Revisions of mantisbt

Johannes Weberhofer (weberho) accepted request 1128278 from Johannes Weberhofer (weberho) (revision 46)
Removed unnecessary lines which were commented out
Johannes Weberhofer (weberho) accepted request 1082713 from Johannes Weberhofer (weberho) (revision 45)
- MantisBT 2.25.7
- MantisBT 2.25.6
Security and maintenance release addressing an information disclosure issue
(CVE-2023-22476), with thanks to d3vpoo1 for identifying and responsibly
reporting it, as well as a vulnerability in bundled moment.js library
(CVE-2022-31129). This release also resolves over 20 issues including several 
PHP 8.x compatibility fixes.
All installations are strongly advised to upgrade as soon as possible.
Johannes Weberhofer (weberho) accepted request 1033780 from Johannes Weberhofer (weberho) (revision 44)
- MantisBT 2.25.5
  Security and maintenance release
  * security
    - CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection
    - CVE-2022-33910: Stored XSS via SVG file upload
    - Wrong bugnote_user_edit_threshold value used when checking
      permissions to edit bugnote
    - Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8
  * authorization
    - APPLICATION ERROR #13 (access denied) while creating new user when
      threshold configured as MANAGER in administration interface
    - Update issue icon on "My View" page is displayed even without having
      appropriate access rights
    - Update issue icon on "View Issues" page is displayed even without
      having appropriate access rights
  * bugtracker
    - Errors trying to load moment.js library from CDN
    - $g_path incorrectly set in config_defaults_inc.php on PHP 5.6
    - PHP 5.6 support broken
  * filters
    - Create Permalink - special characters handling
  * installation
    - Javascript error in browser console when upgrading
    - Installer's Oracle-specific warning regarding identifiers' length
      is shown initially for MySQL
  * db-mssql
    - APPLICATION ERROR 401 Database query failed. Error received from
      database was #-52: SQLState: IMSSP
  * documentation
    - Impossibility of deleting attachment with form security validation
      turned on
Johannes Weberhofer (weberho) accepted request 970991 from Johannes Weberhofer (weberho) (revision 43)
- MantisBT 2.25.3
  Security and maintenance release
  * security
    - CVE-2021-43257: CSV Injection with CSV Export Feature #0029130
    - CVE-2022-26144: XSS in manage_plugin_page.php and
      manage_plugin_uninstall.php #0029688
    - Update ADOdb to 5.20.21 #0029485
    - Update guzzlehttp/psr7 to 1.8.5 #0029848
    - Update moment.js to 2.29.2 #0029849
  * api rest
    - Slim Application Error when RestFault generated #0028927
  * api soap
    - SOAP call mc_project_get_id_from_name fails when there is no matching 
      project in PHP 7.2 #0029034
  * attachments
    - Adding an attachment with a long filename causes "Data too long for 
      column 'filename'" application error #0029144
  * bugtracker
    - Constant FILTER_SANITIZE_STRING is deprecated #0029845
    - 'format_issue_summary' custom function not called from View Issue 
      Details page #0029181
    - Passing null to parameter of type XXX is deprecated #0029846
  * custom fields
    - APPLICATION ERROR 1300 Custom field not found with case-sensitive 
      database #0029413
  * installation
    - Unable to install #0029462
  * ui
    - Missing closing div tag causes incorrect page footer display #0029416
Johannes Weberhofer (weberho) accepted request 901095 from Johannes Weberhofer (weberho) (revision 42)
- MantisBT 2.25.2
  * CVE-2021-33557: XSS in manage_custom_field_edit_page.php
  * PHP 8: "Bad Request" error on custom field filters
  * Update PHPMailer to 6.5.0

Typos in changelog: "MantisBT"
Johannes Weberhofer (weberho) accepted request 894534 from Johannes Weberhofer (weberho) (revision 41)
- MantisBT 2.25.1
  * administration
    - Error removing project #0028106
  * plug-ins
    - Bundled plugins 2.25.0: incorrect Mantis requirement #0028076
  * security
    - Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) #0028530
  * ui
    - Incorrect spacing between icon and text on manage_user_edit_page.php 
      #0028112
    - Labels for email notifications in User Prefs page appear in bold 
      #0028084
    - Project Edit Page does not display check boxes #0028082
    - Unsightly vertical offset of the "Update Prefs" and "Reset Prefs" 
      buttons. #0028080
Johannes Weberhofer (weberho) accepted request 877786 from Johannes Weberhofer (weberho) (revision 40)
- MantisBT 2.25.0:
  This feature and maintenance release contains over 100 fixes and
  enhancements; among many other things, it improves PHP 8 compatibility, LDAP
  authentication and invalid plugins management. It also includes a schema
  change, so do not forget to upgrade the database as documented in the Admin
  Guide.
