Mantis 1.2.18
7 December 2014
Mantis version 1.2.18 is now available (security release).
Upgrading to Mantis 1.2.18
Mantis 1.2.18 can be installed, or upgraded to, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Mantis updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install and test the 1.2.18 upgrade before applying it to the live site. Get started managing your Mantis installations with Installatron.
What's New in Mantis 1.2.18
This is a security update for the stable 1.2.x branch that resolves 23 security-related bugs and vulnerabilities, including 7 Cross-Site Scripting (XSS) issues, 2 code injection issues, 2 SQL injection issues, 5 information disclosure issues, and 7 other security issues. All installations currently running any 1.2.x version are strongly advised to upgrade to this release.
- 0009885: [security] Emails on relations are sent to people who cannot see the related issue (vboctor).
- 0017878: [security] Prevent unauthorized users setting handler when reporting issue (dregad).
- 0017362: [security] Multiple vulnerabilities in MantisBT (dregad).
- 0017877: [security] CVE-2014-9279: Db Credentials leak via unattended upgrade script (dregad).
- 0017876: [security] CVE-2014-9281: Reflected XSS in admin panel / copy_field.php (dregad).
- 0017874: [security] CVE-2014-9271: Persistent XSS in file uploads/attachments (dregad).
- 0017875: [security] CVE-2014-9280: PHP Object Injection in filter API (dregad).
- 0017297: [security] CVE-2014-9272: XSS in string_insert_hrefs allows script execution (dregad).
- 0017648: [security] CVE-2014-6316: URL redirection issue (dregad).
- 0017073: [other] Incorrect $specific_where (dregad).
- 0017289: [documentation] Code allows display of Resolution and Status in bug report page, but doc says it's not allowed (dregad).
- 0017292: [code cleanup] Use of deprecated PREG_REPLACE_EVAL ('e') pattern modifier (dregad).
- 0017322: [attachments] Warning in bug report when attachments are disabled (dregad).
- 0017324: [attachments] Debug output displayed when adding files (dregad).
- 0017405: [bugtracker] proj_doc_update.php on document update crashes if new file is not uploaded (dregad).
- 0017407: [bugtracker] Missing error param when updating project doc (dregad).
- 0017457: [filters] Column summary of the free text search is not prefixed by table (filter_api) (dregad).
- 0009460: [bugtracker] Default profile doesn't work (dregad).
- 0010966: [security] No Errors shown at all if error_reporting=0 configured at server (dregad).
- 0015420: [bugtracker] Invalid category check is not made (vboctor).
- 0016957: [news] News section shouldn't show in permissions report when feature is disabled (vboctor).
- 0016993: [api soap] Handler can be set without having appropriate access rights (vboctor).
- 0017011: [db mssql] Graph « Cumulative by date » is not displayed in Summary > Advanced Summary (dregad).
- 0017075: [migration] Import plugins should be able to set last_updated field to a date in the past (vboctor).
- 0017076: [bugtracker] Issue history shows date submitted and last updated as integers rather than dates (vboctor).
- 0017847: [bugtracker] New BugData object due_date should be blank (dregad).
- 0017848: [plug-ins] XML import plugin only replaces links in 'description' (dregad).
- 0017640: [security] CVE-2014-6387: Null byte poisoning in LDAP authentication (dregad).
- 0017725: [security] CVE-2014-7146: PHP Code Injection Vulnerability in XmlImportExport plugin (dregad).
- 0017744: [security] Attachments displayed in history despite user not authorised to view them (dregad).
- 0017763: [api soap] mc_issue_update() email notification doesn't include added notes (vboctor).
- 0017780: [security] CVE-2014-8598: XML plugin should restrict ability to import data (dregad).
- 0017812: [api soap] CVE-2014-8554: SQL injection in SOAP API (dregad).
- 0017890: [security] CVE-2014-9269: XSS in extended project browser (dregad).
- 0017870: [security] CVE-2014-8987: XSS in adm_config_report.php (dregad).
- 0017889: [security] CVE-2014-8986: adm_config_report.php filtering does not check config option is valid (dregad).
- 0017583: [security] CVE-2014-9270: Stored XSS in Mantis (dregad).
- 0017841: [security] CVE-2014-9089: SQL injection in view_all_set.php (vboctor).
- 0017811: [security] CVE-2014-9117: CAPTCHA bypass (vboctor).
- 0017827: [email] Disposable library triggers PHP STRICT warnings (dregad).
- 0017924: [news] Not possible to set 'announcement' flag when editing News (dregad).