mantisbt - 2.25.5 Released 2022-06-24
======================================

Security and maintenance release fixing vulnerabilities with SVG file attachments (CVE-2022-33910), which are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.

0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad)
0030541: [documentation] Impossibility of deleting attachment with form security validation turned on (dregad)
0030193: [bugtracker] PHP 5.6 support broken (dregad)
0030204: [filters] Create Permalink - special characters handling (dregad)
0030533: [security] Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote (community)
0030384: [security] CVE-2022-33910: Stored XSS via SVG file upload (dregad)
0030416: [security] Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8 (dregad)

mantisbt - 2.25.4 Released 2022-05-10
======================================

Maintenance release fixing a couple of regressions introduced in 2.25.3, loading a JavaScript library from CDN and initializing the path on PHP 5.6.

0024393: [db mssql] APPLICATION ERROR 401 Database query failed. Error received from database was #-52: SQLState: IMSSP (dregad)
0029751: [authorization] APPLICATION ERROR #13 (access denied) while creating new user when theshold configured as MANAGER in administration interface (atrol)
0029857: [bugtracker] Errors trying to load moment.js library from CDN (dregad)
0029853: [bugtracker] $g_path incorrectly set in config_defaults_inc.php on PHP 5.6 (dregad)
0029991: [installation] Javascript error in browser console when upgrading (dregad)
0030077: [installation] Installer's Oracle-specific warning regarding identifiers' length is shown initially for MySQL (dregad)
0030178: [authorization] Update issue icon on "My View" page is displayed even without having appropriate access rights (atrol)
0030182: [authorization] Update issue icon on "View Issues" page is displayed even without having appropriate access rights (atrol)

mantisbt - 2.25.3 Released 2022-04-13
======================================

Security and maintenance release, fixing vulnerabilities in CSV Export (CVE-2021-43257) and Plugins management pages (CVE-2022-26144), as well as in bundled libraries guzzlehttp/psr7 (CVE-2022-24775) and moment.js (CVE-2022-24785). It also addresses several PHP 8.1 compatibility issues.

0029485: [security] Update ADOdb to 5.20.21 (dregad)
0029848: [security] Update guzzlehttp/psr7 to 1.8.5 (dregad)
0029034: [api soap] SOAP call mc_project_get_id_from_name fails when there is no matching project in PHP 7.2 (community)
0029846: [bugtracker] Passing null to parameter of type XXX is deprecated (dregad)
0028927: [api rest] Slim Application Error when RestFault generated (community)
0029845: [bugtracker] Constant FILTER_SANITIZE_STRING is deprecated (dregad)
0029130: [security] CVE-2021-43257: CSV Injection with CSV Export Feature (dregad)
0029144: [attachments] Adding an attachment with a long filename causes "Data too long for column 'filename'" application error (dregad)
0029181: [bugtracker] 'format_issue_summary' custom function not called from View Issue Details page (dregad)
0029416: [ui] Missing closing div tag causes incorrect page footer display (dregad)
0029462: [installation] Unable to install (dregad)
0029413: [custom fields] APPLICATION ERROR 1300 Custom field not found with case-sensitive database (dregad)
0029849: [security] Update moment.js to 2.29.2 (dregad)
0029688: [security] CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php (dregad)

mantisbt - 2.25.2 Released 2021-06-16
======================================

Security and maintenance release, fixes vulnerabilities in Custom Fields management page (CVE-2021-33557) and in the PHPMailer library, as well as a PHP 8 compatibility issue.

0028552: [security] CVE-2021-33557: XSS in manage_custom_field_edit_page.php (dregad)
0028803: [custom fields] PHP 8: "Bad Request" error on custom field filters (dregad)
0028821: [security] Update PHPMailer to 6.5.0 (dregad)

mantisbt - 2.25.1 Released 2021-05-12
======================================

Security and maintenance release, fixes a couple of vulnerabilities in PHPMailer and Chart.js libraries, as well as a few other minor issues.

0028084: [ui] Labels for email notifications in User Prefs page appear in bold (dregad)
0028082: [ui] Project Edit Page does not display check boxes (dregad)
0028076: [plug-ins] Bundled plugins 2.25.0: incorrect Mantis requirement (dregad)
0028080: [ui] Unsightly vertical offset of the "Update Prefs" and "Reset Prefs" buttons. (dregad)
0028106: [administration] Error removing project (dregad)
0028112: [ui] Incorrect spacing between icon and text on manage_user_edit_page.php (dregad)
0028530: [security] Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) (dregad)