Closed Bug 782687 Opened 12 years ago Closed 12 years ago

list/list.js.tmpl is restored when upgrading Bugzilla using CVS with the BUGZILLA-3_6-STABLE, BUGZILLA-4_0-STABLE and Bugzilla_Stable tags

Categories

(Bugzilla :: bugzilla.org, defect)

Product:
Bugzilla
Component:
bugzilla.org
Version:
4.0.7
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: LpSolit, Assigned: dkl)

Details

When using CVS to upgrade Bugzilla to 3.6.10 or 4.0.7 using the BUGZILLA-3_6-STABLE or BUGZILLA-4_0-STABLE tag, the list/list.js.tmpl template is restored despite it has been removed from the repo to fix CVE-2012-0466, see bug 745397:

# cvs -q up -rBUGZILLA-4_0_7 -dP
cvs update: template/en/default/list/list.js.tmpl is no longer in the repository

# cvs -q up -rBUGZILLA-4_0-STABLE -dP
U template/en/default/list/list.js.tmpl

This is pretty critical, because this means that all installations using the -STABLE cvs tag to upgrade (e.g. GCC Bugzilla) are still vulnerable to this issue.
I just realized that the Bugzilla_Stable tag still points to rev 1.3 of list.js.tmpl, which is incorrect. It should be removed from there too.
Assignee: website → dkl
Summary: list/list.js.tmpl is restored when upgrading Bugzilla using CVS with the BUGZILLA-3_6-STABLE and BUGZILLA-4_0-STABLE tags → list/list.js.tmpl is restored when upgrading Bugzilla using CVS with the BUGZILLA-3_6-STABLE, BUGZILLA-4_0-STABLE and Bugzilla_Stable tags
Verified fixed now for BUGZILLA-4_0_7, BUGZILLA-4_0-STABLE and Bugzilla_Stable. Closing.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Group: bugzilla-security
You need to log in before you can comment on or make changes to this bug.