Revisions of mantisbt
Johannes Weberhofer (weberho) accepted request 1128278 from Johannes Weberhofer (weberho) (revision 46)
Removed unnecessary lines which were commented out

Johannes Weberhofer (weberho) accepted request 1082713 from Johannes Weberhofer (weberho) (revision 45)
- MantisBT 2.25.7
- MantisBT 2.25.6 Security and maintenance release addressing an information disclosure issue (CVE-2023-22476), with thanks to d3vpoo1 for identifying and responsibly reporting it, as well as a vulnerability in bundled moment.js library (CVE-2022-31129). This release also resolves over 20 issues including several PHP 8.x compatibility fixes. All installations are strongly advised to upgrade as soon as possible.

Johannes Weberhofer (weberho) accepted request 1033780 from Johannes Weberhofer (weberho) (revision 44)
- MantisBT 2.25.5 Security and maintenance release
  * security
    - CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection
    - CVE-2022-33910: Stored XSS via SVG file upload
    - Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote
    - Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8
  * authorization
    - APPLICATION ERROR #13 (access denied) while creating new user when threshold configured as MANAGER in administration interface
    - Update issue icon on "My View" page is displayed even without having appropriate access rights
    - Update issue icon on "View Issues" page is displayed even without having appropriate access rights
  * bugtracker
    - Errors trying to load moment.js library from CDN
    - $g_path incorrectly set in config_defaults_inc.php on PHP 5.6
    - PHP 5.6 support broken
  * filters
    - Create Permalink - special characters handling
  * installation
    - Javascript error in browser console when upgrading
    - Installer's Oracle-specific warning regarding identifiers' length is shown initially for MySQL
  * db-mssql
    - APPLICATION ERROR 401 Database query failed. Error received from database was #-52: SQLState: IMSSP
  * documentation
    - Impossibility of deleting attachment with form security validation turned on

Johannes Weberhofer (weberho) accepted request 970991 from Johannes Weberhofer (weberho) (revision 43)
- MantisBT 2.25.3 Security and maintenance release
  * security
    - CVE-2021-43257: CSV Injection with CSV Export Feature #0029130
    - CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php #0029688
    - Update ADOdb to 5.20.21 #0029485
    - Update guzzlehttp/psr7 to 1.8.5 #0029848
    - Update moment.js to 2.29.2 #0029849
  * api rest
    - Slim Application Error when RestFault generated #0028927
  * api soap
    - SOAP call mc_project_get_id_from_name fails when there is no matching project in PHP 7.2 #0029034
  * attachments
    - Adding an attachment with a long filename causes "Data too long for column 'filename'" application error #0029144
  * bugtracker
    - Constant FILTER_SANITIZE_STRING is deprecated #0029845
    - 'format_issue_summary' custom function not called from View Issue Details page #0029181
    - Passing null to parameter of type XXX is deprecated #0029846
  * custom fields
    - APPLICATION ERROR 1300 Custom field not found with case-sensitive database #0029413
  * installation
    - Unable to install #0029462
  * ui
    - Missing closing div tag causes incorrect page footer display #0029416

Johannes Weberhofer (weberho) accepted request 901095 from Johannes Weberhofer (weberho) (revision 42)
- MantisBT 2.25.2
  * CVE-2021-33557: XSS in manage_custom_field_edit_page.php
  * PHP 8: "Bad Request" error on custom field filters
  * Update PHPMailer to 6.5.0
Typos in changelog: "MantisBT"

Johannes Weberhofer (weberho) accepted request 894534 from Johannes Weberhofer (weberho) (revision 41)
- MantisBT 2.25.1
  * administration
    - Error removing project #0028106
  * plug-ins
    - Bundled plugins 2.25.0: incorrect Mantis requirement #0028076
  * security
    - Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) #0028530
  * ui
    - Incorrect spacing between icon and text on manage_user_edit_page.php #0028112
    - Labels for email notifications in User Prefs page appear in bold #0028084
    - Project Edit Page does not display check boxes #0028082
    - Unsightly vertical offset of the "Update Prefs" and "Reset Prefs" buttons. #0028080