  Please note that this will be the last release supporting PHP 5.
  * administration
    - "Add Version" without entering a version number outputs "Operation 
      successful" though no version has actually been added #0027994
    - Attachment settings not available on "Workflow Thresholds" page 
      #0026892
    - Issue revision settings not available on "Workflow Thresholds" page 
      #0027817
    - Manage user page table footer is displayed even when empty #0027387
    - Misleading e-mail notification following password reset by admin 
      #0026884
    - PHP warning in config_get_global #0026798
    - Some config options can be set in database, but should be 
      configurable just in config_inc.php #0027884
    - SQL syntax error on manage_user_page #0027117
    - Sticky setting not available on "Workflow Thresholds" page #0027463
    - When deleting a project, there should be information of how many (if 
      any) issues are affected #0027768
  * api rest
    - /config REST API endpoint reports users as not found when they exist 
      #0026891
    - Errors in API documentation #0026481
    - Incorrect documentation for tags #0027969
    - REST API update issue triggers errors if payload is empty #0027973
    - Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5 #0026919
  * api soap
    - mc_issue_update() throws system warning when Project not specified in 
      IssueData #0027981
  * attachments
    - Improve pop-up description for file icons #0027827
  * authentication
    - Username regex is too strict by default #0026811
  * authorization
    - reporter allowed to close #0026920
  * bugtracker
    - Admin check always has "WARN" for magic_quotes checks (PHP 7.4) 
      #0026964
    - Allow printing of standard confirmation alerts without buttons 
      #0027242
    - bugnote_clear_cache() does not work properly #0027217
    - clickable summaries in view issues page #0008066
    - It is not possible to clear the Default Profile #0027257
    - Profile-related operations lack confirmations #0027259
    - Refactor Profiles management pages to display a list of records 
      #0027256
    - Standardize on IEEE 1541 units (KiB, MiB) for file sizes #0027700
    - Update securimage to 3.6.8 #0027155
  * change log
    - No hyperlinks in Changelog and Roadmap release notes #0027839
  * code cleanup
    - Code cleanup around User/Global Profiles #0027258
    - Convert Project and User Pref APIs to use DbQuery class #0027145
    - Data integrity: ensure users' default_project preference is a valid 
      project #0027144
    - Error handlers use deprecated context parameter #0027703
    - Implement ConfigsGetCommand and use from REST API #0026889
    - Implement LocalizedStringsGetCommand and use from REST API #0026890
    - Move release scripts to main repository #0026903
    - New API function to get User Id by cookie string #0028002
    - PHP notice in manage_user_edit_page.php when given invalid user id 
      #0027573
    - Refactor printing of project selection menus #0026888
    - Remove obsolete 'posted' form param when reporting new issue #0027575
    - Remove Project Info page #0027802
    - Remove unused and regroup duplicated language strings #0027298
    - Remove unused bug_monitor_list_view_inc.php file #0026962
    - Standardize access of option database_version #0026821
    - System notice in lang_error_handler #0027701
    - Unneeded code for option display_project_padding #0027833
    - Use user_is_login_request_allowed() instead of duplicating the logic 
      #0026930
  * custom fields
    - Custom date field with default value left blank even when field is 
      required #0027914
    - Custom fields with comma can't be used in Manage Config Columns page 
      #0026665
    - Incorrect error message when reporting issue with a custom field 
      failing validation #0027576
    - Remove need to use {} for dynamic dates in custom fields default 
      value #0027956
    - Validate date custom fields default value format #0027950
  * db mssql
    - Update ADOdb to 5.20.20 #0026837
  * db postgresql
    - PHP 8.0 PostgreSQL builds fail due to deprecated pg_fieldsize() 
      function #0027830
  * db schema
    - Email field in mantis_email_table is shorter than user email in 
      mantis_user_table #0027982
  * documentation
