File mantisbt.changes of Package mantisbt

-------------------------------------------------------------------
Mon Nov 17 14:10:09 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>

Maintenance and security release addressing 4 vulnerabilities, fixing
several bugs and including a few minor improvements.

- Upgrade to 2.27.3
  * administration
    - Most Admin Checks are disabled in 2.27.2 #0036619
    - PHP Fatal error in Admin Checks of custom fields #0036620

- Upgrade to 2.27.2
  * administration
    - Error editing categories with PostgreSQL: APPLICATION ERROR 401 #0036263
    - Hardcoded role instead of config in access level check on Manage
    Columns page #0036515
    - Impossible to delete a global config defined in the database #0036164
    - Updating a global config yields incorrect error message #0035915
  * api rest
    - can't change issue category to "no category" via rest api #0035668
    - REST API GET /filters throws deprecation warning on PHP 8.1 #0035852
  * attachments
    - Uploading a file when $g_antispam_max_event_count has been reached
    causes Dropzone to display HTML code #0036303
    - When dropzone file upload finishes, progress bar keeps spinning #0036353
  * authentication
    - CVE-2025-47776: Authentication bypass for some passwords due to PHP
    type juggling #0035967
  * bugtracker
    - Ability to change the default project of a user #0036503
    - Collapsed status for "Users monitoring" section is not persisted #0036269
    - Deleted notes not showing in bug history #0036257
    - Introduce a maximum PHP version #0036540
    - When editing a bugnote, a newline is appended to the text #0036542
  * code cleanup
    - Custom Field admin checks refactoring #0036535
  * db schema
    - Update ADOdb to 5.22.10 #0035906
  * feature
    - Search with collapsed filter section expands it #0036265
  * other
    - Access Denied page returns HTTP status 200 #0036512
  * security
    - CVE-2025-46556: Denial-of-Service #0035893
    - CVE-2025-55155: Lack of verification when changing a user's email
    address #0036005
    - CVE-2025-62520: Ability to copy private project configurations #0036502
  * tools
    - PHPUnit assertObjectHasAttribute() method is deprecated #0035854
    - PHPUnit tests RestFiltersTest fail when anonymous access is disabled
    #0035853
  * ui
    - Incorrect positioning of "View Issue Details" when recalled from
    "Direct link to note" #0021675

-------------------------------------------------------------------
Fri Jun 27 06:23:59 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- Upgrade to mantisbt 2.27.1
  * administration
    - Admin check for Graphviz tools broken on Windows #0034917
    - Constant error 500 after deleting user option on adm_config_report.php
    page. #0035064
    - Error when creating global profiles #0034854
    - In manage_proj_edit_page.php, the "Project" popup at the top of the
    window is ignored #0006264
    - t_admin_dir_is_accessible check is wrong #0034503
  * api rest
    - REST API fail external authentication #0035233
  * api soap
    - Due date is deleted when the caller has no permission to modify
    it #0034959
  * authentication
    - Deprecation warning in Securimage captcha with PHP 8.2 #0035302
  * bugtracker
    - Issue's last updated date is not modified when a note is deleted #0035432
    - Schema: Release marker missing #0034813
  * code cleanup
    - Calling gpc_get_int() with null default throws deprecation warning on
    PHP 8.1 #0035428
  * db mysql
    - MySQL version 9.0 and 9.1 are not defined in Admin Checks #0034887
  * db postgresql
    - Postgresql Error - db_stats.php - relation "sql_parts" does not exist
    #0035248
    - PostgreSQL versions 16 and 17 are not defined in Admin Checks #0034916
  * db schema
    - Update ADOdb to 5.22.8 #0035257
  * documentation
    - Improve documentation for $g_phpMailer_method #0035307
  * email
    - Update PHPMailer to 6.9.3 #0034845
  * filters
    - Could not use plugins filters with "Permalink" #0035179
    - Filters including date custom fields don't work on PHP 8.0 #0035291
  * html
    - Incorrect absolute URL in the tab menu #0035322
    - The avatar.png is a big JPEG actually #0035403
    - The MantisBT web interface must pass HTML validation #0035180
  * installation
    - Checking URL to installation is failing #0034783
    - tokenizer php module is required, but not checked for and not documented
    as such #0035011
    - When installing on mysql with log queries, SET NAMES=UTF8 is not
    logged #0035431
  * localization
    - 'en-gb' language is not defined warning for Gravatar plugin #0035262
  * other
    - HTTP response code not set on errors when using FastCGI #0034828
  * performance
    - Caching language loading can be more efficient. #0035198
    - Improvement of the file_get_mime_type() function #0035199
  * plug-ins
    - An invalid plugin can cause errors in other plugins' files #0035209
    - Unknown named parameter $bug_id #0035255
  * preferences
    - Error when clearing default profile #0034826
  * printing
    - Printed reports on the page in "doc" format include javascript from
    the server #0035314
  * reports
    - The GraphViz tool is almost impossible to customise for Windows #0035039
  * rss
    - RSS Builder PHP deprecation warnings on PHP 8.1+ #0035312
  * tools
    - Continuous Integration: moving off TravisCI #0027960
  * ui
    - Inactive buttons of project navigation bar are not clickable #0035493
    - Incorrect styling of Plugin Filter Fields #0035471
    - Plug-in listing error during the language test process. #0035200
    - Username does not fit in navbar user menu #0023593

-------------------------------------------------------------------
Mon Oct 21 10:16:28 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- Improved packaging

- Upgrade to mantisbt 2.27.0
  * administration
    - Add failed_login_count to user information #0026797
    - Add OS information to Site Information page #0034139
    - Incorrect Workflow Graph display if the status name contains a space #0034607
    - Redundant config settings $g_dot_tool and $g_neato_tool #0034609
    - Switch back from manage_user_edit_page to view_user_page #0027004
    - Workflow Graph display is difficult to read #0034608
  * api rest
    - Update Guzzle to 7.9.2 #0033421
  * attachments
    - Improve display of file upload error messages #0034464
    - Open attachment in a new tab/window #0027551
  * bugtracker
    - Allow disabling Categories #0031017
    - Include additional details on Generic error message #0034613
    - Use config API to access allow_browser_cache #0033482
  * code cleanup
    - Modernizing Tests #0034379
    - Move timeline_inc.php from core to root directory #0033914
    - Refactoring and cleaning up includes #0034468
    - Refactoring GraphViz API and Workflow Graph #0034614
    - Refactor mc_project_api.php #0033774
    - Remove deprecated and incorrect usage of Pragma: no-cache header #0033007
  * documentation
    - Admin Guide "Page Descriptions" pages have CR/LF problems #0010289
    - Clearer email queue guidance in Admin Guide #0034498
  * email
    - Update PHPMailer to 6.9.1 #0033350
  * html
    - Wrong function used to format bug id #0034455
    - Wrong rendering of custom field names #0034463
  * installation
    - Increase minimum PHP requirement to 7.4 #0032808
  * markdown
    - $g_html_valid_tags are not rendered if Markdown is enabled #0024241
    - Add syntax highlighting to markdown codeblocks #0034124
    - Don't expand issue ids into URLs within code blocks #0022320
    - Double quotes " and lesser than sign < are shown as HTML entity within
    Markdown code blocks #0024628
    - Fix unit tests for markdown #0022231
    - Increase spacing before ``` blocks #0022485
    - Mantis issue links displayed as raw HTML in code block #0023738
    - Markdown converts " to &quot; within code blocks and inline code #0022315
    - Markdown different rendering between inline code #0022181
    - Markdown links/code always show HTML entities for Ampersand and
    Less-than sign #0024810
    - Markdown processing code cleanup #0034040
    - Update Parsedown library to 1.7.4 #0034415
  * other
    - Columns are offered in columns list without having access rights to them #0034454
    - Update HTML Purifier to 4.17.0 #0033373
  * performance
    - Enhance performance of bug note formatting #0034456
    - MantisGraph: inefficient calculation of data sets for Issue Trends graph #0034042
  * plug-ins
    - Project graph missing within MantisGraph #0033521
  * reports
    - Allow HTML-like labels in relationship graphs #0034611
    - MantisGraph: last resolved issue not computed in Issue Trends graph #0034041
    - Poor error handling in relationship graphs generation #0034610
  * tools
    - Enable Xdebug to facilitate PHPUnit tests troubleshooting #0033755
    - Travis: switch to focal distribution for builds #0033623
    - Upgrade to PHPUnit 9.6 and adapt test suite #0033098
  * ui
    - Error messages with newlines display <br> on CLI #0034612
    - File attachment previews #0034467
    - Incorrect CSS class on Time Zone select field in Preferences page #0034616
    - Missing tooltip for bugnotes_count column #0034459
    - Move buttons to Edit User section footer in Manage User Page #0033842

-------------------------------------------------------------------
Fri Jul 19 13:32:58 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- Upgrade to mantisbt 2.26.2
  * api rest
    - Adding issue note with REST API returns HTTP 500 when given view_state is invalid #0034348
    - REST API error reports incorrect field "version" when updating fixed
      in / target version with invalid value #0034410
    - REST API: "String not found" warning when adding note with invalid view_state #0034359
  * bugtracker
    - Failed opening core.php in timeline_inc.php on PHP 8.2 / IIS #0033906
    - Issue note links don't reflect if issue is resolved #0034435
    - Proceed button is shown twice when redirecting with pending errors #0034404
    - Target Version does not respect GET or POST value when reporting issue #0012956
  * code cleanup
    - Deprecated creation of dynamic properties in BugData class #0034106
    - Deprecated warning when updating Issue with null checkbox Custom
      Field #0034439
    - MantisGraph: fix deprecated warnings in javascript #0034006
  * documentation
    - MantisGraph: document usage of EVENT_MANTISGRAPH_SUBMENU #0034008
  * excel
    - Excel error when opening exported issues with custom field with special characters #0034441
  * filters
    - Filter "assigned to" and "monitor by" shows <br /> between the users
      when selecting multiple #0034018
  * html
    - Incorrect handling of HTML hexadecimal character references &#xNNN; #0034393
  * other
    - Internal server error on view_user_page #0034399
  * security
    - CVE-2024-34077: Account Takeover in Password Reset and Account
      Registration Feature #0034433
    - CVE-2024-34080: Don't hyperlink references to notes whose issues are
      not accessible to user #0034434
    - CVE-2024-34081: Unsanitised custom field names printed #0034432
    - Update corejs-typeahead.js library to 1.3.4 #0034417

