Mantis 1.2.16
8 February 2014
Mantis version 1.2.16 is now available (security release).
Upgrading to Mantis 1.2.16
You can upgrade to (or install) Mantis 1.2.16 using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Mantis updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install and test the 1.2.16 upgrade before applying it live. Get started managing your Mantis installations with Installatron.
What's New in Mantis 1.2.16
This is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.
- 0016879: [security] CVE-2014-1608: soap:Envelope SQL injection attack (dregad).
- 0016880: [security] CVE-2014-1609: SQL injection vulnerabilities (dregad).
- 0016513: [security] CVE-2013-4460: XSS in account_sponsor_page.php project names (atrol).
- 0015770: [security] When $g_limit_reporters = ON; it is still possible to change reporter (dregad).
- 0014301: [documentation] Add SOAP API documentation in the administration guide (rombert).
- 0015572: [attachments] diskfile_is_name_unique() can return non-unique filename (dregad).
- 0015762: [email] email_regex_simple() case sensitive, leading to incorrect e-mail links (dregad).
- 0015775: [other] Wrong reporter when copying an issue (atrol).
- 0015777: [other] Wrong value in field "Date Submitted" when copying issues (atrol).
- 0015791: [other] System notice when json_url() retrieves non-existent member (dregad).
- 0015807: [api soap] Support standard filters like ones in My View page in SOAP API (vboctor).
- 0015812: [documentation] Wrong example code for custom validation functions (atrol).
- 0009936: [api soap] add history information (rombert).
- 0015496: [attachments] Script to move attachments from db to disk not working (dregad).
- 0015774: [attachments] Incorrect number of attached files (dregad).
- 0015893: [email] It should not be possible to reset a user's password if e-mail is blank (dregad).
- 0015920: [administration] Missing config file causes cli scripts to fail silently (dregad).
- 0015921: [code cleanup] Temp variables defined in global scope should be unset() after use (dregad).
- 0015958: [email] Upgrade PHPMailer to 5.2.6 (dregad).
- 0014543: [email] Emails are not sent to addresses with single subdomain (dregad).
- 0015953: [email] 'Could not instantiate mail function' error with safe mode=ON (dregad).
- 0015959: [api soap] SOAP: raw XML when browsing the WSDL (dregad).
- 0016028: [api soap] Adding note via webservice generates wrong email content for assigned user (rombert).
- 0016120: [email] Cannot modify Receive Reminder threshold on Manage Threshold Page (atrol).
- 0009876: [performance] Performance problem with a lot of projects (dregad).
- 0016174: [tools] Travis CI: set up PHP 5.5 build alongside 5.4 (rombert).
- 0012955: [attachments] After updating a project documentation the file is damaged (dregad).
- 0014541: [code cleanup] Remove calls to deprecated functions db_prepare* in "Docs" update page (dregad).
- 0016126: [tools] Setup integration testing on Travis CI (rombert).
- 0016158: [api soap] mc_filter_get_issues does not populate monitors fields for retrieved issues (rombert).
- 0016187: [administration] Application error on fresh install (dregad).
- 0016202: [tools] Travis CI: set up PHP 5.3 build (atrol).
- 0016204: [tools] User Test fails when bugnote_order is not set to default (dregad).
- 0016205: [tools] Issue History tests fail when history order is descending (dregad).
- 0016203: [tools] Issue History tests randomly fail (dregad).
- 0010071: [administration] Manage Workflow Threshold page: 'Who can alter this value' is not saved (dregad).
- 0012470: [custom fields] Custom fields names aren't translated in several places (dregad).
- 0012480: [bugtracker] Editing a bug with no assigned user and no access to edit assigned to field shows 'user0' (dregad).
- 0015790: [other] url_get() cURL should set User Agent (dregad).
- 0015817: [api soap] SOAP API unit test failures (dregad).
- 0016175: [tools] Customize Travis notifications (dregad).
- 0016252: [api soap] API SOAP provides no answer after MantisBT upgrade (rombert).
- 0016259: [bugtracker] When sorting issues by due_date, unset values should be listed at the end (dregad).
- 0016337: [administration] Creating the first project on a fresh install causes error 2800 (dregad).
- 0016340: [db db2] Error 401 for Manage Tags (dregad).
- 0016341: [db postgresql] Impossible to retrieve attachments from DB with PostgreSQL >= 9.0 (dregad).
- 0016342: [bugtracker] The g_html_valid_tags_single_line configuration variable seems to be ignored in favor of g_html_valid_tags (dregad).
- 0016348: [code cleanup] Duplicated code in MantisCoreFormatting (dregad).
- 0016408: [customization] config_eval() fails on configs that reference array values (vboctor).
- 0016416: [installation] Improve first login experience by auto-redirecting to create project page (vboctor).
- 0016431: [installation] Numerous "Invalid argument supplied for foreach()" errors when installing with DB script printed to screen (grangeway).
- 0016484: [tagging] SOAP: Impossible to attach tags to issues (dregad).
- 0016485: [api soap] SOAP API test failure for due date (dregad).
- 0014563: [db oracle] Use of literal SQL statement causes ORA-01704 error when uploading attachments (dregad).
- 0010873: [roadmap] Change Log/Roadmap do not work with inherited versions. (dregad).
- 0014458: [other] Track third party libs as github repos (dregad).
- 0015196: [api soap] Create history entries when creating issues with non-default status and resolution (rombert).
- 0016376: [customization] Not able to change status without having update issue rights (dregad).
- 0016420: [preferences] Editing user preferences when no project exists triggers application error 20 (dregad).
- 0016607: [documentation] Wrong option html_tags in Admin Guide (atrol).
- 0016767: [upgrade] upgrade_unattended script is no longer working (vboctor).
- 0016768: [mantistouch] Default mantistouch_url correctly when MantisTouch is installed in 'm' subfolder (vboctor).
- 0016769: [mantistouch] MantisTouch redirect can break soap api based on user agent sent (vboctor).
- 0016770: [mantistouch] Redirect from MantisBT issue to MantisTouch should go to the same issue page on MantisTouch (vboctor).
- 0011785: [code cleanup] Comment for access_compare_level in access_api.php is bogus (atrol).
- 0015648: [email] add event signalling to email_build_subject() function (dregad).
- 0015647: [email] email subject is built manually in function email_bug_info_to_one_user() (atrol).
- 0016706: [plug-ins] Plugin pages can be accessed directly when schema upgrade is needed (dregad).
- 0016812: [bugtracker] Moving issue to child->child changes category to default (dregad).
- 0016848: [bugtracker] Remove main page from main menu when news feature is OFF (vboctor).
- 0006343: [bugtracker] Change status using actiongroup does not send email notification (dregad).
- 0013659: [email] e-mail notification about priority change is not sent when using bug_actiongroup_page.php (dregad).