    - Admin Guide has various broken links, obsolete info, etc. #0026617
    - Fix discrepancies in documentation for $g_display_errors #0027300
    - Host the Example Plugin from the Developers Guide in a repository in 
      mantisbt-plugins organization #0027993
    - Improve Custom Fields documentation #0027983
    - Out of the box Mantis does not display either a Dependency or 
      Relationship Graph #0027584
    - Remove helper_alternate_class() calls from Developers Guide and 
      document alternative #0027992
    - REST API documentation #0025998
  * email
    - Enable S/MIME signed e-mail notifications #0025764
  * filters
    - Preserving filters does not work correctly on sub-sub-projects 
      #0027129
    - search field at project-selection is not working anymore #0027375
  * html
    - Standardize the way fontawesome icons are printed #0027828
  * installation
    - Required PHP json extension not documented and checked #0026974
    - Sourceforge [admin/test_langs.php] File missing from installation
      packages (mantisbt-2.24.3.zip & mantisbt-2.24.3.tar.gz) #0027362
    - Using an empty timezone causes PHP notice on PHP 8 #0027796
  * javascript
    - MantisGraph: stop using chart.js bundled build #0027123
  * ldap
    - Add STARTTLS Support to LDAP #0015361
    - Changed default $g_ldap_protocol_version from 0 to 3. #0027848
    - LDAP configuration options can be set in database #0026822
    - LDAP server must be specified as an URI #0027849
  * localization
    - Confusing message when selecting a project to enter an issue #0011463
    - Improve handling of missing language strings #0027241
  * other
    - Upgrade release build scripts to Python3 #0027384
  * performance
    - Non visible image previews are transferred from server to client 
      #0027150
  * plug-ins
    - 3rd-party plugins cannot use chart.js library bundled with 
      MantisGraph #0027122
    - Admin checks should detect invalid / incorrectly installed plugins 
      #0026143
    - Create cronjob script and plugin event #0027882
    - Force-installed plugins are not registered in order of priority 
      #0027302
    - Improve handling of invalid / incorrectly installed plugins #0026142
    - MantisGraph: update Chart.js library to v2.9.3 #0027124
    - Plugin_force_uninstall is not declared #0012961
    - Tag attach group action doesn't trigger EVENT_TAG_ATTACHED #0027881
    - Validate plugin folder name and name match during setup #0017487
  * preferences
    - issue report TOO_MANY_REDIRECTS #0026988
    - Non existing field name os_version used where os_build should be used 
      #0026840
  * printing
    - Viewer does not get Selection column in View Issues or Print Reports 
      lists #0026839
  * security
    - Printing unsanitized user input in account_prof_edit_page.php #0027853
    - Update PHPMailer to 6.3.0 #0027118
  * sql
    - Error in bug_api.php when UPDATEing a bug #0027113
  * sub-projects
    - Project Menu Bar does not indent subprojects properly #0026887
  * time tracking
    - User list in time tracking summary is not sorted #0027005
  * tools
    - TravisCI: add PHP 8.0 to tests, and switch to bionic build 
      environment #0027829
  * ui
    - Confusing redirection when editing profiles #0027260
    - Horizontal rules (<hr> tag) are nearly invisible #0027978
    - Inconsistent form input labels' font size when HTML label element is 
      used #0027958
    - Left-align the Send Reminder textarea #0027972
    - Manage users edit page: inconsistent spacing between sections #0027574
    - "Move" functionality offered for users that have just access to a 
      single project #0026861
    - Questionable UI / button on "Edit Project Category" page #0027808
    - Upgrade to fontawesome version 4.7.0 #0026823
    - Username field in Monitor box triggers password managers #0026963
    - Wrong page position after bugnote add/edit #0027160
Johannes Weberhofer (weberho) accepted request 864057 from Johannes Weberhofer (weberho) (revision 39)
- MantisBT 2.24.4:
  Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL
  injection in the SOAP API and several information disclosure issues including a
  critical one allowing full access to private issues' contents. All
  installations are strongly advised to upgrade as soon as possible.
