r=dkl,a=sgreen

Bug 1061247 - Successfully using a password change token should invalidate all other password change tokens for that user
r=gerv a=glob

r=dkl a=sgreen

Bug 1046145: It is no longer possible to cancel an email address change when this one has already been confirmed
r=dkl a=sgreen

r=gerv a=justdave

Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password"
r=dkl a=LpSolit

r=wicked a=LpSolit

Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request
r=reed a=LpSolit

r/a=LpSolit

Bug 752303: It is no longer possible to cancel an email address change when this one has already been confirmed
r/a=LpSolit

r=glob a=LpSolit

Bug 680131: Replace the MPL 1.1 license by the MPL 2.0 one in all files, and add it to files which miss one
r=kiko r=mkanat r=mrbball a=LpSolit

Bug 711714: (CVE-2011-3667) [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
r=glob a=LpSolit

Bug 677901: Bugzilla crashes when no token is passed to token.cgi but the script expects one, because tokens are incorrectly validated
r/a=mkanat

r/a=mkanat

Bug 565879: Merge ThrowCodeError("action_unrecognized"), ThrowUserError("no_valid_action") and ThrowCodeError("unknown_action")
r=ghendricks a=LpSolit

Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat

Bug 508189: (CVE-2009-3166) [SECURITY] Logging in after changing your password would expose your new password in the URL
Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=mkanat

Bug 349336: Automatically log in the user when he chooses his password to create his new account - Patch by FrÃdÃric Buclin <LpSolit@gmail.com> r/a=mkanat

(original patch r/a=mkanat)

Bug 452519: Fix timezones in emails - Patch by FrÃdÃric Buclin <LpSolit@gmail.com> r=wicked a=LpSolit

Bug 455814: token.cgi should reject password change requests for disabled accounts - Patch by FrÃdÃric Buclin <LpSolit@gmail.com> r=ghendricks a=LpSolit

Bug 455815: Remove global variables from token.cgi - Patch by FrÃdÃric Buclin <LpSolit@gmail.com> r/a=mkanat

doesn't protect WebService calls at all
Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat

in the respective bug reports.

Bug 428659 – Setting SSL param to 'authenticated sessions' only
protects logins and param doesn't protect WebService calls at all
Patch by Dave Lawrence <dkl@redhat.com> - r/a=mkanat

Bug 445104: ssl redirects come with a 200 OK HTTP code on mod_perl
Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat

Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all
Patch by Dave Lawrence <dkl@redhat.com> - r/a=mkanat

Bug 405946: Some emails are not sent in the language chosen by the addressee - Patch by FrÃdÃric Buclin <LpSolit@gmail.com> r=wurblzap a=LpSolit

Bug 403834: Replace table locks with database transactions in tokens, votes, and sanitycheck - Patch by Emmanuel Seyman <eseyman@linagora.com> r/a=mkanat

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit

r=lpsolit a=lpsolit

r=lpsolit a=lpsolit

Bug 340538: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/site_perl/5.8.6/Mail/Mailer/sendmail.pm line 16.
Patch by Marc Schumann <wurblzap@gmail.com>,
r=LpSolit, a=myk

Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=myk

Bug 87795: Creating an account should send token and wait for confirmation (prevent user account abuse) - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=bkor a=myk