Johannes Weberhofer (weberho) accepted request 877786 from Johannes Weberhofer (weberho) (revision 40)
- MantisBT 2.25.0: This feature and maintenance release contains over 100 fixes and enhancements; among many other things, it improves PHP 8 compatibility, LDAP authentication and invalid plugins management. It also includes a schema change, so do not forget to upgrade the database as documented in the Admin Guide. Please note that this will be the last release supporting PHP 5;
  * administration
    - "Add Version" without entering a version number outputs "Operation successful" though no version has actually been added #0027994
    - Attachment settings not available on "Workflow Thresholds" page #0026892
    - Issue revision settings not available on "Workflow Thresholds" page #0027817
    - Manage user page table footer is displayed even when empty #0027387
    - Misleading e-mail notification following password reset by admin #0026884
    - PHP warning in config_get_global #0026798
    - Some config options can be set in database, but should be configurable just in config_inc.php #0027884
    - SQL syntax error on manage_user_page #0027117
    - Sticky setting not available on "Workflow Thresholds" page #0027463
    - When deleting a project, there should be information of how many (if any) issues are affected #0027768
  * api rest
    - /config REST API endpoint reports users as not found when they exist #0026891
    - Errors in API documentation #0026481
    - Incorrect documentation for tags #0027969
    - REST API update issue triggers errors if payload is empty #0027973
    - Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5 #0026919
  * api soap
    - mc_issue_update() throws system warning when Project not specified in IssueData #0027981
  * attachments
    - Improve pop-up description for file icons #0027827
  * authentication
    - Username regex is too strict by default #0026811
  * authorization
    - reporter allowed to close #0026920
  * bugtracker
    - Admin check always has "WARN" for magic_quotes checks (PHP 7.4) #0026964
    - Allow printing of standard confirmation alerts without buttons #0027242
    - bugnote_clear_cache() does not work properly #0027217
    - clickable summaries in view issues page #0008066
    - It is not possible to clear the Default Profile #0027257
    - Profile-related operations lack confirmations #0027259
    - Refactor Profiles management pages to display a list of records #0027256
    - Standardize on IEEE 1541 units (KiB, MiB) for file sizes #0027700
    - Update securimage to 3.6.8 #0027155
  * change log
    - No hyperlinks in Changelog and Roadmap release notes #0027839
  * code cleanup
    - Code cleanup around User/Global Profiles #0027258
    - Convert Project and User Pref APIs to use DbQuery class #0027145
    - Data integrity: ensure users' default_project preference is a valid project #0027144
    - Error handlers use deprecated context parameter #0027703
    - Implement ConfigsGetCommand and use from REST API #0026889
    - Implement LocalizedStringsGetCommand and use from REST API #0026890
    - Move release scripts to main repository #0026903
    - New API function to get User Id by cookie string #0028002
    - PHP notice in manage_user_edit_page.php when given invalid user id #0027573
    - Refactor printing of project selection menus #0026888
    - Remove obsolete 'posted' form param when reporting new issue #0027575
    - Remove Project Info page #0027802
    - Remove unused and regroup duplicated language strings #0027298
    - Remove unused bug_monitor_list_view_inc.php file #0026962
    - Standardize access of option database_version #0026821
    - System notice in lang_error_handler #0027701
    - Unneeded code for option display_project_padding #0027833
    - Use user_is_login_request_allowed() instead of duplicating the logic #0026930
  * custom fields
    - Custom date field with default value left blank even when field is required #0027914
    - Custom fields with comma can't be used in Manage Config Columns page #0026665
    - Incorrect error message when reporting issue with a custom field failing validation #0027576
    - Remove need to use {} for dynamic dates in custom fields default value #0027956