- Upgrade to mantisbt 2.26.1
  * administration
    - Creating a Configuration Option with complex array fails when number is negative #0033588
  * api rest
    - No endpoints working on Windows server with PHP 8.1+ #0033173
    - Updating an Issue through the API sets all comments last edit timestamp #0033402
    - Updating an issue with bugnote having empty text causes PHP errors #0033422
  * authentication
    - User not authenticated when following link from notification email #0033426
  * authorization
    - Unable to grant user access to private issue by adding them as a monitoring user #0033404
  * bugtracker
    - Blank page when redirecting with print_successful_redirect() #0033480
  * code cleanup
    - Uncaught exception in installer #0033631
  * custom fields
    - APPLICATION ERROR 2800 Invalid form security token when trying to delete custom field #0033248
    - Custom fields are showing when resolving issues form despite not checking the option #0033358
  * db mssql
    - SQL error opening Manage Users page with MSSQL #0033372
  * db schema
    - Update ADOdb to 5.22.7 #0033171
  * documentation
    - Document PHP ctype extension as required #0033418
  * installation
    - Errors on browser console when installing #0033756
    - Install: reset buttons for table prefix/suffix not working at stage 2 #0033773
    - MySQL Native Driver #0033519
  * other
    - Erratic behavior of RestProjectVersionTest::testProjectUpdateVersion PHPUnit test case #0033374
  * rss
    - Error in creating RSS when there are no issues to publish #0033634
  * security
    - CVE-2024-23830: Host header attack vulnerability #0019381
  * ui
    - Missing space between "*" and label for required fields on bug report page #0033481
    - Overflowing text issue on sidebar menu #0033651

-------------------------------------------------------------------
Fri Nov 10 09:34:47 UTC 2023 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- Feature and maintenance release. Dropping support for PHP 7.1 and older; the
  earliest supported PHP version is now 7.2.5. New configuration options were
  added to control access to Export and Print Report features (see #0022224). The
  default value for the latter was set to UPDATER for security reasons (see
  #0025492); to restore earlier behavior, administrators should set
  $g_print_reports_threshold = VIEWER;.

  * administration
    - Add admin check to detect users without e-mail address when allow_empty_email = OFF #0032940
    - "Copy Categories From" copies global categories #0030812
    - Detect invalid HTML in language strings #0030447
    - Disallow setting logging options in database #0032926
    - Do not buffer output for CLI scripts #0028963
    - Facilitate identification of user accounts sharing the same email #0032787
    - Filter settings are not available on "Workflow Thresholds" page #0029269
    - Improve handling of project assignment in manage_user_edit_page.php #0028122
    - Inconsistent use of hyperlink instead of button to edit Custom Fields
    in Edit Project page #0028557
    - Incorrect filtering of users on Manage Project / Accounts #0028606
    - Language checks should warn about languages not defined in config
    #0029026
    - Not able to update existing user accounts if $g_email_ensure_unique == ON #0020647
    - Outdated PostgreSQL version information in Admin Checks #0028528
    - PHP errors triggered by Admin Checks cause silent failure #0033010
    - Project Edit Page improvements #0030551
    - Undefined constant ERROR_VERSION_NO_ACTION and missing matching error message #0028562
    - Using MySQL 8.0 gives warning in admin checks #0028525
    - Utility to copy attachments from File to Database #0004993
  * api rest
    - Add REST API for setting config options that are settable via database #0032258
    - Allow REST API to run on PHP 8.1 without squelching E_DEPRECATED notices #0032866
    - Can not get userid from another user with REST API #0027128
    - change username via rest api #0027130
    - Deleting a user should revoke #0032246
    - Get Project Issues returns html if user doesn't have access to project #0032249
    - Get Project REST API returns html if user doesn't have access #0032248
    - Missing PHPUnit tests for Projects REST API endpoints #0032864
    - REST and SOAP APIs fail to report that Mantis is offline #0033023
    - REST API: Add API to Get / Delete / Update versions #0030415
    - REST API Create Project API requires administrator rather than
      create_project_threshold #0032237
    - REST API Create Project doesn't trigger EVENT_MANAGE_PROJECT_CREATE
      plugin event #0032236
    - REST API: Create Project User #0032466
    - REST API: Delete Project User #0032467
    - REST API errors when attempting to add or delete issue relationships #0032835
    - REST API for creating API tokens for users #0032245
    - REST API for deleting API token #0032247
    - REST API: Project Add API to return information about added version #0032445
    - REST API: Support Get User By ID #0032356
    - REST API: Support impersonation of users #0032469
    - REST API: Support select for fields to return when getting user info #0032357
    - REST API unit test incorrectly failing with anonymous user #0032804
    - REST API: Update Project User #0032468
    - REST API: User Update API #0032465
    - Status codes returned by REST API delete operations are not consistent #0032858
    - Support retrieving users with specified access level to a project #0022791
    - Support selecting which fields to retrieve for an issue #0032331
    - To move a user to disabled #0024757
    - Update Guzzle to 7.8.0 #0032807
    - Update postman collection #0030908
    - Update Slim Framework to 3.12.5 #0033018
  * api soap
    - phpunit FilterTest fail if there are more than 50 issues in the tracker #0017121
    - PHPUnit SOAP API tests trigger syntax error when extension is not loaded #0032814
    - SOAP API Create Project API requires administrator rather than create_project_threshold #0032234
    - SOAP API Create Project doesn't trigger EVENT_MANAGE_PROJECT_CREATE plugin event #0032235
    - SOAP API mc_project_get_users doesn't enforce access check #0030907
  * attachments
    - Show issue attachments along with issue header information #0028965
  * authentication
    - Login redirection to plugin credentials page for non-existent user #0029517
  * bugtracker
    - Access Restrictions to "Print Reports", "CSV Export", "Excel Export"
      in view all bugs page #0022224
    - collapse_settings cookie is hardcoded #0029616
    - Cookies "SameSite" attribute triggers warnings in Firefox console #0029611
    - Incorrect use of mb_strimwidth() to truncate old/new values in history API #0032385
    - Issues should have canonical meta tag #0031833
    - "Operation successful." message page slows down interaction #0005189
    - PHP 8.2 support #0032027
    - print_form_button() generates bad security token name for plugin action page #0028533
  * change log
    - Changelog/Roadmap items are printed without any structure #0030192
  * code cleanup
    - Avatar::get() returns Avatar instance, but phpdoc indicates it returns array #0032978
    - Calling user_get_field() with non-existing user throws incorrect warning #0028119
    - Create ProjectAddCommand #0032231
    - Create ProjectDeleteCommand #0032232
    - Create ProjectUpdateCommand #0032238
    - Duplicated code in email API #0032382
    - Implement UserUpdateCommand #0032464
    - Invalid HTML in manage_user_edit_page.php #0028114
    - Remove deprecated function db_prepare_string() #0032704
    - Remove function check_php_version() #0032714
    - Remove PHP < 5.4 compatibility code from
    user_get_all_accessible_projects() #0028830
    - Remove unnecessary check on Version Id #0032831
    - Remove version_cache_row()'s 2nd parameter #0032832
    - Removing unused CUSTOM_FIELD_TYPE_xxx constants #0030278
    - Unneeded PHP version checks #0032901
    - Use range() function instead of string increment #0032735
  * db mssql
    - APPLICATION ERROR 0000401 / Error MSSQL 4145 when view all bugs for 1000 projects or more #0028902
    - Impossible to insert child records with ADOdb 5.21.0 on mssql #0028068
  * db mysql
    - Problem in the download process #0033031
  * db postgresql
    - PHP notices leading to unusable system with ADOdb 5.21.0 on pgsql #0028069
  * db schema
    - Update ADOdb to 5.22.5 #0032028
  * documentation
    - Admin Guide lists incorrect/incomplete/obsolete required PHP extensions #0027793
    - Developers Guide PHPUnit section is out of date #0032806
    - Development Guide - Chapter 4. Plugin System - Errors in text #0021657
    - Documentation: Hooking events declared by other plugins #0032504
    - Duplicated REST API endpoint GET /issues in Postman documentation #0033003
    - Mantis version visible in REST API request headers even when
      $g_show_version is OFF #0033017
    - Using Docker to build Documentation #0031993
  * email
    - Missing In-Reply-To header in new bugnote email notification #0032038
    - monitor receives no mails if he is not project member #0029454
    - Support for sending emails with CC and/or BCC #0029583
    - Unable to set the In-Reply-To header to a domain different from the
      current one #0029585
    - Update PHPMailer to 6.8.0 #0029025
  * filters
    - Filtering on "projection" field is missing #0032726
    - Saving a filter triggers deprecated warning on PHP 8.2 #0032734
  * html
    - Closing </div> tag missing in sign up page #0024621
    - Invalid 'literal' tag used in MantisCoreFormatting language strings #0030283
  * installation
    - admin/check.php script says upload_max_size but actually checks
      upload_max_filesize #0030428
    - Drop support for PHP 5.x #0025956
    - Increase minimum PHP requirement to 7.2.5 #0027840
    - MSSQL blocking error during installation. #0029511
  * javascript
    - list.js library causing CSP violation in manage_proj_edit_page.php
    #0030490
    - list.js navigation buttons scrolling to top of page #0030494
  * ldap
    - Can't set a custom field for ldap email #0029230
  * localization
    - Incorrectly configured saraiki language #0028861
    - Incorrectly configured serbo-croatian #0028860
    - Missing language codes in browser's auto map #0028668
    - New Hindi Language Translation #0028648
    - String optimizations for English language #0028905
    - Translation in Espéranto #0008664
  * markdown
    - Markdown markup should be done with CSS classes, not inline styles #0022190
  * other
    - function gpc_set_cookie() ignores $p_httponly argument #0029027
  * performance
    - Improve performance of user_pref_clear_invalid_project_default() #0028120
    - Issue view page timeouts or inefficient for issues with large number
      of notes and attachments #0032244
    - Only load dynamic CSS status_config.php when necessary #0030773
  * plug-ins
    - Event on access level modifications #0026998
    - Hook for Custom field on bug_change_status_page #0031666
    - Unknown named parameter $files #0033058
  * relationships
    - Wrong html syntax #0029903
  * security
    - Printing #0025492
    - Use PHP random_bytes() instead of our custom
    crypto_generate_random_string function #0032900
  * tagging
    - Wrong display of tag filter #0032811
  * tools
    - Enable PHP 8.1 builds on Travis-CI #0029882
    - Error when executing the complete PHPUnit test suite with AllTests.php
    #0032815
    - New build script to download updated font files #0028964
    - Refactor and improve output of 'test_langs.php' admin script #0027383
    - TravisCI ' /usr/sbin/sendmail: not found' error after successful test execution #0032828
    - Upgrade to PHPUnit 8.5 and adapt test suite #0032810
    - Use phpunit.xml to define Test Suites #0032816
  * ui
    - Add hash to MantisBT CSS files to force browser cache update #0026148
    - Bugnotes links tilde ' ~' sign rendered as dash '-' in View page #0022109
    - Buttons' vertical size is slightly smaller than other form elements #0030550
    - Long unbreakable text does not auto wrap in bug details page #0027114
    - Manage Project Edit page should redirect to relevant section after updates #0030435
    - Move Delete buttons into main form #0027274
    - "pinning" an issue calls for not CSS code in view_all_inc.php #0031944
    - progress bar on the title bar #0028182
    - Regroup the 2 Subprojects sections on Manage Project Edit page #0030423
    - Removing vertical lines in tabular presentation to reduce clutter #0028826
    - Text Custom Field columns should be left-aligned #0030279
    - Visually align the 1st column's width in manage_user_proj_delete.php #0028124
  * upgrade
    - Improve handling of unserialize->json conversion during upgrade #0028918
  * wiki
    - Support for WackoWiki #0022371

