File mantisbt.changes of Package mantis
-------------------------------------------------------------------
Sun Sep 29 06:41:31 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>
- MantisBT 1.3.20:
* CVE-2019-15715: Command execution / injection vulnerability
* SOAP API return value did not match definition in WSDL
* Update ADOdb to 5.20.14 for security and compatibility fixes
* Remove usage of deprecated function __autoload
* Update to PHPMailer 5.2.27
-------------------------------------------------------------------
Fri Sep 14 07:14:29 UTC 2018 - astieger@suse.com
- MantisBT 1.3.16:
* CVE-2018-14895: XSS in bug_actiongroup.php
-------------------------------------------------------------------
Tue May 15 09:16:07 UTC 2018 - astieger@suse.com
- MantisBT 1.3.15:
* CVE-2018-9839: Private issues accessible to unauthorized users
using the "Clone" functionality
-------------------------------------------------------------------
Thu Feb 8 11:23:48 UTC 2018 - astieger@suse.com
- MantisBT 1.3.14:
* CVE-2018-6403: XSS in adm_config_report.php 'value' parameter
- includes changes from 1.3.13:
* mc_project_get_issues_for_user() is retrieving issues in the
authorization context of target user
-------------------------------------------------------------------
Mon Sep 4 15:04:39 UTC 2017 - astieger@suse.com
- MantisBT 1.3.12:
* CVE-2017-12061: XSS in /admin/install.php script
drop CVE-2017-12061.patch
* Improve doc and notifications when admin dir is present (CVE-2017-12419)
-------------------------------------------------------------------
Tue Aug 1 22:51:31 UTC 2017 - astieger@suse.com
- CVE-2017-12061: XSS in /admin/install.php script (bsc#1051697)
add CVE-2017-12061.patch
-------------------------------------------------------------------
Mon May 22 20:30:58 UTC 2017 - astieger@suse.com
- MantisBT 1.3.11:
* CVE-2017-7620: CSRF - Arbitrary Permalink Injection
* CVE-2017-7620: Open redirection vulnerability in /login_page.php
* Use of 'mantis' as plugin table prefix prevents plugin's
installation
-------------------------------------------------------------------
Mon Apr 17 05:36:46 UTC 2017 - astieger@suse.com
- MantisBT 1.3.10:
* CVE-2017-7615: Account verification page allows resetting any
user's password (bsc#1034333)
- includes changes from 1.3.9:
* Installation on MSSQL fails at step 209
* CVE-2017-7241: XSS in move_attachments_page.php (bsc#1031807)
* CVE-2017-7309: XSS in adm_config_report.php (bsc#1031807)
* File upload to MS-SQL not working
- includes changes from 1.3.8:
* CVE-2017-6973: XSS in adm_config_report.ph (bsc#1031807)p
* Resolution changes in some cases when closing issues
- includes changes from 1.3.7:
* documentation fixes
* typo error for the email_receive_own parameter
* drop CVE-2017-6797.patch, now upstream
-------------------------------------------------------------------
Sat Mar 11 08:30:56 UTC 2017 - astieger@suse.com
- Fix CVE-2017-6797: XSS in bug status page
add CVE-2017-6797.patch
- Make the provided "mantis" resolvable a versioned one
-------------------------------------------------------------------
Mon Feb 20 19:41:31 UTC 2017 - astieger@suse.com
- MantisBT 1.3.6:
* security: Update .htaccess files to support Apache 2.4 new
authz syntax
* security: Update PHPMailer to 5.2.22 boo#1020141 CVE-2017-5223
* Hide non-mysql experimental DB's for new installation
* Database log for postgres/oracle not showing parameter
substitution
* Database log does not show boolean parameters correctly
* Update securimage to 3.6.5
* documentation updates
* printing fixes
-------------------------------------------------------------------
Thu Jan 5 14:37:21 UTC 2017 - astieger@suse.com
- MantisBT 1.3.5:
* security fix: Potentially serious RCE vulnerability in bundled
PHPMailer before 5.2.18 (CVE-2016-10033)
* performance improvements, bugfixes, UI fixes and improvements
- MantisBS 1.3.4:
* security fix: Handlers(Assignees) are visible when editing an
issue even if they are not visible when viewing it
* performance improvements, bugfixes, UI fixes and improvements
-------------------------------------------------------------------
Mon Oct 31 07:32:49 UTC 2016 - astieger@suse.com
- MantisBT 1.3.3, a bugfix release:
* various fixes for bugs in the UI, behavior and code
* documentation updates
-------------------------------------------------------------------