    - Validate date custom fields default value format #0027950
  * db mssql
    - Update ADOdb to 5.20.20 #0026837
  * db postgresql
    - PHP 8.0 PostgreSQL builds fail due to deprecated pg_fieldsize() function #0027830
  * db schema
    - Email field in mantis_email_table is shorter than user email in mantis_user_table #0027982
  * documentation
    - Admin Guide has various broken links, obsolete info, etc. #0026617
    - Fix discrepancies in documentation for $g_display_errors #0027300
    - Host the Example Plugin from the Developers Guide in a repository in mantisbt-plugins organization #0027993
    - Improve Custom Fields documentation #0027983
    - Out of the box Mantis does not display either a Dependency or Relationship Graph #0027584
    - Remove helper_alternate_class() calls from Developers Guide and document alternative #0027992
    - REST API documentation #0025998
  * email
    - Enable S/MIME signed e-mail notifications #0025764
  * filters
    - Preserving filters does not work correctly on sub-sub-projects #0027129
    - search field at project-selection is not working anymore #0027375
  * html
    - Standardize the way fontawesome icons are printed #0027828
  * installation
    - Required PHP json extension not documented and checked #0026974
  * installation] Sourceforge [admin/test_langs.php - File missing from installation packages ( mantisbt-2.24.3.zip & mantisbt-2.24.3.tar.gz) #0027362
  * installation
    - Using an empty timezone causes PHP notice on PHP 8 #0027796
  * javascript
    - MantisGraph: stop using chart.js bundled build #0027123
  * ldap
    - Add STARTTLS Support to LDAP #0015361
    - Changed default $g_ldap_protocol_version from 0 to 3. #0027848
    - LDAP configuration options can be set in database #0026822
    - LDAP server must be specified as an URI #0027849
  * localization
    - Confusing message when selecting a project to enter an issue #0011463
    - Improve handling of missing language strings #0027241
  * other
    - Upgrade release build scripts to Python3 #0027384
  * performance
    - Non visible image previews are transferred from server to client #0027150
  * plug-ins
    - 3rd-party plugins cannot use chart.js library bundled with MantisGraph #0027122
    - Admin checks should detect invalid / incorrectly installed plugins #0026143
    - Create cronjob script and plugin event #0027882
    - Force-installed plugins are not registered in order of priority #0027302
    - Improve handling of invalid / incorrectly installed plugins #0026142
    - MantisGraph: update Chart.js library to v2.9.3 #0027124
    - Plugin_force_uninstall is not declared #0012961
    - Tag attach group action doesn't trigger EVENT_TAG_ATTACHED #0027881
    - Validate plugin folder name and name match during setup #0017487
  * preferences
    - issue report TOO_MANY_REDIRECTS #0026988
    - Non existing field name os_version used where os_build should be used #0026840
  * printing
    - Viewer does not get Selection column in View Issues or Print Reports lists #0026839
  * security
    - Printing unsanitized user input in account_prof_edit_page.php #0027853
    - Update PHPMailer to 6.3.0 #0027118
  * sql
    - Error in bug_api.php when UPDATEing a bug #0027113
  * sub-projects
    - Project Menu Bar does not indent subprojects properly #0026887
  * time tracking
    - User list in time tracking summary is not sorted #0027005
  * tools
    - TravisCI: add PHP 8.0 to tests, and switch to bionic build environment #0027829
  * ui
    - Confusing redirection when editing profiles #0027260
    - Horizontal rules (<hr> tag) are nearly invisible #0027978
    - Inconsistent form input labels' font size when HTML label element is used #0027958
    - Left-align the Send Reminder textarea #0027972
    - Manage users edit page: inconsistent spacing between sections #0027574
    - "Move" functionality offered for users that have just access to a single project #0026861
    - Questionable UI / button on "Edit Project Category" page #0027808
    - Upgrade to fontawesome version 4.7.0 #0026823
    - Username field in Monitor box triggers password managers #0026963
    - Wrong page position after bugnote add/edit #0027160