-------------------------------------------------------------------
Tue Apr 25 09:28:09 UTC 2023 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.25.7

  * bugtracker
    - Ampersand in $g_search_title prevents adding search engine #0032076
    - Getting Undefined index: target_version when viewing bug #0032353
    - IssueViewPageCommand.php line 135: 'Undefined array key "version"
      with php 8.1.16 #0032086
  * email
    - new PHPMailer() is created for every outgoing email #0030127
  * performance
    - access_project_array_filter can lead to many SQL requests #0032131
  * plug-ins
    - EVENT_LOG can produce stack overflow when LOG_DATABASE is enabled #0032243

- MantisBT 2.25.6

Security and maintenance release addressing an information disclosure issue
(CVE-2023-22476), with thanks to d3vpoo1 for identifying and responsibly
reporting it, as well as a vulnerability in bundled moment.js library
(CVE-2022-31129). This release also resolves over 20 issues including several 
PHP 8.x compatibility fixes.

All installations are strongly advised to upgrade as soon as possible.

  * api rest
    - Update Slim Framework to 3.12.4 #0030841
  * bugtracker
    - Browser extensions may trigger automatic bug monitoring #0030922
    - config_flush_cache() doesn't clean the eval cache for individual
      options #0030793
    - Date conversion fails when editing a project version using a non-US
      date format #0031836
    - Product Version / Target Version - Date missing #0031889
    - Remove "sponsorship_total" from columns default #0032037
  * code cleanup
    - PHP 8.1 deprecated warnings #0031712
  * documentation
    - Missing columns on $g_view_issues_page_columns documentation #0022238
  * installation
    - Creation of dynamic properties is deprecated in PHP 8.2 #0031943
  * ldap
    - Deprecated conversion of false to array in ldap_api.php with PHP
      8.1 #0030790
    - Editing user with use_ldap_email = ON empties email address #0024720
    - Poor error handling when $g_login_method = LDAP and PHP extension
      missing #0030771
  * markdown
    - URLs should only be converted to links when process_url is ON #0030918
  * other
    - Upcoming incompatibility with PHP 8.2, "Deprecate ${} string
      interpolation" RFC #0030429
  * plug-ins
    - XML import: Undefined property warning when importing bug notes #0031876
  * reports
    - Graphviz logs syntax error in line xx near ';' #0031827
  * security
    - Allow adding relation type noopener/noreferrer to outgoing links #0030791
    - CVE-2023-22476: Private issue summary disclosure #0031086
    - Update moment.js to 2.29.4 #0030772
  * signup
    - Captcha audio not working #0030814
    - Captcha image not showing on PHP 8.1 #0030794
  * tagging
    - Undefined constants TAG_NOT_ATTACHED + TAG_ALREADY_ATTACHED in
      tag_api.php #0031159
  * ui
    - Status color boxes shown in black on bug_relationship_graph.php #0031829
    - unreachable submit button #0030835
  * upgrade
    - Scalar typehint is not supported in PHP 5.x #0030777

-------------------------------------------------------------------
Sun Nov  6 06:46:50 UTC 2022 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.25.5
  Security and maintenance release

  * security
    - CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection
    - CVE-2022-33910: Stored XSS via SVG file upload
    - Wrong bugnote_user_edit_threshold value used when checking
      permissions to edit bugnote
    - Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8

  * authorization
    - APPLICATION ERROR #13 (access denied) while creating new user when
      threshold configured as MANAGER in administration interface
    - Update issue icon on "My View" page is displayed even without having
      appropriate access rights
    - Update issue icon on "View Issues" page is displayed even without
      having appropriate access rights

  * bugtracker
    - Errors trying to load moment.js library from CDN
    - $g_path incorrectly set in config_defaults_inc.php on PHP 5.6
    - PHP 5.6 support broken

  * filters
    - Create Permalink - special characters handling

  * installation
    - Javascript error in browser console when upgrading
    - Installer's Oracle-specific warning regarding identifiers' length
      is shown initially for MySQL

  * db-mssql
    - APPLICATION ERROR 401 Database query failed. Error received from
      database was #-52: SQLState: IMSSP

  * documentation
    - Impossibility of deleting attachment with form security validation
      turned on

-------------------------------------------------------------------
Wed Apr 20 07:20:50 UTC 2022 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.25.3
  Security and maintenance release

  * security
    - CVE-2021-43257: CSV Injection with CSV Export Feature #0029130
    - CVE-2022-26144: XSS in manage_plugin_page.php and
      manage_plugin_uninstall.php #0029688
    - Update ADOdb to 5.20.21 #0029485
    - Update guzzlehttp/psr7 to 1.8.5 #0029848
    - Update moment.js to 2.29.2 #0029849

  * api rest
    - Slim Application Error when RestFault generated #0028927
  * api soap
    - SOAP call mc_project_get_id_from_name fails when there is no matching 
      project in PHP 7.2 #0029034
  * attachments
    - Adding an attachment with a long filename causes "Data too long for 
      column 'filename'" application error #0029144
  * bugtracker
    - Constant FILTER_SANITIZE_STRING is deprecated #0029845
    - 'format_issue_summary' custom function not called from View Issue 
      Details page #0029181
    - Passing null to parameter of type XXX is deprecated #0029846
  * custom fields
    - APPLICATION ERROR 1300 Custom field not found with case-sensitive 
      database #0029413
  * installation
    - Unable to install #0029462
  * ui
    - Missing closing div tag causes incorrect page footer display #0029416

-------------------------------------------------------------------
Mon Jun 21 07:13:28 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.25.2
  * CVE-2021-33557: XSS in manage_custom_field_edit_page.php
  * PHP 8: "Bad Request" error on custom field filters
  * Update PHPMailer to 6.5.0

-------------------------------------------------------------------
Thu May 20 06:31:27 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.25.1
  * administration
    - Error removing project #0028106
  * plug-ins
    - Bundled plugins 2.25.0: incorrect Mantis requirement #0028076
  * security
    - Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) #0028530
  * ui
    - Incorrect spacing between icon and text on manage_user_edit_page.php 
      #0028112
    - Labels for email notifications in User Prefs page appear in bold 
      #0028084
    - Project Edit Page does not display check boxes #0028082
    - Unsightly vertical offset of the "Update Prefs" and "Reset Prefs" 
      buttons. #0028080

-------------------------------------------------------------------
Mon Mar  8 14:33:08 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.25.0
  This feature and maintenance release contains over 100 fixes and
  enhancements; among many other things, it improves PHP 8 compatibility, LDAP
  authentication and invalid plugins management. It also includes a schema
  change, so do not forget to upgrade the database as documented in the Admin
  Guide.
  Please note that this will be the last release supporting PHP 5;