  This release also includes a few PHP 8.0 compatibility fixes, including a
  major one causing an access denied error for all users when updating issues.
  * Attacker can leak private information via different functionality 
    - CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
    - CVE-2020-29605: Disclosure of private issue summary
    - CVE-2020-29603: Disclosure of private project name
  * Private category can be accessed/used by a non member of a private project (IDOR)
  * CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  * User Account - Takeover
  * Fixed in version can be changed to a version that doesn't exist
  * When updating an issue, a Viewer user can be set as Reporter
  * CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
  * CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function through the API SOAP.
  * inconsistent UI for view bugnote revision
  * Printing unsanitized user input in install.php
  * print_manage_user_sort_link Function Parameter Required after Optional
  * Declaring a required parameter after an optional one is deprecated in PHP 8
  * Javascript error in View Issues page
  * Adapt Error handler to PHP 8
  * Impossible to edit issues with PHP8
Johannes Weberhofer (weberho) accepted request 799212 from Johannes Weberhofer (weberho) (revision 36)
- MantisBT 2.24.0
  * administration
    - how can I allow user to view only the issue that assigned to them #0010831
  * api rest
    - Passing invalid id to rest api custom field update causes program crash #0026541
    - Passing out of range custom field id causes multiple PHP warnings / 
      incorrect response #0026542
    - Passing unsanitized data to type hinted function causes program crash #0026540
    - Support user password reset via REST API #0026632
    - Update GuzzleHttp from 6.4.1 to 6.5.2 #0026441
  * authentication
    - login username is not trimmed #0025097
  * bugtracker
    - Allow multiple, customizable due date levels #0026438
    - Change of due date background color #0016869
    - Implement limit_reporters as a threshold #0023570
    - Inheritance of sub project not read correctly from database #0026765
    - Make category on bug_report_page a required field when 
      $g_allow_no_category = OFF; #0026686
    - Mass update does not allow setting an empty category #0026690
    - Reporter can't see an issue they have been made a monitor of #0015466
    - Required fields when reporting an issue, should also be when updating it #0026687
  * code cleanup
    - Code Cleanup #0026567
    - Remove $g_log_destination 'firebug' option, as the project is dead 
      since 2017 #0026572
  * customization
    - Retire bug_change_status_page_fields config option #0026778
  * db mssql
    - Update ADOdb to 5.20.16 #0026598
  * documentation
    - Admin Guide: remove doc for long-deprecated $g_ldap_port config #0026589
  * email
    - Update phpmailer/phpmailer from 6.1.3 to 6.1.4 #0026475
  * feature
    - Limit reporter's access to their own issues #0009534
  * filters
    - BugFilterQuery - issue? - trying to add join & where conditions #0024600
    - Wrong filtering by none-relationship #0026621
  * installation
    - Add informational comments to SQL script generated by installer #0026661
    - Allow admin to reset table pre/suffix to their default values #0026664
    - Apostrophe in custom_field_string table causes upgrade from < 1.2.0 
      to fail #0026636
    - Final statement to set database version not logged in SQL script #0026662
    - improve installer messages when generating SQL script #0026663
    - Use appropriate statement to update DB schema when generating SQL 
      #0026568
  * localization
    - lang_get_defaulted does not search for fallback language #0021201
  * plug-ins
    - Improve MantisColumn sort capability to allow sorting by more complex 
      expressions #0026612
    - New Event: EVENT_MENU_ISSUE_RELATIONSHIP #0011365
    - No equivalent to lang_get_defaulted() in plugin_api() #0026747
  * relationships
    - Dependency Graph crash on circular parent child relationships #0011381
    - Relationship Graph - inconsistency between button label and title #0026165
    - Relationship Graph page is missing legend #0026164
    - Relationship Graph page UI lacks MantisBT 2.x layout #0026163
  * reports
    - Display issue Summary inside relation graph nodes #0017594