Johannes Weberhofer (weberho) accepted request 864057 from Johannes Weberhofer (weberho) (revision 39)
- MantisBT 2.24.4: Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible. This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.
  * Attacker can leak private information via different functionality
    - CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
    - CVE-2020-29605: Disclosure of private issue summary
    - CVE-2020-29603: Disclosure of private project name
  * Private category can be accessed/used by a non member of a private project (IDOR)
  * CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  * User Account - Takeover
  * Fixed in version can be changed to a version that doesn't exist
  * When updating an issue, a Viewer user can be set as Reporter
  * CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
  * CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function through the API SOAP.
  * inconsistent UI for view bugnote revision
  * Printing unsanitized user input in install.php
  * print_manage_user_sort_link Function Parameter Required after Optional
  * Declaring a required parameter after an optional one is deprecated in PHP 8
  * Javascript error in View Issues page
  * Adapt Error handler to PHP 8
  * Impossible to edit issues with PHP8

Andreas Stieger (AndreasStieger) accepted request 837925 from Andreas Stieger (AndreasStieger) (revision 38)
MantisBT 2.24.3

Andreas Stieger (AndreasStieger) accepted request 825744 from Andreas Stieger (AndreasStieger) (revision 37)
MantisBT 2.24.2

Johannes Weberhofer (weberho) accepted request 799212 from Johannes Weberhofer (weberho) (revision 36)
- MantisBT 2.24.0
  * administration
    - how can I allow user to view only the issue that assigned to them #0010831
  * api rest
    - Passing invalid id to rest api custom field update causes program crash #0026541
    - Passing out of range custom field id causes multiple PHP warnings / incorrect response #0026542
    - Passing unsanitized data to type hinted function causes program crash #0026540
    - Support user password reset via REST API #0026632
    - Update GuzzleHttp from 6.4.1 to 6.5.2 #0026441
  * authentication
    - login username is not trimmed #0025097
  * bugtracker
    - Allow multiple, customizable due date levels #0026438
    - Change of due date background color #0016869
    - Implement limit_reporters as a threshold #0023570
    - Inheritance of sub project not read correctly from database #0026765
    - Make category on bug_report_page a required field when $g_allow_no_category = OFF; #0026686
    - Mass update does not allow setting an empty category #0026690
    - Reporter can't see an issue they have been made a monitor of #0015466
    - Required fields when reporting an issue, should also be when updating it #0026687
  * code cleanup
    - Code Cleanup #0026567
    - Remove $g_log_destination 'firebug' option, as the project is dead since 2017 #0026572
  * customization
    - Retire bug_change_status_page_fields config option #0026778
  * db mssql
    - Update ADOdb to 5.20.16 #0026598
  * documentation
    - Admin Guide: remove doc for long-deprecated $g_ldap_port config #0026589
  * email
    - Update phpmailer/phpmailer from 6.1.3 to 6.1.4 #0026475
  * feature
    - Limit reporter's access to their own issues #0009534
  * filters
    - BugFilterQuery - issue? - trying to add join & where conditions #0024600
    - Wrong filtering by none-relationship #0026621
  * installation
    - Add informational comments to SQL script generated by installer #0026661
    - Allow admin to reset table pre/suffix to their default values #0026664
    - Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail #0026636
    - Final statement to set database version not logged in SQL script #0026662
    - improve installer messages when generating SQL script #0026663
    - Use appropriate statement to update DB schema when generating SQL #0026568
  * localization
    - lang_get_defaulted does not search for fallback language #0021201
  * plug-ins
    - Improve MantisColumn sort capability to allow sorting by more complex expressions #0026612
    - New Event: EVENT_MENU_ISSUE_RELATIONSHIP #0011365
    - No equivalent to lang_get_defaulted() in plugin_api() #0026747
  * relationships
    - Dependency Graph crash on circular parent child relationships #0011381
    - Relationship Graph - inconsistency between button label and title #0026165
    - Relationship Graph page is missing legend #0026164
    - Relationship Graph page UI lacks MantisBT 2.x layout #0026163
  * reports
    - Display issue Summary inside relation graph nodes #0017594
    - Wrong number of displayed rows on summary page #0026555
  * roadmap
    - User can't see in roadmap a private issue that they reported #0025115
  * rss
    - Access of non existent image in RSS feeds #0021133
  * time tracking
    - Cell coloring for due date indicates "overdue" when not overdue yet. #0009155
  * ui
    - Generate token with empty name and APPLICATION ERROR #11 #0026623
    - Incorrect CSS rules get applied if a word in custom field name matches an existing CSS class #0026473
    - Issue list throws warning on every issue without bug notes. #0026439
    - on mantisbt.org Roadmap progress bar 'data-percent' class could stand out better #0022142
    - Provide a way to 'show content' for all complex items on Manage Configuration Report page #0026712