  * administration
    - "Add Version" without entering a version number outputs "Operation 
      successful" though no version has actually been added #0027994
    - Attachment settings not available on "Workflow Thresholds" page 
      #0026892
    - Issue revision settings not available on "Workflow Thresholds" page 
      #0027817
    - Manage user page table footer is displayed even when empty #0027387
    - Misleading e-mail notification following password reset by admin 
      #0026884
    - PHP warning in config_get_global #0026798
    - Some config options can be set in database, but should be 
      configurable just in config_inc.php #0027884
    - SQL syntax error on manage_user_page #0027117
    - Sticky setting not available on "Workflow Thresholds" page #0027463
    - When deleting a project, there should be information of how many (if 
      any) issues are affected #0027768
  * api rest
    - /config REST API endpoint reports users as not found when they exist 
      #0026891
    - Errors in API documentation #0026481
    - Incorrect documentation for tags #0027969
    - REST API update issue triggers errors if payload is empty #0027973
    - Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5 #0026919
  * api soap
    - mc_issue_update() throws system warning when Project not specified in 
      IssueData #0027981
  * attachments
    - Improve pop-up description for file icons #0027827
  * authentication
    - Username regex is too strict by default #0026811
  * authorization
    - reporter allowed to close #0026920
  * bugtracker
    - Admin check always has "WARN" for magic_quotes checks (PHP 7.4) 
      #0026964
    - Allow printing of standard confirmation alerts without buttons 
      #0027242
    - bugnote_clear_cache() does not work properly #0027217
    - clickable summaries in view issues page #0008066
    - It is not possible to clear the Default Profile #0027257
    - Profile-related operations lack confirmations #0027259
    - Refactor Profiles management pages to display a list of records 
      #0027256
    - Standardize on IEEE 1541 units (KiB, MiB) for file sizes #0027700
    - Update securimage to 3.6.8 #0027155
  * change log
    - No hyperlinks in Changelog and Roadmap release notes #0027839
  * code cleanup
    - Code cleanup around User/Global Profiles #0027258
    - Convert Project and User Pref APIs to use DbQuery class #0027145
    - Data integrity: ensure users' default_project preference is a valid 
      project #0027144
    - Error handlers use deprecated context parameter #0027703
    - Implement ConfigsGetCommand and use from REST API #0026889
    - Implement LocalizedStringsGetCommand and use from REST API #0026890
    - Move release scripts to main repository #0026903
    - New API function to get User Id by cookie string #0028002
    - PHP notice in manage_user_edit_page.php when given invalid user id 
      #0027573
    - Refactor printing of project selection menus #0026888
    - Remove obsolete 'posted' form param when reporting new issue #0027575
    - Remove Project Info page #0027802
    - Remove unused and regroup duplicated language strings #0027298
    - Remove unused bug_monitor_list_view_inc.php file #0026962
    - Standardize access of option database_version #0026821
    - System notice in lang_error_handler #0027701
    - Unneeded code for option display_project_padding #0027833
    - Use user_is_login_request_allowed() instead of duplicating the logic 
      #0026930
  * custom fields
    - Custom date field with default value left blank even when field is 
      required #0027914
    - Custom fields with comma can't be used in Manage Config Columns page 
      #0026665
    - Incorrect error message when reporting issue with a custom field 
      failing validation #0027576
    - Remove need to use {} for dynamic dates in custom fields default 
      value #0027956
    - Validate date custom fields default value format #0027950
  * db mssql
    - Update ADOdb to 5.20.20 #0026837
  * db postgresql
    - PHP 8.0 PostgreSQL builds fail due to deprecated pg_fieldsize() 
      function #0027830
  * db schema
    - Email field in mantis_email_table is shorter than user email in 
      mantis_user_table #0027982
  * documentation
    - Admin Guide has various broken links, obsolete info, etc. #0026617
    - Fix discrepancies in documentation for $g_display_errors #0027300
    - Host the Example Plugin from the Developers Guide in a repository in 
      mantisbt-plugins organization #0027993
    - Improve Custom Fields documentation #0027983
    - Out of the box Mantis does not display either a Dependency or
      Relationship Graph #0027584
    - Remove helper_alternate_class() calls from Developers Guide and 
      document alternative #0027992
    - REST API documentation #0025998
  * email
    - Enable S/MIME signed e-mail notifications #0025764
  * filters
    - Preserving filters does not work correctly on sub-sub-projects 
      #0027129
    - search field at project-selection is not working anymore #0027375
  * html
    - Standardize the way fontawesome icons are printed #0027828
  * installation
    - Required PHP json extension not documented and checked #0026974
    - Sourceforge [admin/test_langs.php] File missing from installation
      packages (mantisbt-2.24.3.zip & mantisbt-2.24.3.tar.gz) #0027362
    - Using an empty timezone causes PHP notice on PHP 8 #0027796
  * javascript
    - MantisGraph: stop using chart.js bundled build #0027123
  * ldap
    - Add STARTTLS Support to LDAP #0015361
    - Changed default $g_ldap_protocol_version from 0 to 3. #0027848
    - LDAP configuration options can be set in database #0026822
    - LDAP server must be specified as an URI #0027849
  * localization
    - Confusing message when selecting a project to enter an issue #0011463
    - Improve handling of missing language strings #0027241
  * other
    - Upgrade release build scripts to Python3 #0027384
  * performance
    - Non visible image previews are transferred from server to client 
      #0027150
  * plug-ins
    - 3rd-party plugins cannot use chart.js library bundled with 
      MantisGraph #0027122
    - Admin checks should detect invalid / incorrectly installed plugins 
      #0026143
    - Create cronjob script and plugin event #0027882
    - Force-installed plugins are not registered in order of priority 
      #0027302
    - Improve handling of invalid / incorrectly installed plugins #0026142
    - MantisGraph: update Chart.js library to v2.9.3 #0027124
    - Plugin_force_uninstall is not declared #0012961
    - Tag attach group action doesn't trigger EVENT_TAG_ATTACHED #0027881
    - Validate plugin folder name and name match during setup #0017487
  * preferences
    - issue report TOO_MANY_REDIRECTS #0026988
    - Non existing field name os_version used where os_build should be used 
      #0026840
  * printing
    - Viewer does not get Selection column in View Issues or Print Reports 
      lists #0026839
  * security
    - Printing unsanitized user input in account_prof_edit_page.php #0027853
    - Update PHPMailer to 6.3.0 #0027118
  * sql
    - Error in bug_api.php when UPDATEing a bug #0027113
  * sub-projects
    - Project Menu Bar does not indent subprojects properly #0026887
  * time tracking
    - User list in time tracking summary is not sorted #0027005
  * tools
    - TravisCI: add PHP 8.0 to tests, and switch to bionic build 
      environment #0027829
  * ui
    - Confusing redirection when editing profiles #0027260
    - Horizontal rules (<hr> tag) are nearly invisible #0027978
    - Inconsistent form input labels' font size when HTML label element is 
      used #0027958
    - Left-align the Send Reminder textarea #0027972
    - Manage users edit page: inconsistent spacing between sections #0027574
    - "Move" functionality offered for users that have just access to a 
      single project #0026861
    - Questionable UI / button on "Edit Project Category" page #0027808
    - Upgrade to fontawesome version 4.7.0 #0026823
    - Username field in Monitor box triggers password managers #0026963
    - Wrong page position after bugnote add/edit #0027160

-------------------------------------------------------------------
Mon Jan 18 11:49:28 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.24.4:
  Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL
  injection in the SOAP API and several information disclosure issues including a
  critical one allowing full access to private issues' contents. All
  installations are strongly advised to upgrade as soon as possible.

  This release also includes a few PHP 8.0 compatibility fixes, including a
  major one causing an access denied error for all users when updating issues.

  * Attacker can leak private information via different functionality 
    - CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
    - CVE-2020-29605: Disclosure of private issue summary
    - CVE-2020-29603: Disclosure of private project name
  * Private category can be accessed/used by a non member of a private project (IDOR)
  * CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  * User Account - Takeover
  * Fixed in version can be changed to a version that doesn't exist
  * When updating an issue, a Viewer user can be set as Reporter
  * CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
  * CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function through the API SOAP.
  * inconsistent UI for view bugnote revision
  * Printing unsanitized user input in install.php
  * print_manage_user_sort_link Function Parameter Required after Optional
  * Declaring a required parameter after an optional one is deprecated in PHP 8
  * Javascript error in View Issues page
  * Adapt Error handler to PHP 8
  * Impossible to edit issues with PHP8

-------------------------------------------------------------------
Sat Sep 26 16:53:47 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- MantisBT 2.24.3:
 * CVE-2020-25781: Access to private bug note attachments
 * Admin can get issues assigned to users not allowed to handle them
 * CVE-2020-25288: HTML Injection on bug_update_page.php
 * Send reminder to viewer
 * Admin can set viewer as a tag creator
 * Priority can override to any positive integer
 * Remove code duplication in File API
 * When processing categories, it is not necessary to know the project id
 * CVE-2020-25830: HTML Injection in bug_actiongroup_page.php

-------------------------------------------------------------------
Tue Aug 11 09:11:56 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- MantisBT 2.24.2:
  * CVE-2020-16266: HTML injection (maybe XSS) via custom field on
    view_all_bug_page.php
  * update PHPMailer from 6.1.4 to 6.1.6
- MantisBT 2.24.1:
  * security
    - APIs expose private attachments to users who have access to
      issue but not private notes
    - file_get_visible_attachments shows private files that should
      be invisible to the user
  * various bug fixes and improvements

-------------------------------------------------------------------
Thu Apr 23 14:02:02 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.24.0
  * administration
    - how can I allow user to view only the issue that assigned to them #0010831
  * api rest
    - Passing invalid id to rest api custom field update causes program crash #0026541
    - Passing out of range custom field id causes multiple PHP warnings / 
      incorrect response #0026542
    - Passing unsanitized data to type hinted function causes program crash #0026540
    - Support user password reset via REST API #0026632
    - Update GuzzleHttp from 6.4.1 to 6.5.2 #0026441
  * authentication
    - login username is not trimmed #0025097
  * bugtracker
    - Allow multiple, customizable due date levels #0026438
    - Change of due date background color #0016869
    - Implement limit_reporters as a threshold #0023570
    - Inheritance of sub project not read correctly from database #0026765
    - Make category on bug_report_page a required field when 
      $g_allow_no_category = OFF; #0026686
    - Mass update does not allow setting an empty category #0026690
    - Reporter can't see an issue they have been made a monitor of #0015466
    - Required fields when reporting an issue, should also be when updating it #0026687
  * code cleanup
    - Code Cleanup #0026567
    - Remove $g_log_destination 'firebug' option, as the project is dead 
      since 2017 #0026572
  * customization
    - Retire bug_change_status_page_fields config option #0026778
  * db mssql
    - Update ADOdb to 5.20.16 #0026598
  * documentation
    - Admin Guide: remove doc for long-deprecated $g_ldap_port config #0026589
  * email
    - Update phpmailer/phpmailer from 6.1.3 to 6.1.4 #0026475
  * feature
    - Limit reporter's access to their own issues #0009534
  * filters
    - BugFilterQuery - issue? - trying to add join & where conditions #0024600
    - Wrong filtering by none-relationship #0026621
  * installation
    - Add informational comments to SQL script generated by installer #0026661
    - Allow admin to reset table pre/suffix to their default values #0026664
    - Apostrophe in custom_field_string table causes upgrade from < 1.2.0 
      to fail #0026636
    - Final statement to set database version not logged in SQL script #0026662
    - improve installer messages when generating SQL script #0026663
    - Use appropriate statement to update DB schema when generating SQL 
      #0026568
  * localization
    - lang_get_defaulted does not search for fallback language #0021201
  * plug-ins
    - Improve MantisColumn sort capability to allow sorting by more complex 
      expressions #0026612
    - New Event: EVENT_MENU_ISSUE_RELATIONSHIP #0011365
    - No equivalent to lang_get_defaulted() in plugin_api() #0026747
  * relationships
    - Dependency Graph crash on circular parent child relationships #0011381
    - Relationship Graph - inconsistency between button label and title #0026165
    - Relationship Graph page is missing legend #0026164
    - Relationship Graph page UI lacks MantisBT 2.x layout #0026163
  * reports
    - Display issue Summary inside relation graph nodes #0017594
    - Wrong number of displayed rows on summary page #0026555
  * roadmap
    - User can't see in roadmap a private issue that they reported #0025115
  * rss
    - Access of non existent image in RSS feeds #0021133
  * time tracking
    - Cell coloring for due date indicates "overdue" when not overdue yet. #0009155
  * ui
    - Generate token with empty name and APPLICATION ERROR #11 #0026623
    - Incorrect CSS rules get applied if a word in custom field name 
      matches an existing CSS class #0026473
    - Issue list throws warning on every issue without bug notes. #0026439
    - on mantisbt.org Roadmap progress bar 'data-percent' class could stand 
      out better #0022142
    - Provide a way to 'show content' for all complex items on Manage 
      Configuration Report page #0026712