    - Wrong number of displayed rows on summary page #0026555
  * roadmap
    - User can't see in roadmap a private issue that they reported #0025115
  * rss
    - Access of non existent image in RSS feeds #0021133
  * time tracking
    - Cell coloring for due date indicates "overdue" when not overdue yet. #0009155
  * ui
    - Generate token with empty name and APPLICATION ERROR #11 #0026623
    - Incorrect CSS rules get applied if a word in custom field name 
      matches an existing CSS class #0026473
    - Issue list throws warning on every issue without bug notes. #0026439
    - on mantisbt.org Roadmap progress bar 'data-percent' class could stand 
      out better #0022142
    - Provide a way to 'show content' for all complex items on Manage 
      Configuration Report page #0026712
Johannes Weberhofer (weberho) accepted request 762074 from Johannes Weberhofer (weberho) (revision 35)
- Move admin files to /usr/share/php[57] to have them available for system updates
- A POST script has been added which copies the admin files, executes them 
  and removes the files after a successful update
- Cleaned up the spec
- Fully removed former mantisbt-install package
Johannes Weberhofer (weberho) accepted request 712977 from Johannes Weberhofer (weberho) (revision 30)
- MantisBT 2.21.1
  * administration
    - Button label truncated on manage_config_workflow_page #0025783
    - LOGFILE_NOT_WRITABLE error triggered if file does not exist #0025734
    - Wrong access_level settings when updating rights in the project admin 
      page #0025722
  * attachments
    - File upload timeout #0025763
  * other
    - Summary "By Date (days)" gets wrong number #0025742
  * reports
    - Summary statistics db error message #0025781
Johannes Weberhofer (weberho) accepted request 706272 from Johannes Weberhofer (weberho) (revision 29)
- MantisBT 2.21
  * administration
    - E_USER_DEPRECATED errors are no longer displayed inline #0025629
    - If log file is not writable, log_event() fails silently #0019642
    - PHP Notice or incorrect file+line number when displaying DEPRECATED 
      error #0025631
  * api rest
    - Inconsistent naming of username field in REST API #0025688
    - Update Slim Framework to 3.12.1 #0025703
  * bugtracker
    - Redirect to the new issue's page after reporting it #0025695
  * customization
    - Modification to status colors css #0023550
  * documentation
    - Encoding of custom files not documented #0022143
    - Upgrade guide does not mention plugins #0022972
  * filters
    - sub-project assignments missing from project-specific My View page 
      #0023333
  * installation
    - Missing file (api/rest/web.config) in installer #0025614
  * ldap
    - LDAP documentation - Remove invalid 'hostname:port' example #0025664
  * performance
    - Improve performance of Summary Page queries #0025693
    - Update color when new Status is selected in Bug Update Page #0025651
  * plug-ins
    - View Issue page menu links from EVENT MENU_ISSUE event are
      wrapped with "[", "-" characters #0023694
  * timeline
    - My View page without timeline does not respect the 
      $g_my_view_boxes_fixed_position setting #0022096
  * ui
    - Focus on project search #0023037
    - My View Page layout misses some boxes #0022104
    - Plugin tab in Summary section not highlighted when selected #0023418
    - Projects menu search box should be hidden when having a small number 
      of projects #0025594
    - Show Invite button for users with manage users access level, not just 
      administrators #0025682
    - Show status with a color square instead of background color on Bug 
      Update Page #0025650
    - Uneven distribution of boxes on My View page when Timeline is OFF 
      #0025679
Johannes Weberhofer (weberho) accepted request 664620 from Johannes Weberhofer (weberho) (revision 27)
- MantisBT 2.19
  https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.19.0
  * Updates: ADOdb, Guzzle, Slim Framework, PHPMailer, 
    Disposable Email Checker 
  * Fixed installation issue (memory_limit test fails when memory_limit 
    is set to -1, PHP 7.3 issue)
  * Fixed authentication issues
  * Improved form handling for password managers
  * Fixed some UI issues
  * Code cleanup
- Updated file lists, removed additional files not used in distribution
Displaying revisions 1 - 20 of 46