Mantis 2.25.4
10 May 2022
Mantis version 2.25.4 is now available (security release).
Upgrading to Mantis 2.25.4
You can upgrade to (or install) Mantis 2.25.4 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Mantis updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install and test the 2.25.4 upgrade before applying it live.
What's New in Mantis 2.25.4
2.25.4
Maintenance release fixing a couple of regressions introduced in 2.25.3: loading a JavaScript library from CDN and initializing the path on PHP 5.6.
Bug Fixes and Changes
- [authorization] APPLICATION ERROR #13 [access denied] while creating new user when threshold configured as MANAGER in administration interface
- [db mssql] APPLICATION ERROR 401 Database query failed. Error received from database was #-52: SQLState: IMSSP
- [bugtracker] Errors trying to load moment.js library from CDN
- [bugtracker] $g_path incorrectly set in config_defaults_inc.php on PHP 5.6
- [installation] JavaScript error in browser console when upgrading
- [installation] Installer's Oracle-specific warning regarding identifiers' length is shown initially for MySQL
- [authorization] Update issue icon on "My View" page is displayed even without having appropriate access rights
- [authorization] Update issue icon on "View Issues" page is displayed even without having appropriate access rights
2.25.3
Security and maintenance release, fixing vulnerabilities in CSV Export (CVE-2021-43257) and Plugins management pages (CVE-2022-26144), as well as in bundled libraries guzzlehttp/psr7 (CVE-2022-24775) and moment.js (CVE-2022-24785). It also addresses several PHP 8.1 compatibility issues.
Security
- CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php
- CVE-2021-43257: CSV Injection with CSV Export Feature
- Update moment.js to 2.29.2
- Update ADOdb to 5.20.21
- Update guzzlehttp/psr7 to 1.8.5
Bug Fixes and Changes
- [api soap] SOAP call mc_project_get_id_from_name fails when there is no matching project in PHP 7.2
- [bugtracker] Passing null to parameter of type XXX is deprecated
- [api rest] Slim Application Error when RestFault generated
- [bugtracker] Constant FILTER_SANITIZE_STRING is deprecated
- [attachments] Adding an attachment with a long filename causes "Data too long for column 'filename'" application error
- [bugtracker] 'format_issue_summary' custom function not called from View Issue Details page
- [ui] Missing closing div tag causes incorrect page footer display
- [installation] Unable to install
- [custom fields] APPLICATION ERROR 1300 Custom field not found with case-sensitive database