-------------------------------------------------------------------
Wed Jan  8 08:53:24 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- Move admin files to /usr/share/php[57] to have them available for system updates
- A POST script has been added which copies the admin files, executes them 
  and removes the files after a successful update
- Cleaned up the spec

-------------------------------------------------------------------
Fri Dec 13 07:53:08 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.23.0:
  * administration
    - Custom fields selector in manage project page are not ordered by name 
      #0026368
    - Use empty value as default project in "manage project" subproject 
      section #0026367
  * api rest
    - Error requesting issues using saved filter #0026195
    - Implement IssueViewPageCommand to separate logic from rendering of 
      issue view page #0025902
    - Update GuzzleHttp from 6.3.3 to 6.4.1 #0026374
    - Update Slim Framework to 3.12.3 #0026086
  * attachments
    - Add files information to EVENT_BUGNOTE_ADD event #0025960
    - Attaching files to a note creates a second note with only the 
      attachments #0024113
    - Attachments should be linkable to notes in db #0021733
    - Comments on attachments #0009363
    - Create a place holder note when submitting attachments without text 
      #0026082
    - Deleting a note, should delete associated attachments #0024577
    - "private bugnotes" as default setting prevents uploading further 
      attachments #0022817
    - Support attachments associated with private notes #0009802
    - Support inline playing of audio attachments #0026095
    - Support inline playing of video attachments #0026102
    - Switching note to private/public, should impact associated 
      attachments #0026081
    - Warning for users when making public notes with attachments private 
      #0025935
  * auditing
    - Link attachments issue history events to attachments to determine 
      visibility #0026083
  * bugtracker
    - Closing issues via group action with empty note creates a bugnote 
      record #0026150
    - PHP notice in bug view page when viewing issue without category 
      #0026094
    - Tags are not copied from master issue when cloning #0026326
  * custom fields
    - Filter value "none" is not available for multiselection list custom 
      fields #0026030
    - Manage custom fields page does not show fields in order #0025975
    - Use custom field regular expression in the html input #0025972
    - Use max length property of custom field in inputs #0026141
  * db postgresql
    - check_pgsql_bool_columns: check wrongly suggests that the 
      redirect_delay should be in boolean format #0026109
  * documentation
    - Invalid URL for GraphViz home page #0026092
    - preview_*_extensions config options not documented #0026096
    - Update ERD diagram to reflect new field in bug_file table #0026098
    - Wrong data types in ERD #0021799
  * email
    - Bump phpmailer/phpmailer from 6.0.7 to 6.1.3 #0026265
    - "Email on monitoring" not configurable in manage_config_email_page 
      #0026002
  * feature
    - Allow setting reminder bugnotes' view status #0010107
  * filters
    - Filter for a date custom field fails when no values for this field 
      exists #0026062
    - No way to filter "negative" for checkbox custom fields #0021712
  * javascript
    - Update corejs-typeahead.js library to 1.3.0 #0026382
  * performance
    - Issue view api uses many custom field database queries #0026166
    - Issue view history api repeated calls to bug_get_attachments database 
      query #0026167
  * plug-ins
    - Content Security Policy directive 'frame-ancestors' contains an 
      invalid source when http_csp_add is called for it #0026093
  * reports
    - Move MantisGraph pages to their own tab #0026139
  * security
    - Update ADOdb to 5.20.15 #0026388
    - Vulnerability from library Moment.js 2.15.2 #0026358
  * tagging
    - Add $g_tag_create_threshold to Workflow Thresholds in the GUI #0026119
    - Tag attachments list includes tags already attached to the bug 
      #0026353
  * time tracking
    - Application Error 401 when clicking Time Tracking at the bottom of a 
      bug notes page #0026132
    - Bugnotes time spent info is always shown even if time tracking is 
      disabled #0026134
  * ui
    - Attachments displayed with empty user #0026128
    - Attachments without note text are not displayed #0026294
    - Both "monitor" and "end monitoring" buttons are displayed #0026123
    - Clone button is not displayed correctly #0026295
    - Inline actions user experience is inconsistent between different 
      features #0025905
    - "Users monitoring this issue" section not shown if nobody is 
      monitoring the issue #0026125

-------------------------------------------------------------------
Tue Dec 10 08:38:37 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>

- MantisBT 2.22.2:
  * fix bug: Field "EXCEL columns" has space or tabulation

-------------------------------------------------------------------
Sun Sep 29 06:33:58 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>

- MantisBT 2.22.1:
  * CVE-2019-15715: Command Execution / Injection Vulnerability
  * CVE-2019-8331: bundled Bootstrap updated to 3.4.1
  * Enable integrity hashes for CSS resources from CDNs
  * Show content for Complex Configuration option did not work when
    mod_rewrite is disabled

-------------------------------------------------------------------
Fri Aug 30 13:17:55 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.22.0
  * administration
    - Impossible to set add/remove monitors thresholds from manage page #0025826
    - Simplify displaying of complex values in adm_config_report page #0025910
  * api rest
    - Adding issue via REST API should fail if requested tags can't be 
      attached #0026076
    - Invalid JSON response when creating issue with tag by name via REST 
      API #0025997
    - IssueAddCommand should create tag specified by name if they do not 
      exist #0026077
    - Missing tag name in error message when creating issue via REST API 
      #0025996
    - REST API support for multiple authorization headers #0025362
  * api soap
    - SOAP API return value does not match definition in WSDL #0025470
  * attachments
    - Add support for pasting images as attachments #0021797
  * bugtracker
    - Ability to add monitors to a bug when the bug is first reported #0006128
    - error_string() does not allow HTML tags inside of error messages #0025749
    - IssueAddCommand does not create history entries identical to the code 
      it replaced #0025962
    - PHP Notices in User API #0025850
    - Replace mailto: by link to user profile page in view.php #0025686
    - Status color squares become black #0024189
    - Users can't add monitors if access < show_monitor_list_threshold and 
      >= monitor_add_others_bug_threshold #0025815
  * code cleanup
    - Glue after String Array is being Deprecated #0026063
    - MantisGraph: define Chart.js-related constants in the plugin #0025952
    - New prepare_mailto_url() API function #0025849
    - Remove get_email_link() API function #0025848
    - Remove unused $p_can_report_only parameter in 
      layout_navbar_projects_list() #0025894
  * documentation
    - Admin guide: remove reference to unmaintained Firefox add-on #0025904
    - Improve documentation for monitors-related configs #0025827
  * html
    - Invalid HTML in manage_config_workflow_page.php #0025784
    - Leading newlines disappear when editing data in textarea elements #0025839
  * installation
    - Reflect PHP requirements in Composer config #0025774
  * javascript
    - Improve client-side sortable tables script #0025911
  * other
    - bug_report_page is forced to be cached #0025969
  * plug-ins
    - Add EVENT_MENU_MAIN_FILTER to allow complete customisation of main 
      menu #0024590
    - EVENT_BUGNOTE_DATA event not documented in developer manual #0025914
    - Gravatar Plugin Description #0026066
    - Improve plugin schema upgrade error message #0025162
    - MantisGraph: update Chart.js library to v2.8.0 #0025951
    - Missing an API function to check if a plugin event has been declared #0025953
  * printing
    - Remove hyperlinks on usernames in Word export #0025851
  * security
    - Email for a new private bugnote was sent to a non-authorized reporter #0022898
    - CVE-2019-15539: Stored XSS on Project Documentation
  * tagging
    - Creating an invalid tag should fail with an error #0026074
    - Report issue doesn't support multiple new tags #0024441
    - Tag-related error messages should reference the tag's name #0026075
  * time tracking
    - Time tracking box rendering is broken #0023725
  * tools
    - PHPUnit tests as run by Travis CI builds do not execute all defined 
      suites #0025961
  * ui
    - Gravatar plugin should always use https #0025963

-------------------------------------------------------------------
Thu Jun 27 07:45:46 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.21.1
  * administration
    - Button label truncated on manage_config_workflow_page #0025783
    - LOGFILE_NOT_WRITABLE error triggered if file does not exist #0025734
    - Wrong access_level settings when updating rights in the project admin 
      page #0025722
  * attachments
    - File upload timeout #0025763
  * other
    - Summary "By Date (days)" gets wrong number #0025742
  * reports
    - Summary statistics db error message #0025781

-------------------------------------------------------------------
Wed May 22 07:27:20 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.21
  * administration
    - E_USER_DEPRECATED errors are no longer displayed inline #0025629
    - If log file is not writable, log_event() fails silently #0019642
    - PHP Notice or incorrect file+line number when displaying DEPRECATED 
      error #0025631
  * api rest
    - Inconsistent naming of username field in REST API #0025688
    - Update Slim Framework to 3.12.1 #0025703
  * bugtracker
    - Redirect to the new issue's page after reporting it #0025695
  * customization
    - Modification to status colors css #0023550
  * documentation
    - Encoding of custom files not documented #0022143
    - Upgrade guide does not mention plugins #0022972
  * filters
    - sub-project assignments missing from project-specific My View page 
      #0023333
  * installation
    - Missing file (api/rest/web.config) in installer #0025614
  * ldap
    - LDAP documentation - Remove invalid 'hostname:port' example #0025664
  * performance
    - Improve performance of Summary Page queries #0025693
    - Update color when new Status is selected in Bug Update Page #0025651
  * plug-ins
    - View Issue page menu links from EVENT_MENU_ISSUE event are
      wrapped with "[", "-" characters #0023694
  * timeline
    - My View page without timeline does not respect the 
      $g_my_view_boxes_fixed_position setting #0022096
  * ui
    - Focus on project search #0023037
    - My View Page layout misses some boxes #0022104
    - Plugin tab in Summary section not highlighted when selected #0023418
    - Projects menu search box should be hidden when having a small number 
      of projects #0025594
    - Show Invite button for users with manage users access level, not just 
      administrators #0025682
    - Show status with a color square instead of background color on Bug 
      Update Page #0025650
    - Uneven distribution of boxes on My View page when Timeline is OFF 
      #0025679

