens now throw
errors instead of being silently ignored. User.valid_login
can be used to determine if they are still valid or not.
- WebService calls that are used to create and update bugs
and attachments now support setting and updating of flags.
- Bug.update_attachment can update an attachment's
metadata as well as its flags.
- The product parameter for Bug.possible_duplicates
has been renamed to products.
- Some compatibility fields included in returned data that were marked
to be removed in this release are now gone.
- Group.get has been added to get information about a group and
its members.
- FlagType.get has been added to get information about valid
flag types for a given product and component.
- The deprecated Bug.get_bugs, Bug.get_history
and Product.get_products methods are no longer supported.
They have been renamed to Bug.get, Bug.history
and Product.get respectively.
Code Changes Which May Affect Customizations and Extensions
- Support for CVS, Bonsai and LXR has been removed entirely when viewing
attachments. This means that the cvsroot, cvsroot_get,
bonsai_url, lxr_url and lxr_root parameters
are all gone, as well as cvsbin from the localconfig
file.
- The docs_urlbase parameter has been removed. If documentation
has not been compiled locally, the "Help" links and other documentation links
will redirect to bugzilla.readthedocs.org
automatically.
- The mostfreqthreshold parameter has also been removed.
- All extensions which define new public WebService methods must list them
in a PUBLIC_METHODS constant. Methods which are not listed there
will not be accessible remotely.
- JSON::XS is now used instead of Data::Dumper for
storage of configuration values in data/params. This should
improve performance when loading the file.
- A new test has been added to check for reserved words in SQL schema.
- Pod::Coverage is now used to ensure subroutines are documented.
- Bugzilla code now uses use parent instead of use base
in all places applicable.
- A new hook called cgi_headers has been added to allow
customization of the HTTP headers returned.
- A new hook called user_check_account_creation has been added
to add extra checks before accepting the creation of a new user account.