Bugzilla 5.0 is right around the corner

Bugzilla 5.0 is right around the corner and honestly we’re a little excited.

Are you an early adopter?

Bugzilla 5.0rc2 is available now if you like to live on the bleeding edge. There aren’t any changes expected between now and when 5.0 is officially released in a couple of weeks. If you are interested in upgrading just let support know and we’ll take care of it.

Don’t have Bugzilla? Support can add it to your account at any time.

Don’t have an account? Get started in under a minute.

For everyone else we will follow our typical upgrade process. We will test 5.0 ourselves and monitor any issues other people in the community are running into. Once we are confident that 5.0 is stable enough we will send out an announcement about when the upgrade will happen and give you the option to opt out.

Here are some highlights of what you have to look forward to:

Improved WebServices

This release has major improvements in the WebServices interface. One big addition is a new REST-like endpoint alongside the existing XML-RPC and JSON-RPC endpoints. This will allow clients to access Bugzilla data using standard HTTP calls for easy development.

Several methods have been added and existing ones improved to allow returning data that was not available before such as Group.get. is now as full featured as the Advanced Query UI allowing for the same searches to be executed. Attachment data such as flags and other metadata can now be updated through the API.

Also API key support has been added so that API calls will no longer need to use cookies or a user’s login and password.

Ability to Tag Bug Comments

Users can add tags, visible to other users, to bug comments. This gives the users the ability to thread conversations, mark comments as spam, identify important comments, etc. Users can hide comments that contain specific tags if desired. The tag input field also supports autocompletion so commonly used tags can be selected. Administrators can make specifically tagged comments be automatically hidden from view.

Other Improvements

There is now a “Preview” mode when creating a new comment that allows you to see how the comment will look before committing to the database. This will let you see the results of the “autolinkification” of bug references and links.

Bugs can now have multiple aliases assigned to them. Before each bug could only have a single value. Also, aliases are now visible in the browser’s title bar.

You can now choose to not receive any mail at all about a particular bug, even if you continue to have a role on that bug (e.g. reporter).

Some useful searches have been added to the Bugzilla home page.

Quicksearch now allows for use of comparison operators such as !=, >=, >, <, etc., in addition to substring searches.

The “Blocks” and “Depends On” values can now be displayed as columns in a bug list.

There are now INTEGER and DATE custom field types.

Bugzilla is now HTML5 compliant.

When a site administrator creates a new user, an email is sent to the user.

What isn’t included

Unfortunately the “Make Bugzilla Pretty” effort stalled and was replaced by incorporating the theme used by which also unfortunately did not make it into 5.0, but has been rescheduled for 6.0.

GHOST Attack

Another vulnerability has been disclosed that affects many Linux servers. It has been given the moniker GHOST.

During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it — and its impact — thoroughly, and named this vulnerability “GHOST”.

As of yesterday all our servers were patched with the newest glibc version.

Attack of the Poodle

A new security attack (dubbed the POODLE attack) makes continued use of SSLv3 dangerous. So effective immediately, we are dropping support for SSLv3. Browser users will likely see minimal-to-no impact. If you are having an issue please try a newer version of your browser.

Extremely old browsers (specifically IE 6 users on Windows XP) will no longer be able to connect to devZing pages. We performed a traffic analysis that shows this would have affected no customers in the last 90 days.

September Downtime Complete

It took a few hours longer than planned due to the SAN reporting some issues after restarting, but we are back up and running.

XML-RPC Client

From time to time we’ve had people wonder if the XML-RPC API is turned on for their Bugzilla installation. The answer is yes in all cases. Nevertheless it is difficult to verify as Bugzilla will not give you a meaningful response if you go to https://<mybugzilla>/xmlrpc.cgi in your browser.

Other clients want to verify an odd error message they are getting from a tool that integrates with Bugzilla through the XML-RPC API.

To answer these questions we have deployed our online XML-RPC client.


By default it has the URL and credentials for our Bugzilla demo, but you can point it to any Bugzilla with XML-RPC enabled (even

The tricky bit is the parameter XML.

Bugzilla XML-RPC expects a single <struct> element. The names of the parameters listed in the API docs for each function are the <name> element for the struct <member>s. See Bugzilla::WebService::Server::XMLRPC and Bugzilla::WebService for more information.

For example


This is the minimum set of parameters for Bugzilla 4.4.x as almost all methods require authentication.

To retrieve a bug you need to set the method to Bug.get and parameter XML to something like the following:


For more information on how to represent various data types see the XML-RPC specification.
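As an added illustration (not code from the original post or from the Bugzilla project), the following Python uses the standard library's xmlrpc.client to build the single-<struct> parameter Bugzilla expects, to shape-check a hand-written parameter XML, and to decode either a Bug.get result or the fault a misconfigured tool would surface. The authentication parameter names Bugzilla_login and Bugzilla_password are taken from the Bugzilla::WebService documentation rather than from this page, and the sample responses are constructed.

```python
import xmlrpc.client

# Assumptions, not from the page: the authentication parameter names
# Bugzilla_login / Bugzilla_password come from Bugzilla::WebService docs;
# the sample responses below are constructed, not captured from a server.

def build_request(method, params):
    """Serialize one call. Bugzilla wants a single positional parameter that is
    a <struct>; its <member><name>s are the parameter names in the API docs."""
    if not isinstance(params, dict):
        raise TypeError("Bugzilla methods take exactly one <struct> parameter")
    return xmlrpc.client.dumps((params,), methodname=method)

def struct_member_names(request_xml):
    """Parse a methodCall and return (method, member names), so hand-written
    parameter XML like that typed into the online client can be shape-checked."""
    params, method = xmlrpc.client.loads(request_xml)
    if len(params) != 1 or not isinstance(params[0], dict):
        raise ValueError("expected exactly one <struct> parameter")
    return method, sorted(params[0])

def describe_response(response_xml):
    """Decode a methodResponse into the bugs it carries, or into the fault
    code/message, which is usually the 'odd error' an integrating tool shows."""
    try:
        (result,), _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        return {"fault": (fault.faultCode, fault.faultString)}
    return {"bugs": {bug["id"]: bug["summary"] for bug in result["bugs"]}}

# Constructed sample responses: the shape follows Bug.get, the values are made up.
SAMPLE_BUG_GET_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><struct>
<member><name>bugs</name><value><array><data><value><struct>
<member><name>id</name><value><int>1234</int></value></member>
<member><name>summary</name><value><string>Constructed sample bug</string></value></member>
</struct></value></data></array></value></member>
</struct></value></param></params></methodResponse>"""

SAMPLE_FAULT_RESPONSE = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>300</int></value></member>
<member><name>faultString</name><value><string>Constructed sample: login failed</string></value></member>
</struct></value></fault></methodResponse>"""

if __name__ == "__main__":
    req = build_request("Bug.get", {"Bugzilla_login": "user@example.com",
                                    "Bugzilla_password": "secret", "ids": [1234]})
    print(req, struct_member_names(req), describe_response(SAMPLE_FAULT_RESPONSE))
```

Running the block prints the generated methodCall, so the `<struct>`/`<member>`/`<name>` layout described above can be compared directly with what you paste into the parameter XML field.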

All Bugzilla Accounts Upgraded to 4.4.5

Bugzilla 4.4.5 is a security release which addresses the following issue:

Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla’s JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

For more details see:

Interestingly this bug only seems to affect Firefox users.

Bugzilla 4.0.5 Released

The Bugzilla team has released a security fix for Bugzilla 4.0.x.

  • A CSRF vulnerability in the implementation of the XML-RPC API when running under mod_perl could be used to make changes to bugs or execute some admin tasks without the victim’s knowledge.

This defect does not affect any devZing customers. However, all new devZing hosted Bugzilla installs will be created with Bugzilla 4.0.5.

All Instances upgraded to 4.0.4

All Bugzilla hosting customers have been upgraded to Bugzilla 4.0.4.

You can read more about the release at the Bugzilla site.

This release addresses the following security issues:

  • When a user creates a new account, Bugzilla doesn’t correctly reject email addresses containing non-ASCII characters, which could be used to impersonate another user account. Such email addresses could look visually identical to other valid email addresses, and an attacker could try to confuse other users and be added to bugs he shouldn’t have access to.
  • Due to a lack of validation of the Content-Type header when making POST requests to jsonrpc.cgi, a possible CSRF vulnerability was discovered. If a user visits an HTML page with some malicious JS code in it, an attacker could make changes to a remote Bugzilla installation on behalf of the victim’s account by using the JSON-RPC API. The user would have had to be already logged in to the target site for the vulnerability to work.

December Downtime, Revised

Please be advised that there will be an extended system outage starting December 10 03:00 UTC (Dec 9 22:00 New York, Dec 10 14:00 Sydney).

This downtime will last approximately 10 hours.

During this time all equipment will be moved to a new data center. Because this move is an entire data center and not just devZing equipment we do not have any flexibility with regard to the timing of this downtime.

As a result of this move our IP addresses will be changing.

If you have a custom domain name please make sure you are using a CNAME record pointing to rather than an A record pointing to our IP address.