-------------------------------------------------------------------
Mon Mar 18 10:36:27 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- MantisBT 2.20

  * administration
    - Can't modify configuration for All projects if only one project exists
      #0020054
    - "Check Installation" is missing from Admin menu #0025130
    - inconvenience while handling user's accounts #0005151
    - Manage project, copy from/to forms are easy to click accidentally and 
      don't ask for confirmation #0025368
  * api rest
    - Allow adding/updating/deleting subprojects via REST API #0025400
    - /api/rest/issues endpoint supposedly returns all issues, but doesn't 
      #0025102
    - Get project doesn't return all versions #0025381
    - Simple and Advanced filters are not consistent for handling 
      sub-project issues #0025515
    - Undefined variable t_show_detailed_errors in API REST #0025429
    - Update Slim Framework to 3.12.0 #0025437
  * attachments
    - Dropzone max-filesize option is not correct #0025463
    - Dropzone preview does not work #0025465
    - Enforce max-filesize in dropzone to alert and drop big files before 
      form submission #0025464
    - Redesign Dropzone file previews #0025572
  * authentication
    - Token error when login with a newly created user #0025110
  * code cleanup
    - default_email_on_status, misleading comments in config_defaults 
      #0020069
    - Take care of released/obsolete flag when accessing 
      version_cache_array_rows() cache #0022100
    - Wrong caching in version API #0024821
  * db mssql
    - Wrong/duplicate bugnote_text_id in mantis_bugnote_table #0025442
  * documentation
    - $g_notify_new_user_created_threshold_min is ignored on new account 
      creation #0025403
    - Manual does not describe variable "g_from_name" #0017304
    - Minor documentation fixes #0025408
  * email
    - Bump phpmailer/phpmailer from 6.0.6 to 6.0.7 #0025436
    - check all/ uncheck all checkbox for email notification #0025434
  * excel
    - Float custom field saved as String in XML-Excel export #0025174
  * feature
    - Add filtered summary #0004624
    - Usability suggestion at Report Issue screen #0023045
  * filters
    - Cannot filter by versions of parent project when child project 
      selected #0012261
    - Improve presentation of temporary filters #0024775
    - Permalink - Filter lose information after click on view issues 
      #0024549
    - Switching simple/advanced for a temporary filter loses the filter 
      #0024776
  * html
    - Filter widget does not hide botton bar when collapsed #0025109
  * performance
    - Massive queries to user table in edit project #0023904
    - project versions are not cached efficiently #0023245
  * plug-ins
    - MantisGraph: improve display of By Category Bar chart #0025524
    - MantisGraph: improve handling of colors in Pie charts #0025523
    - MantisGraph: limit number of slices in By Category pie chart #0025522
  * relationships
    - Error when adding a relationship if bug id contains whitespace as 
      prefix or suffix #0025532
    - When adding multiple relationships, ignore source issue and empty 
      issue ids #0025533
  * reports
    - Filter by dates in Summary Graphs #0014656
    - Filtered Summary #0021931
    - MantisGraph, implement filtered summary for graphs #0025164
    - MantisGraph. Reporter graph does not fit width of page #0025168
    - MantisGraph summary links don't highlight current graph page #0025163
    - Missing pie chart in "By Category Graphs" #0022099
    - Script error in graphs #0025210
    - Summary doesn't honour issue access #0025165
    - SYSTEM NOTICE on graph pages #0025466
    - Update Chart.js to 2.7.3 #0025488
    - View Issues - Select a Filter - Graph are not linked on this choice 
      #0009757
  * rss
    - RSS feeds broken when using PHP >= 7.0 #0025213
  * security
    - Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, 
      CVE-2018-14042) #0024672
    - web.config file is missing in api/rest #0024347
  * sql
    - Page adm_config_report has queries missing db_param_push() #0025456
  * tools
    - Travis CI builds fail for PHP 7.3 #0025390
  * ui
    - Enable selection of a range in checkboxes lists. #0025217
    - Incorrect spacing between submenu and main div for some MantisGraph 
      screens #0025386
    - MantisGraph: redundant subtitle on Issue Trends page #0025387
    - Page adm_config_report does not cache users and generate many 
      database queries #0025454
    - Page adm_config_report, users in filter list are not correctly 
      ordered #0025455
    - Project selection is shown even if the user has no accessible projects
      #0025133
    - Provide sortable functionality to simple tables #0025378
    - 'show_queries_count' is a global setting, but 'show_memory_usage', 
      'show_timer' are not #0025446
    - Summary page submenu not aligned when screen narrower than buttons 
      #0025385

-------------------------------------------------------------------
Fri Jan 11 10:03:50 UTC 2019 - jweberhofer@weberhofer.at

- MantisBT 2.19
  https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.19.0

  * Updates: ADOdb, Guzzle, Slim Framework, PHPMailer, 
    Disposable Email Checker 
  * Fixed installation issue (memory_limit test fails when memory_limit 
    is set to -1, PHP 7.3 issue)
  * Fixed authentication issues
  * Improved form handling for password managers
  * Fixed some UI issues
  * Code cleanup

- Updated file lists, removed additional files not used in distribution

-------------------------------------------------------------------
Thu Nov 29 12:08:59 UTC 2018 - jweberhofer@weberhofer.at

- MantisBT 2.18
  * Code Cleanup
  * Plugin Columns - Export CSV or Excel - PHP 7.2.7 - crash error 500
  * Changes to project_view_state and view_state to create only private projects
  * Missing fallback for "Open Sans" font
  * Error Creating Issue with new TAG
  * Performance enhancements of string processing

- MantisBT 2.17.2
  * CVE-2018-17783: XSS in manage_filter_edit_page.php
  * CVE-2018-17782: XSS in manage_filter_page.php

-------------------------------------------------------------------
Mon Oct  1 09:46:19 UTC 2018 - jweberhofer@weberhofer.at

- MantisBT 2.17.1
  CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php

- MantisBT 2.17.0
  https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.17.0
  This is a selection of improvements among many others:
  * better visibility of relationships
  * search for users in the administration
  * REST and SOAP API improvements

-------------------------------------------------------------------
Fri Sep 14 07:14:29 UTC 2018 - astieger@suse.com

- MantisBT 2.16.1:
  * CVE-2018-14895: XSS in bug_actiongroup.php

-------------------------------------------------------------------
Mon Aug  6 05:58:35 UTC 2018 - jweberhofer@weberhofer.at

- MantisBT 2.16.0
  https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.16.0
  * ui
    - Local copy of Open Sans font does not include Latin-ext characters 
    - Fonts are not rendered correctly in Windows clients
    - Font = Times News Roman after Upgrade from v2.7.0
  * upgrade
    - Improve handling of unserialize errors when upgrading
    - Error in upgrade process 1.2.17 --> 1.3.0
  * performance
    - Unneeded information in Change Log and Roadmap
    - Performance enhancement of config_get_global function
  * timeline
    - Missing display of events in Timeline if All Projects is selected
  * code cleanup

-------------------------------------------------------------------
Thu Jun 28 10:22:27 UTC 2018 - jweberhofer@weberhofer.at

- MantisBT 2.15.0
  https://www.mantisbt.org/bugs/changelog_page.php?version_id=321
  * filters
    - Cannot save private filter if not allowed to save shared filter
    - show_user_realname_threshold is not considered when sorting by reporter or handler
  * bugtracker: Incorrect issue status setting when changing status
  * wiki: URL encoding precludes reasonable wiki root_namespace values
  * tagging: Exception Missing Class
  * security: Update-Blocker:User-ID instead of Realname 0024139 as due 
    to security policy requirements which prohibit IDs in mails and masks
  * ui
    - Selecting users is not easy if show_realname is set to ON
    - $g_show_realname for making usernames private
  * other: System warning if $g_log_destination = 'page' when using PHP 7.2
  * api soap: Error while querying for issue header with PHP 7.2
  * api rest: Support create project versions via REST API
  * performance: Unneeded <meta> tag in <head> section

- Removed unused adodb scripts

- Don't package several test-cases from sub-packages as well 
  as vendor/phpunit. As the mantisbt test-cases are not in the upstream package
  we don't run any checks.

-------------------------------------------------------------------
Tue May 15 08:40:23 UTC 2018 - jweberhofer@weberhofer.at

- MantisBT 2.14.0
  https://www.mantisbt.org/bugs/changelog_page.php?version_id=316
  * IssueAddCommand Prevents API Folder Removal
  * Update ADOdb to 5.20.12
  * E_DEPRECATED error on php7.2: each() function
  * Update Slim Framework from 3.8.1 to 3.9.2
  * Update GuzzleHttp from 6.3.0 to 6.3.2
  * Wrong documentation of datetime_picker_format in Admin Guide
  * Wrong documentation of my_view_boxes in Admin Guide
  * Support getting a single project via REST API
  * Plugin priority changed without being changed by user interaction

- MantisBT 2.13.2
  https://www.mantisbt.org/bugs/changelog_page.php?version_id=319
  * CVE-2018-9839: Private issues accessible to unauthorized users using 
    the "Clone" functionality
  * Markdown quoting rendered with broken HTML
  * email: Inconsistent realname display
  * REST API:
    - Get all filter or specific filter returns incorrect information
    - REST API returns too much info for default category handler
    - Don't show category default handler for users that can't manage the project
  * api soap: API method mc_filter_get does not work
  * mb_internal_encoding no longer being set because of removal utf8 library
  * SYSTEM WARNING 'count(): Parameter must be an array or an object that 
    implements Countable' in 'IssueNoteAddCommand.php'

-------------------------------------------------------------------
Thu Apr  5 15:33:42 UTC 2018 - jweberhofer@weberhofer.at

- MantisBT 2.13.1
  https://www.mantisbt.org/bugs/changelog_page.php?version_id=317
  * Fixed broken rendering of @ mentions, # issue and ~ note links