Johannes Weberhofer (weberho) accepted request 762074 from Johannes Weberhofer (weberho) (revision 35)
- Move admin files to /usr/share/php[57] to have them available for system updates
- A POST script has been added which copies the admin files, executes them and removes the files after a successful update
- Cleaned up the spec
- Fully removed former mantisbt-install package

Johannes Weberhofer (weberho) accepted request 756722 from Johannes Weberhofer (weberho) (revision 34)
MantisBT 2.23.0

Andreas Stieger (AndreasStieger) accepted request 755470 from Andreas Stieger (AndreasStieger) (revision 33)
MantisBT 2.22.2

Johannes Weberhofer (weberho) accepted request 733902 from Andreas Stieger (AndreasStieger) (revision 32)
MantisBT 2.22.1

Johannes Weberhofer (weberho) accepted request 727252 from Johannes Weberhofer (weberho) (revision 31)
MantisBT 2.22.0

Johannes Weberhofer (weberho) accepted request 712977 from Johannes Weberhofer (weberho) (revision 30)
- MantisBT 2.21.1
  * administration
    - Button label truncated on manage_config_workflow_page #0025783
    - LOGFILE_NOT_WRITABLE error triggered if file does not exist #0025734
    - Wrong access_level settings when updating rights in the project admin page #0025722
  * attachments
    - File upload timeout #0025763
  * other
    - Summary "By Date (days)" gets wrong number #0025742
  * reports
    - Summary statistics db error message #0025781

Johannes Weberhofer (weberho) accepted request 706272 from Johannes Weberhofer (weberho) (revision 29)
- MantisBT 2.21
  * administration
    - E_USER_DEPRECATED errors are no longer displayed inline #0025629
    - If log file is not writable, log_event() fails silently #0019642
    - PHP Notice or incorrect file+line number when displaying DEPRECATED error #0025631
  * api rest
    - Inconsistent naming of username field in REST API #0025688
    - Update Slim Framework to 3.12.1 #0025703
  * bugtracker
    - Redirect to the new issue's page after reporting it #0025695
  * customization
    - Modification to status colors css #0023550
  * documentation
    - Encoding of custom files not documented #0022143
    - Upgrade guide does not mention plugins #0022972
  * filters
    - sub-project assignments missing from project-specific My View page #0023333
  * installation
    - Missing file (api/rest/web.config) in installer #0025614
  * ldap
    - LDAP documentation - Remove invalid 'hostname:port' example #0025664
  * performance
    - Improve performance of Summary Page queries #0025693
    - Update color when new Status is selected in Bug Update Page #0025651
  * plug-ins
    - View Issue page menu links from EVENT MENU_ISSUE event are wrapped with "[", "-" characters #0023694
  * timeline
    - My View page without timeline does not respect the $g_my_view_boxes_fixed_position setting #0022096
  * ui
    - Focus on project search #0023037
    - My View Page layout misses some boxes #0022104
    - Plugin tab in Summary section not highlighted when selected #0023418
    - Projects menu search box should be hidden when having a small number of projects #0025594
    - Show Invite button for users with manage users access level, not just administrators #0025682
    - Show status with a color square instead of background color on Bug Update Page #0025650
    - Uneven distribution of boxes on My View page when Timeline is OFF #0025679

Johannes Weberhofer (weberho) accepted request 686061 from Johannes Weberhofer (weberho) (revision 28)
MantisBT 2.20

Johannes Weberhofer (weberho) accepted request 664620 from Johannes Weberhofer (weberho) (revision 27)
- MantisBT 2.19 https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.19.0
  * Updates: ADOdb, Guzzle, Slim Framework, PHPMailer, Disposable Email Checker
  * Fixed installation issue (memory_limit test fails when memory_limit is set to -1, PHP 7.3 issue)
  * Fixed authentication issues
  * Improved form handling for password managers
  * Fixed some UI issues
  * Code cleanup
- Updated file lists, removed additional files not used in distribution

Displaying revisions 1 - 20 of 46