Your message dated Sun, 08 Nov 2009 22:32:46 +0000
with message-id <[email protected]>
and subject line Bug#520935: fixed in bugzilla 3.2.5.0-1
has caused the Debian Bug report #520935,
regarding bugzilla3: Cyclic link when enforce SSL is set to anything besides
"never"
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
520935: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520935
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bugzilla3
Version: 3.2.0.1-1
Severity: important
When enforce SSL is set to anything besides never (authenticated sessions or
always), attempting to access bugzilla results in the following error
(text copied from Konqueror, similar error messages in other browsers):
An error occurred while loading
http://bugzilla.h3solution.com/editparams.cgi?section=admin:
Found a cyclic link in
https://bugzilla.h3solution.com/editparams.cgi?section=admin.
If enforce SSL is set to never, everything works correctly (both http and
https) with this one exception:
When a user logs in using https://bugzilla.h3solution.com, upon clicking on the
"Login" button, the following warning is given:
Warning: This is a secure form but it is attempting to send your data
back unencrypted.
A third party may be able to intercept and view this information.
Are you sure you wish to continue?
The user is then directed to http. If, after the user is logged in, the URL is
manually changed from http to https, then the entire site functions
correctly using SSL.
This appears to be a problem with the login function not working correctly. It
redirects everything to http. If https is enforced, it creates a
cyclic link.
url_base is set to 'http://bugzilla.h3solution.com/'
ssl_base is set to 'https://bugzilla.h3solution.com/'
If I want to use SSL I can work around this problem by manually setting
url_base to 'https://bugzilla.h3solution.com' in /etc/bugzilla3/params,
removing the http bugzilla apache entries, and setting a redirect from http to
https in apache, but that seems like a clunky workaround.
Apache config files
<VirtualHost *:80>
    ServerName bugzilla.h3solution.com
    DocumentRoot /usr/lib/cgi-bin/bugzilla3/
    Alias /bugzilla3/ /usr/share/bugzilla3/web/
    Alias /cgi-bin/bugzilla3/ /usr/lib/cgi-bin/bugzilla3/
    <Directory "/usr/share/bugzilla3/web">
        AllowOverride none
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/usr/lib/cgi-bin/bugzilla3">
        AddHandler cgi-script cgi
        DirectoryIndex index.cgi
        Options +Indexes +ExecCGI -MultiViews +SymLinksIfOwnerMatch +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/var/lib/bugzilla3/data">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName bugzilla.h3solution.com
    DocumentRoot /usr/lib/cgi-bin/bugzilla3/
    Alias /bugzilla3/ /usr/share/bugzilla3/web/
    Alias /cgi-bin/bugzilla3/ /usr/lib/cgi-bin/bugzilla3/
    <Directory "/usr/share/bugzilla3/web">
        AllowOverride none
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/usr/lib/cgi-bin/bugzilla3">
        AddHandler cgi-script cgi
        DirectoryIndex index.cgi
        Options +Indexes +ExecCGI -MultiViews +SymLinksIfOwnerMatch +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/var/lib/bugzilla3/data">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages bugzilla3 depends on:
ii apache2 2.2.11-2 Apache HTTP Server metapackage
ii apache2-mpm-prefork [ht 2.2.11-2 Apache HTTP Server - traditional n
ii dbconfig-common 1.8.40 common framework for packaging dat
ii debconf 1.5.26 Debian configuration management sy
ii libappconfig-perl 1.56-2 Perl module for configuration file
ii libcgi-pm-perl 3.42-1 Simple Common Gateway Interface Cl
ii libdbd-mysql-perl 4.008-1 A Perl5 database interface to the
ii libemail-mime-modifier- 1.443-1 module to modify Email::MIME objec
ii libemail-send-perl 2.194-1 Simply Sending Email
ii libtemplate-perl 2.19-1.1lenny1.1 template processing system written
ii libtimedate-perl 1.1600-9 Time and date functions for Perl
ii mysql-client 5.0.51a-24 MySQL database client (metapackage
ii mysql-client-5.0 [mysql 5.0.51a-24 MySQL database client binaries
ii patch 2.5.9-5 Apply a diff file to an original
ii perl-modules [libcgi-pm 5.10.0-19 Core Perl modules
ii postfix [mail-transport 2.5.5-1.1 High-performance mail transport ag
ii ucf 3.0016 Update Configuration File: preserv
Versions of packages bugzilla3 recommends:
ii libchart-perl 2.4.1-5 Chart Library for Perl
ii libxml-parser-perl 2.36-1.1+b1 Perl module for parsing XML files
ii mysql-server 5.0.51a-24 MySQL database server (metapackage
ii mysql-server-5.0 [mysq 5.0.51a-24 MySQL database server binaries
ii perlmagick 7:6.3.7.9.dfsg2-1 Perl interface to the libMagick gr
Versions of packages bugzilla3 suggests:
pn bugzilla3-doc <none> (no description available)
pn graphviz <none> (no description available)
ii libgd-gd2-perl 1:2.39-2 Perl module wrapper for libgd - gd
ii libgd-graph-perl 1.44-3 Graph Plotting Module for Perl 5
ii libgd-text-perl 0.86-5 Text utilities for use with GD
ii libhtml-parser-perl 3.60-1 collection of modules that parse H
pn libhtml-scrubber-perl <none> (no description available)
ii libmailtools-perl 2.04-1 Manipulate email in perl programs
ii libmime-tools-perl 5.427-2 Perl5 modules for MIME-compliant m
ii libnet-ldap-perl 1:0.39-1 client interface to LDAP servers
pn libsoap-lite-perl <none> (no description available)
ii libwww-perl 5.825-1 WWW client/server library for Perl
pn libxml-twig-perl <none> (no description available)
-- debconf information:
* bugzilla3/customized_values: false
bugzilla3/database-type: mysql
bugzilla3/remove-error: abort
bugzilla3/dbconfig-remove:
* bugzilla3/dbconfig-install: true
bugzilla3/internal/reconfiguring: false
bugzilla3/remote/newhost:
bugzilla3/internal/skip-preseed: false
bugzilla3/remote/host:
bugzilla3/install-error: abort
bugzilla3/upgrade-backup: true
bugzilla3/db/dbname: bugzilla3
bugzilla3/missing-db-package-error: abort
bugzilla3/passwords-do-not-match:
bugzilla3/mysql/admin-user: root
bugzilla3/upgrade-error: abort
bugzilla3/db/app-user: bugzilla3
bugzilla3/dbconfig-reinstall: false
bugzilla3/mysql/method: unix socket
* bugzilla3/bugzilla_admin_real_name: Soren Stoutner
bugzilla3/remote/port:
* bugzilla3/bugzilla_admin_name: [email protected]
bugzilla3/dbconfig-upgrade: true
bugzilla3/purge: false
--- End Message ---
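The two symptoms in the report above, the http/https cycle under enforced SSL and the https-to-http downgrade at login, can be checked for by walking a redirect chain. This is an added example, not part of the original report and not Bugzilla code. The redirect tables are constructed to model the reported behaviour, and the index.cgi login path and the name audit_redirects are assumptions.

```python
from urllib.parse import urlsplit

HOST = "bugzilla.h3solution.com"
ADMIN = "/editparams.cgi?section=admin"

# Constructed redirect tables (request URL -> Location answered). They model
# the behaviour described in the report; they are assumptions, not captures.
ENFORCED = {  # enforce SSL on: http is sent to https, then back to http
    f"http://{HOST}{ADMIN}": f"https://{HOST}{ADMIN}",
    f"https://{HOST}{ADMIN}": f"http://{HOST}{ADMIN}",
}
LOGIN_NEVER = {  # enforce SSL "never": https login lands on http (path assumed)
    f"https://{HOST}/index.cgi": f"http://{HOST}/index.cgi",
}
WORKAROUND = {  # url_base set to https, port 80 only redirects
    f"http://{HOST}{ADMIN}": f"https://{HOST}{ADMIN}",
}


def audit_redirects(start, table):
    """Walk Location targets from start; return (chain, findings)."""
    chain, findings, seen = [start], [], {start}
    url = start
    while url in table:
        nxt = table[url]
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(("downgrade", url, nxt))
        chain.append(nxt)
        if nxt in seen:  # same URL reached twice: the browser's "cyclic link"
            findings.append(("cycle", nxt, url))
            break
        seen.add(nxt)
        url = nxt
    return chain, findings


if __name__ == "__main__":
    for name, start, table in [
        ("enforced", f"http://{HOST}{ADMIN}", ENFORCED),
        ("login, never", f"https://{HOST}/index.cgi", LOGIN_NEVER),
        ("workaround", f"http://{HOST}{ADMIN}", WORKAROUND),
    ]:
        chain, findings = audit_redirects(start, table)
        print(name, "->", " -> ".join(chain), findings or "clean")
```

Against a live site the table would be filled from the Location headers actually returned at each hop, with automatic redirect following turned off in the client.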
--- Begin Message ---
Source: bugzilla
Source-Version: 3.2.5.0-1
We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:
bugzilla3-doc_3.2.5.0-1_all.deb
to main/b/bugzilla/bugzilla3-doc_3.2.5.0-1_all.deb
bugzilla3_3.2.5.0-1_all.deb
to main/b/bugzilla/bugzilla3_3.2.5.0-1_all.deb
bugzilla_3.2.5.0-1.diff.gz
to main/b/bugzilla/bugzilla_3.2.5.0-1.diff.gz
bugzilla_3.2.5.0-1.dsc
to main/b/bugzilla/bugzilla_3.2.5.0-1.dsc
bugzilla_3.2.5.0.orig.tar.gz
to main/b/bugzilla/bugzilla_3.2.5.0.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphael Bossek <[email protected]> (supplier of updated bugzilla package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 06 Nov 2009 20:47:23 +0100
Source: bugzilla
Binary: bugzilla3 bugzilla3-doc
Architecture: source all
Version: 3.2.5.0-1
Distribution: unstable
Urgency: medium
Maintainer: Raphael Bossek <[email protected]>
Changed-By: Raphael Bossek <[email protected]>
Description:
bugzilla3 - web-based bug tracking system
bugzilla3-doc - comprehensive guide to Bugzilla
Closes: 495107 511839 511839 520935 522401 522455 538286 539401 539440 544870
544987 547132 549700 550045 550055 550071 554965
Changes:
bugzilla (3.2.5.0-1) unstable; urgency=medium
.
* Increased Standards-Version to 3.8.3; no changes.
* Fixed creation of /etc/bugzilla3/localconfig from debconf settings.
* In case where access to database is protected the user/password is revoked
and recreated again; dpkg-reconfigure -phigh bugzilla3.
* Removed dependency against libemail-reply-perl.
* Changed processing of /etc/bugzilla3/localconfig. Closes: #538286
* Fixed usage of skins by moving away from /cgi-bin/bugzilla3/.
Closes: #495107
* Support for new version of Germzilla added. Closes: #522401
* Added support for 2 digit version numbers for uscan. Closes: #539401
* libtemplate-plugin-gd-perl is recommended. Closes: #539440
* Uses Debian's YUI files for security concerns with JavaScript.
Closes: #544987, #544870
* The post-checksetup.d/10permissions script fixes directory/file access
rights. Closes: #550045
* Fixed typo in checksetup(_debian).sh script. Closes: #550055
* Include path /usr/share/bugzilla3 added. Closes: #549700
* The localhost mta/smtp/email server has to accept email sending.
Closes: #522455
* Fixed SQL injection vulnerability in the Bug.create WebService function
CVE-2009-3165, Closes: #547132
* Fixed typo in recommends (imagemagick). Closes: #554965
.
[ NEWS.Debian ]
* The directory /usr/lib/cgi-bin/bugzilla3 moved to
/usr/share/bugzilla3/web. The /usr/share/doc/bugzilla3/examples/basic.conf
file shows the changes mandatory for apache2.
This change was required to be able to install bugzilla3 for apache2
out-of-the box with apache2 default setup for /cgi-bin/ directory.
Closes: #520935
* New basic.conf/vh-basic.conf files fix /cgi-bin/ issues with default
apache2 configuration. Closes: #511839
* urlbase (/etc/bugzilla3/param) changed from /cgi-bin/bugzilla3/ to
/bugzilla3/.
* docs_urlbase (/etc/bugzilla3/param) changed from
/docs/bugzilla3-doc/%lang%/html to /doc/bugzilla3-doc/%lang%/html with
changed directory structure within bugzilla3-doc. Closes: #511839
* The directories /etc/bugzilla3/pre-checksetup.d and
/etc/bugzilla3/post-checksetup.d contain executables which are started in
alphanumerical order before and after checksetup.pl is called. Save your
own scripts which should be executed if checksetup.pl is called, e.g.
while upgrade of the package.
* /usr/share/bugzilla3/lib/sanitycheck.pl added; will be executed daily.
Closes: #550071
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFK90OAN2lBq4Nesv8RAhbpAJ0UPbzc9UmT9S5MjRfLTt+FyHyDTgCbBEGU
OV1s0bt7ckT399VpxK6j9wo=
=nBnH
-----END PGP SIGNATURE-----
--- End Message ---