- MantisBT 2.13.0
  https://www.mantisbt.org/bugs/changelog_page.php?version_id=315
  * Filter improvements
  * Support adding attachments when reporting issues
  * Several REST and SOAP API improvements
  * Can't login if admin directory has restricted access
  * Filtering with "note by" shows results from private notes for unprivileged users
  * Entering Emojis in comments with a user mention crashes with an error (mysql)

- MantisBT 2.12.1
  https://www.mantisbt.org/bugs/changelog_page.php?version_id=314
  * Account page required change password on any field modification
  * Username (Realnames) format not showing on timeline (my_view_page)
  * Wrong color of username in timeline
  * History entries display realname instead of username

- MantisBT 2.12.0
  https://www.mantisbt.org/bugs/changelog_page.php?version_id=312
  * Improvements to mentioning users with @user
  * Language updates
  * User realname uniqueness check doesn't work

-------------------------------------------------------------------
Wed Feb 14 07:29:40 UTC 2018 - jweberhofer@weberhofer.at

- MantisBT 2.11.1
  * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.11.1
  * Bugfix: REST API doesn't work from UI for some users
  * Bugfix: Warning message on login page after new installation

-------------------------------------------------------------------
Fri Feb  9 10:24:13 UTC 2018 - jweberhofer@weberhofer.at

- Removed vendor/adodb/adodb-php/server.php file which isn't required
  but leads into CVE-2018-6382 and bsc#1078308
- Require fileinfo extension

- MantisBT 2.11.0
  * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.11.0
  * Administration: 
    - Allow unprotecting protected users
    - Other fixes
  * REST API: 
    - Added handling of tags, users, relationships, monitoring,
      attachments, time-tracking
  * Reports:
    - Several improvements
  * Installation fixes
  * Further improvements and code-cleanups

-------------------------------------------------------------------
Thu Feb  8 11:29:22 UTC 2018 - astieger@suse.com

- MantisBT 2.10.1, a bugfix and security release:
  * unable to create a bug with customfields via SOAP
  * Wrong constructor name in class FilterConverter
  * Resolving as duplicate does not add reporter and handler to
    monitoring list of duplicate issue
  * CVE-2018-6403: XSS in adm_config_report.php 'value' parameter

-------------------------------------------------------------------
Tue Jan 30 07:04:11 UTC 2018 - jweberhofer@weberhofer.at

- Update to 2.10.0
  * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.10.0
  * REST API: Filter improvements
  * Fixes in time-tracking
  * Further fixes and refactorings

-------------------------------------------------------------------
Tue Dec 19 21:06:26 UTC 2017 - jweberhofer@weberhofer.at

- Update to 2.9.0
  * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.9.0
  * fixes and refactorings
  * REST API improvements

-------------------------------------------------------------------
Fri Nov  3 17:38:03 UTC 2017 - jweberhofer@weberhofer.at

- update to 2.8.0
  * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.8.0
  * fixes
  * REST API: updates, on by default
  * DKIM support for E-Mail signing

- REST API requires php-soap
- MantisBT requires php 5.5.0+

-------------------------------------------------------------------
Sat Oct 14 19:09:50 UTC 2017 - astieger@suse.com

- update to 2.7.0:
  * ui rendering fixes
  * performance improvements
  * fixes related to custom fields and filters

-------------------------------------------------------------------
Tue Sep 19 11:22:40 UTC 2017 - jweberhofer@weberhofer.at

- MantisBT 2.6.0

REST API
  * projects doesn't return child projects (vboctor)
  * Notes returned by /issues REST API have incorrect timestamps (vboctor)
  * Support adding/deleting notes via REST API (vboctor)
  * Support issue id as part of the path for REST API (vboctor)

Attachments
  * Can't open image attachments in browser windows (dregad)

Bugtracker
  * AJAX calls with invalid endpoints fail with syntax error (dregad)
  * bug_actiongroup_page, on copy, & move, project combo lists projects which the user has no rights (cproensa)
  * Update GuzzleHttp from 6.2.3 to 6.3.0 (vboctor)

Customization
  * Custom fields badly filtered when multi-projects (cproensa)
  * Field is appearing in email notification but not used in UI. (joel)

E-Mail
  * Update disposable-email-checker to v3.0.1 using Composer (vboctor)
  * Update PHPMailer v5.2.23 to v5.2.24 (vboctor)
  * Removing "Report an issue" permission removes user from Monitoring filter dropdown (atrol)
  * Due date field not displayed correctly when editing ticket (community)
  * Unused code and unused CSS delivered for obsoleted functionality (atrol)
  * Unused CSS delivered (atrol)

Markdown
  * Update Parsedown 1.6.2 to 1.6.3 (vboctor)

Performance
  * Project cache is not efficient with navbar project selection. (cproensa)
  * Unused and inefficient code in function layout_print_sidebar (atrol)

Time Tracking
  * Enabling Time Tracking distorts View Issue Details page layout. (cproensa)
  * Issue history box is narrower than other boxes above it on View Issue page (cproensa)
  * Time Tracking "auto count" is giving the wrong elapsed time (dregad)
  * Time tracking report excludes issues with no category assigned (cproensa)
  * Unable to access time tracking reports (atrol)

UI
  * 'Manage Configuration' tab usually does not highlight (dregad)
  * "notify user" check should be moved outside the form (cproensa)
  * Calendar doesn't show the correct date the first time it opens (dregad)
  * Display of hardcoded string on view_user_page if e-mail address is empty (atrol)
  * Graph display is too faint and blurred (atrol)
  * print_manage_menu() does not highlight active plugin pages (dregad)
  * Questionable display of "Access Denied" on view_user_page (atrol)
  * Questionable order and functionality of top buttons on "View Issue" page (atrol)
  * The required fields are not explicitly visible when updating, resolving or closing an issue (community)
  * When specifying top_buttons display, the button on update screen has no styling. (atrol)

-------------------------------------------------------------------
Mon Sep  4 15:08:03 UTC 2017 - astieger@suse.com

- MantisBT 2.5.2:
  * Login page no longer warns about 'admin' directory being present
  * Checks on login page are never executed if "admin" dir does not exist
  * Improve doc and notifications when admin dir is present (CVE-2017-12419) 
  * drop patches:
    CVE-2017-12061.patch CVE-2017-12062.patch
- make mantis a versioned provides capability

-------------------------------------------------------------------
Tue Aug  1 22:46:27 UTC 2017 - astieger@suse.com

- Fix two XSS vulnerabilities:
  * CVE-2017-12061: XSS in /admin/install.php script (bsc#1051697)
    add CVE-2017-12061.patch
  * CVE-2017-12062: XSS in manage_user_page.php (bsc#1051698)
    add CVE-2017-12062.patch

-------------------------------------------------------------------
Tue Aug  1 22:36:15 UTC 2017 - astieger@suse.com

- MantisBT 2.5.1:
  * REST API improvements, SOAP API fixes

-------------------------------------------------------------------
Mon May 22 20:43:26 UTC 2017 - astieger@suse.com

- MantisBT 2.4.1:
  * Support Generic Authentication through Plug-ins
  * various fixes and improvements

-------------------------------------------------------------------
Mon Apr 17 08:05:04 UTC 2017 - astieger@suse.com

- MantisBT 2.2.4:
  * CVE-2017-7615: Account verification page allows resetting any
    user's password (bsc#1034333)
- includes changes from 2.2.3:
  * Sorting all bugs list using a column header after applying a
    filter resets the filter
  * Permalink does not work with "Note By"
  * Filter error due to "view status" having an array value
  * Regression in custom field sorting
  * CVE-2017-7309: XSS in adm_config_report.php (bsc#1031807)
  * CVE-2017-7241: XSS in move_attachments_page.php (bsc#1031807)
  * Markdown starts heading in the middle of a line
  * Markdown still converting '& amp;' to & and '& lt;' to <
- includes changes from 2.2.2:
  * CVE-2017-6973: XSS in adm_config_report.php (bsc#1031807)

-------------------------------------------------------------------
Mon Mar 20 19:47:58 UTC 2017 - astieger@suse.com

- MantisBT 2.2.1:
  * various improvements and bug fixes
  * fix XSS in Source Integration Plugin (CVE-2017-6958)
  * fix XSS in bug change status page (CVE-2017-6797)
  * fix XSS in view filters pages (CVE-2017-6799)

-------------------------------------------------------------------
Thu Jan 19 15:07:06 UTC 2017 - branislav.havel@suse.com

- MantisBT 2.0.0
- package moved to mantisbt
  * System utilities page for moving attachments should support move 
    all attachments
  * Replace jscalendar by a newer widget
  * Incorrect text for the remove file button in the file upload dropzone
  * Section 2.2.2.1 Admin Guide: Misaligned row in Table
  * Missing leading zeroes in due date display
  * datetime picker does not work if 'cdn_enabled' is ON
  * Due Date calendar icon wraps below the field 

-------------------------------------------------------------------
Thu Jan  5 14:37:21 UTC 2017 - astieger@suse.com

- MantisBT 1.3.5:
  * security fix: Potentially serious RCE vulnerability in bundled
    PHPMailer before 5.2.18 (CVE-2016-10033)
  * performance improvements, bugfixes, UI fixes and improvements
- MantisBT 1.3.4:
  * security fix: Handlers(Assignees) are visible when editing an
    issue even if they are not visible when viewing it
  * performance improvements, bugfixes, UI fixes and improvements

-------------------------------------------------------------------
Mon Oct 31 07:32:49 UTC 2016 - astieger@suse.com

- MantisBT 1.3.3, a bugfix release:
  * various fixes for bugs in the UI, behavior and code
  * documentation updates

-------------------------------------------------------------------
Sun Oct 30 09:55:01 UTC 2016 - astieger@suse.com

- MantisBT 1.3.2, a bugfix update:
  * documentation updates
  * Various bug fixes and compatible feature updates
  * Fix Invalid Strict-Transport-Security header when server would
    already send it anyway

-------------------------------------------------------------------
Thu Sep  1 00:28:49 UTC 2016 - astieger@suse.com

- MantisBT 1.3.1, a security and bugfix update
  * CVE-2016-7111: Content Security Policy is weakened by Gravatar plugin
  * CVE-2016-6837: XSS vulnerability in view_all_bug_page.php
  * various bug fixes  

-------------------------------------------------------------------
Tue Jul 12 16:59:23 UTC 2016 - astieger@suse.com