Sun Oct 30 09:55:01 UTC 2016 - astieger@suse.com
- MantisBt 1.3.2, a bugfix update:
* documentation updates
* Various bug fixes and compatible feature updates
* Fix Invalid Strict-Transport-Security header when server would
already send it anyway
-------------------------------------------------------------------
Thu Sep 1 00:28:49 UTC 2016 - astieger@suse.com
- MantisBt 1.3.1, a security and bugfix update
* CVE-2016-7111: Content Security Policy is weakened by Gravatar plugin
* CVE-2016-6837: XSS vulnerability in view_all_bug_page.php
* various bug fixes
-------------------------------------------------------------------
Tue Jul 12 16:59:23 UTC 2016 - astieger@suse.com
- MantisBT 1.3.0, a security and feature update
- New features:
* @ mentions support
* Support for avatar plugins - shipping Gravatar out of the
* Support for user lifecycle plugin events
* Allow administrators to impersonate users
* Support for notes and tags as columns to configure for view
issues, print issues, csv/excel export
* Support for login using email address
* Enforcing email uniqueness
* Enable configuration for email notifications for category owner
* Re-implemented parsing of complex configuration types for
Configuration Report
* Tagging directly from report issue page
* Timeline feature
* Users can now generate API tokens
* Anti-spam feature to limit the number of issues from new users
* Memo custom fields
* jQuery and jQueryUI are now included in core
* PHP version compatibility up to PHP 5.6 and PHP 7.
* Better generated HTML, relying on CSS instead of inline styles
and reducing use of tables for layout
* HTML5 doctype – Lots of improvements to generated markup.
* Out-of-the-box support for Oracle (oci8)
* Greatly enhanced support for PostgreSQL
* Improved installation and admin utilities (system check, tools)
* Mechanism to prevent concurrent updates to the same issue
* Detailed filters hidden by default
* Improved XmlImportExport core plugin
* Bigger e-mail and realname fields
* Improved documentation, migrated to Publican
* Improved email notifications when an issue is unassigned or re-assigned
* Support attaching files while adding a note + attaching multiple files with same name
* Added new log level LOG_EMAIL_VERBOSE.
* Extensibility, add more events
- Security fixes:
* CVE-2016-5364: Reflected XSS inside
manage_custom_field_edit_page.php [boo#984334]
* Cannot change password in second enter to verification page
* bugnote actions in view bug page should send data as POST
* CVE-2014-9759: SOAP API can be used to disclose confidential settings
* CVE-2014-9572: Improper Access Control in install.php
* CVE-2014-9571: XSS in install.php
* CVE-2015-1042: URL redirection issue
* CVE-2014-9573: SQL Injection in manage_user_page.php
* PHP remote code execution in install.php
* CVE-2014-9701: XSS vulnerability in permalink_page.php
* Registrations by bots via captcha exploit
* Support Content-Security-Policy (CSP) per W3C specification
* install.php: do not send the value of crypto_master_salt over http
* Redirect user to change password if logged in with default admin password
* plugins directory must be secured/fixed
* Provide additional random number generators
* allow_reporter_reopen lets reporter make any update, not just reopen
* Add support for Strict-Transport-Security header
* Improve random number generation with openssl_random_pseudo_bytes
* Do not allow to send a reminder on a private issue to users under threshold
* Remove input side XSS validation of user real names
* When user reports an issue, the unpermitted project can be selected
* Remove all inline JavaScript from MantisBT (use external scripts instead)
- Deprecated Features:
* Custom Functions in favor of Plugins
* DB2 support – removed in 2.0.x
* News feature – already deprecated
* Time tracking – already deprecated
* Project Docs – already deprecated
* Sponsorships – already deprecated
- Removed Features:
* Built-in source code integration support
* FTP for attachments
* Removed nusoap in favor of native php soap extension
* Removed feature extended project browser
-------------------------------------------------------------------
Mon Feb 23 11:39:33 UTC 2015 - astieger@suse.com
- MantisBT 1.2.19:
This release resolves 5 security issues and fixes 2 regressions
introduced in 1.2.18.
