Mantis 1.2.19
27 January 2015
Mantis version 1.2.19 is now available.
Upgrading to Mantis 1.2.19
You can upgrade to (or install) Mantis 1.2.19 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Mantis updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install and test the 1.2.19 upgrade before applying it live. Get started managing your Mantis installations with Installatron.
What's New in Mantis 1.2.19
This is a security update for the stable 1.2.x branch that resolves 5 security-related bugs and vulnerabilities and 2 regression issues introduced in 1.2.18. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.
Security
- #17938/CVE-2014-9571: XSS in install.php
- #17939/CVE-2014-9572: Improper Access Control in install.php
- #17940/CVE-2014-9573: SQL Injection in manage_user_page.php
- #17984/CVE-2014-9624: CAPTCHA bypass
- #17997/CVE-2015-1042: URL redirection issue
Regression
- #17993 prevents new users from signing up on systems using CAPTCHA.
- #17967 causes a PHP error when reporting issues on systems with checkbox custom fields.
Full Changelog
- 0017940: [security] CVE-2014-9573: SQL Injection in manage_user_page.php (dregad)
- 0017984: [security] CVE-2014-9624: CAPTCHA bypass is way easier than it should be (dregad)
- 0017997: [security] CVE-2015-1042: URL redirection issue (dregad)
- 0017938: [security] CVE-2014-9571: XSS in install.php (dregad)
- 0017939: [security] CVE-2014-9572: Improper Access Control in install.php (dregad)
- 0017967: [bugtracker] Reporting an issue gives: 'Invalid argument supplied for foreach()' in '/opt/mantisbt-1.2.18/core/gpc_api.php' line 259 (dregad)
- 0017925: [email] Order of notes in email notifications seem to be based on user who triggered the action (dregad)
- 0017977: [bugtracker] Fix handling of due dates (dregad)
- 0018025: [administration] Installer UI tweaks (dregad)
- 0011742: [bugtracker] Sort bug notes by date, not by ID (dregad)
- 0017993: [authentication] User creation with captcha broken by fix for issue 0017811 (dregad)