- MantisBT 1.3.0, a security and feature update
- New features:
  * @ mentions support
  * Support for avatar plugins - shipping Gravatar out of the 
  * Support for user lifecycle plugin events
  * Allow administrators to impersonate users
  * Support for notes and tags as columns to configure for view
    issues, print issues, csv/excel export
  * Support for login using email address
  * Enforcing email uniqueness
  * Enable configuration for email notifications for category owner
  * Re-implemented parsing of complex configuration types for
    Configuration Report
  * Tagging directly from report issue page
  * Timeline feature
  * Users can now generate API tokens
  * Anti-spam feature to limit the number of issues from new users
  * Memo custom fields
  * jQuery and jQueryUI are now included in core
  * PHP version compatibility up to PHP 5.6 and PHP 7.
  * Better generated HTML, relying on CSS instead of inline styles
    and reducing use of tables for layout
  * HTML5 doctype – Lots of improvements to generated markup.
  * Out-of-the-box support for Oracle (oci8)
  * Greatly enhanced support for PostgreSQL
  * Improved installation and admin utilities (system check, tools)
  * Mechanism to prevent concurrent updates to the same issue
  * Detailed filters hidden by default
  * Improved XmlImportExport core plugin
  * Bigger e-mail and realname fields
  * Improved documentation, migrated to Publican
  * Improved email notifications when an issue is unassigned or re-assigned
  * Support attaching files while adding a note + attaching multiple files with same name
  * Added new log level LOG_EMAIL_VERBOSE.
  * Extensibility, add more events
- Security fixes:
  * CVE-2016-5364: Reflected XSS inside
    manage_custom_field_edit_page.php [boo#984334]
  * Cannot change password in second enter to verification page
  * bugnote actions in view bug page should send data as POST
  * CVE-2014-9759: SOAP API can be used to disclose confidential settings
  * CVE-2014-9572: Improper Access Control in install.php
  * CVE-2014-9571: XSS in install.php
  * CVE-2015-1042: URL redirection issue
  * CVE-2014-9573: SQL Injection in manage_user_page.php
  * PHP remote code execution in install.php
  * CVE-2014-9701: XSS vulnerability in permalink_page.php
  * Registrations by bots via captcha exploit
  * Support Content-Security-Policy (CSP) per W3C specification
  * install.php: do not send the value of crypto_master_salt over http
  * Redirect user to change password if logged in with default admin password
  * plugins directory must be secured/fixed
  * Provide additional random number generators
  * allow_reporter_reopen lets reporter make any update, not just reopen
  * Add support for Strict-Transport-Security header
  * Improve random number generation with openssl_random_pseudo_bytes
  * Do not allow to send a reminder on a private issue to users under threshold
  * Remove input side XSS validation of user real names
  * When user reports an issue, the unpermitted project can be selected
  * Remove all inline JavaScript from MantisBT (use external scripts instead)
- Deprecated Features:
  * Custom Functions in favor of Plugins
  * DB2 support – removed in 2.0.x
  * News feature – already deprecated
  * Time tracking – already deprecated
  * Project Docs – already deprecated
  * Sponsorships – already deprecated
- Removed Features:
  * Built-in source code integration support
  * FTP for attachments
  * Removed nusoap in favor of native php soap extension
  * Removed feature extended project browser

-------------------------------------------------------------------
Mon Feb 23 11:39:33 UTC 2015 - astieger@suse.com

- MantisBT 1.2.19:
  This release resolves 5 security issues and fixes 2 regressions
  introduced in 1.2.18.
  * [security] CVE-2014-9573: SQL Injection in manage_user_page.php
  * [security] CVE-2014-9624: CAPTCHA bypass is way easier than it should be
  * [security] CVE-2015-1042: URL redirection issue
  * [security] CVE-2014-9571: XSS in install.php
  * [security] CVE-2014-9572: Improper Access Control in install.php
  * [bugtracker] Reporting an issue gives: 'Invalid argument supplied for foreach()' in '/opt/mantisbt-1.2.18/core/gpc_api.php' line 259
  * [email] Order of notes in email notifications seem to be based on user who triggered the action
  * [bugtracker] Fix handling of due dates
  * [administration] Installer UI tweaks
  * [bugtracker] Sort bug notes by date, not by ID
  * [authentication] User creation with captcha broken by fix for issue 0017811
- includes changes from MantisBT 1.2.18:
  This release resolves 23 security-related bugs and vulnerabilities:
  * 7 Cross-Site Scripting (XSS) issues
  * 2 Code injection issues
  * 2 SQL injection (XSS) issues
  * 5 Information disclosure issues
  * 7 Other security issues
  * [security] CVE-2014-8986: adm_config_report.php filtering does not check config option is valid
  * [security] CVE-2014-9117: CAPTCHA bypass
  * [security] CVE-2014-9089: SQL injection in view_all_set.php
  * [security] Multiple vulnerabilities in MantisBT
  * [security] CVE-2014-9279: Db Credentials leak via unattended upgrade script
  * [security] CVE-2014-9281: Reflected XSS in admin panel / copy_field.php
  * [security] CVE-2014-9271: Persistent XSS in file uploads/attachments
  * [security] CVE-2014-9280: PHP Object Injection in filter API
  * [security] CVE-2014-9272: XSS in string_insert_hrefs allows script execution
  * [security] CVE-2014-6316: URL redirection issue
  * [security] Emails on relations is send to people who cannot see the related issue
  * [security] CVE-2014-8553: SOAP API: leak of user personal information
  * [security] Login_page.php: Ensure username is valid
  * [security] CVE-2014-6387: Null byte poisoning in LDAP authentication
  * [security] CVE-2014-8988: Attachments can be downloaded without permission
  * [security] Prevent unauthorized users setting handler when reporting issue
  * [other] Incorrect $specific_where
  * [documentation] Code allows display of Resolution and Status in bug report page, but doc says it's not allowed
  * [code cleanup] Use of deprecated PREG_REPLACE_EVAL ('e') pattern modifier
  * [attachments] Warning in bug report when attachments are disabled
  * [attachments] Debug output displayed when adding files
  * [bugtracker] proj_doc_update.php on document update crashes if new file is not uploaded
  * [bugtracker] Missing error param when updating project doc
  * [filters] Column summary of the free text search is not prefixed by table (filter_api)
  * [bugtracker] Default profile doesn't work
  * [security] No Errors shown at all if error_reporting=0 configured at server
  * [bugtracker] Invalid category check is not made
  * [news] News section shouldn't show in permissions report when feature is disabled
  * [api soap] Handler can be set without having appropriate access rights
  * [db mssql] Graph « Cumulative by date » is not displayed in Summary > Advanced Summary
  * [migration] Import plugins should be able to set last_updated field to a date in the past
  * [bugtracker] Issue history show date submitted and last updated as integers rather than dates
  * [bugtracker] New BugData object due_date should be blank
  * [plug-ins] XML import plugin only replaces links in 'description'
  * [security] CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin
  * [security] Attachments displayed in history despite user not authorised to view them
  * [api soap] mc_issue_update() email notification doesn't include added notes
  * [security] CVE-2014-8598: XML plugin should restrict ability to import data
  * [api soap] CVE-2014-8554: SQL injection in SOAP API
  * [security] CVE-2014-9269: XSS in extended project browser
  * [security] CVE-2014-8987: XSS in adm_config_report.php
  * [security] CVE-2014-9270: Stored XSS in Mantis
  * [email] Disposable library triggers PHP STRICT warnings
  * [news] Not possible to set 'announcement' flag when editing News
- Fix XSS in adm_config_report.php
  - mantisbt-1.2.19-CVE-2015-2046.patch CVE-2015-2046 [boo#919035]

-------------------------------------------------------------------
Wed Oct  8 18:37:57 UTC 2014 - andreas.stieger@gmx.de

- MantisBT 1.2.17:
  * undefined function db_params() in core/news_api.php
  * The bug_get_bugnote_count() function in the bug API always
    returns 0
  * duplicate "<a " tag
  * [security] CVE-2014-2238: SQL injection vulnerability in
                adm_config_report.php
- includes changes from 1.2.26, including:
  * [security] CVE-2014-1609: SQL injection vulnerabilities
  * [security] CVE-2014-1608: soap:Envelope SQL injection attack
  * [security] When $g_limit_reporters = ON; it is still possible
               to change reporter
  * [security] CVE-2013-4460: XSS in account_sponsor_page.php
               project names
  * For a full list, see
    http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.16
- clean up spec file
- verify source signature

-------------------------------------------------------------------
Thu Aug  8 21:01:23 UTC 2013 - robert.munteanu@gmail.com

- Rename changes file to package name
- Do not package the root directory in both main and -install
  package 
- Update summary and description
- Do not package build and test files
- Corrected license name

-------------------------------------------------------------------
Fri Oct  7 21:38:44 UTC 2011 - mrdocs@opensuse.org

- Update to 1.2.8
  + numerous bugfixes and security updates
- Versioned changelogs 1.2.4 - 1.2.8:
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=139 
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=138
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=137
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=114
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=133
- renamed spec file to eliminate rpmlint warning

-------------------------------------------------------------------
Wed Jan 12 16:25:22 UTC 2011 - nix@opensuse.org

- Update to version 1.2.4
- Delete useless .gitignore
- Disable rpmlint check for zero length *.html files
- change file ownership to root instead of apache!!

-------------------------------------------------------------------
Fri Jun  11 15:09:58 UTC 2010 - rpms@ilmi.fi - 1.2.1

- Update to version 1.2.1

-------------------------------------------------------------------
Mon Mar  8 15:09:58 UTC 2010 - nix@opensuse.org

- Update to version 1.2.0
- Migrate changelog to changes file

-------------------------------------------------------------------
Mon Dec  8 00:00:00 UTC 2008 - Tuukka Pasanen <rpms@ilmi.fi>
- New version 1.1.5.
- Name changed
- Directories added


* Wed Jun 25 2008 Tuukka Pasanen <rpms@ilmi.fi> - 1.1.2
- New version 1.1.2

* Wed Jan 16 2008 Tuukka Pasanen <rpms@ilmi.fi> - 1.1.0
- Separate Admin package.

* Tue Jul 10 2007 Tuukka Pasanen <rpms@ilmi.fi> - 1.0.8
- New version 1.0.8

* Wed Feb 28 2007 Tuukka Pasanen <rpms@ilmi.fi> - 1.0
- Initial build