* [security] CVE-2014-9573: SQL Injection in manage_user_page.php
* [security] CVE-2014-9624: CAPTCHA bypass is way easier than it should be
* [security] CVE-2015-1042: URL redirection issue
* [security] CVE-2014-9571: XSS in install.php
* [security] CVE-2014-9572: Improper Access Control in install.php
* [bugtracker] Reporting an issue gives: 'Invalid argument supplied for foreach()' in '/opt/mantisbt-1.2.18/core/gpc_api.php' line 259
* [email] Order of notes in email notifications seem to be based on user who triggered the action
* [bugtracker] Fix handling of due dates
* [administration] Installer UI tweaks
* [bugtracker] Sort bug notes by date, not by ID
* [authentication] User creation with captcha broken by fix for issue 0017811
- includes changes from MantisBT 1.2.18:
This release resolves 23 security-related bugs and vulnerabilities:
* 7 Cross-Site Scripting (XSS) issues
* 2 Code injection issues
* 2 SQL injection (XSS) issues
* 5 Information disclosure issues
- 7 Other security issues
* [security] CVE-2014-8986: adm_config_report.php filtering does not check config option is valid
* [security] CVE-2014-9117: CAPTCHA bypass
* [security] CVE-2014-9089: SQL injection in view_all_set.php
* [security] Multiple vulnerabilities in MantisBT
* [security] CVE-2014-9279: Db Credentials leak via unattended upgrade script
* [security] CVE-2014-9281: Reflected XSS in admin panel / copy_field.php
* [security] CVE-2014-9271: Persistent XSS in file uploads/attachments
* [security] CVE-2014-9280: PHP Object Injection in filter API
* [security] CVE-2014-9272: XSS in string_insert_hrefs allows script execution
* [security] CVE-2014-6316: URL redirection issue
* [security] Emails on relations is send to people who cannot see the related issue
* [security] CVE-2014-8553: SOAP API: leak of user personal information
* [security] Login_page.php: Ensure username is valid
* [security] CVE-2014-6387: Null byte poisoning in LDAP authentication
* [security] CVE-2014-8988: Attachments can be downloaded without permission
* [security] Prevent unauthorized users setting handler when reporting issue
* [other] Incorrect $specific_where
* [documentation] Code allows display of Resolution and Status in bug report page, but doc says it's not allowed
* [code cleanup] Use of deprecated PREG_REPLACE_EVAL ('e') pattern modifier
* [attachments] Warning in bug report when attachments are disabled
* [attachments] Debug output displayed when adding files
* [bugtracker] proj_doc_update.php on document update crashes if new file is not uploaded
* [bugtracker] Missing error param when updating project doc
* [filters] Column summary of the free text search is not prefixed by table (filter_api)
* [bugtracker] Default profile doesn't work
* [security] No Errors shown at all if error_reporting=0 configured at server
* [bugtracker] Invalid category check is not made
* [news] News section shouldn't show in permissions report when feature is disabled
* [api soap] Handler can be set without having appropriate access rights
* [db mssql] Graph « Cumulative by date » is not displayed in Summary > Advanced Summary
* [migration] Import plugins should be able to set last_updated field to a date in the past
* [bugtracker] Issue history show date submitted and last updated as integers rather than dates
* [bugtracker] New BugData object due_date should be blank
* [plug-ins] XML import plugin only replaces links in 'description'
* [security] CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin
* [security] Attachments displayed in history despite user not authorised to view them
* [api soap] mc_issue_update() email notification doesn't include added notes
* [security] CVE-2014-8598: XML plugin should restrict ability to import data
* [api soap] CVE-2014-8554: SQL injection in SOAP API
* [security] CVE-2014-9269: XSS in extended project browser
* [security] CVE-2014-8987: XSS in adm_config_report.php
* [security] CVE-2014-9270: Stored XSS in Mantis
* [email] Disposable library triggers PHP STRICT warnings
* [news] Not possible to set 'announcement' flag when editing News
- Fix XSS in adm_config_report.php
- mantisbt-1.2.19-CVE-2015-2046.patch CVE-2015-2046 [boo#919035]
-------------------------------------------------------------------
Wed Oct 8 18:37:57 UTC 2014 - andreas.stieger@gmx.de
- MantisBT 1.2.17:
* undefined function db_params() in core/news_api.php
* The bug_get_bugnote_count() function in the bug API always
returns 0
* duplicate "<a " tag
* [security] CVE-2014-2238: SQL injection vulnerability in
adm_config_report.php
- includes changes from 1.2.26, including:
[security] CVE-2014-1609: SQL injection vulnerabilities
* [security] CVE-2014-1608: soap:Envelope SQL injection attack
* [security] When $g_limit_reporters = ON; it is still possible
to change reporter
* [security] CVE-2013-4460: XSS in account_sponsor_page.php
project names
* For a full list, see
http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.16
- clean up spec file
- verify source signature
-------------------------------------------------------------------
Thu Aug 8 21:01:23 UTC 2013 - robert.munteanu@gmail.com
- Rename changes file to package name
- Do not package the root directory in both main and -install
package
- Update summary and description
- Do not package build and test files
- Corrected license name
-------------------------------------------------------------------
Fri Oct 7 21:38:44 UTC 2011 - mrdocs@opensuse.org
-Update to 1.2.8
+numerous bugfxes and security updates
- Versioned changelogs 1.2.4 - 1.2.8:
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=139
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=138
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=137
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=114
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=133
- renamed spec file to eliminate rpmlint warning
-------------------------------------------------------------------
Wed Jan 12 16:25:22 UTC 2011 - nix@opensuse.org
- Update to version 1.2.4
- Delete useless .gitignore
- Disable rpmlint check for zero length *.html files
- change file ownership to root instead of apache!!
-------------------------------------------------------------------
Fri Jun 11 15:09:58 UTC 2010 - rpms@ilmi.fi - 1.2.1
- Update to version 1.2.1
-------------------------------------------------------------------
Mon Mar 8 15:09:58 UTC 2010 - nix@opensuse.org
- Update to version 1.2.0
- Migrate changelog to changes file
-------------------------------------------------------------------
* Mon Dec 08 2008 Tuukka Pasanen <rpms@ilmi.fi> - 1.1.5
- New version 1.1.5.
- Name changed
- Directories added
* Wed Jun 25 2008 Tuukka Pasanen <rpms@ilmi.fi> - 1.1.2
- New version 1.1.2
* Wed Jan 16 2008 Tuukka Pasanen <rpms@ilmi.fi> - 1.1.0
- Separate Admin package.
* Tue Jul 10 2007 Tuukka Pasanen <rpms@ilmi.fi> - 1.0.8
- New version 1.0.8
* Wed Feb 28 2007 Tuukka Pasanen <rpms@ilmi.fi> - 1.0
- Initial build
