MantisBT 2.5.1, 2.5.0 and 2.4.2 released

MantisBT 2.5.1

Maintenance release that fixes installation failure.

  • 0022985: [installation] Initial installation does not continue after clicking install (dregad)

MantisBT 2.5.0

Feature release with main focus on REST API improvements; some of the fixes also apply to the SOAP API.

  • 0022850: [ui] Installation page layout and style issues (dregad)
  • 0022765: [api rest] Implement a test framework for REST API (vboctor)
  • 0022766: [api rest] Enum name should reflect non-localized enum name and label for localized name (vboctor)
  • 0022767: [api rest] Include status color in status enum value for issues (vboctor)
  • 0022768: [api rest] Support retrieving issues based on filter or a project (vboctor)
  • 0022769: [api rest] Note type should be note instead of timelog if time tracking is not accessible to user (vboctor)
  • 0022770: [api rest] Change version from string to an object (vboctor)
  • 0022771: [api rest] Due date access check should be based on project access level rather than global one (vboctor)
  • 0022772: [api rest] Don’t return eta info if feature is disabled (vboctor)
  • 0022773: [api rest] Don’t return projection info if feature is disabled (vboctor)
  • 0022774: [api rest] Some access denied errors don’t show user info correctly (vboctor)
  • 0022775: [api rest] Rename date_submitted to created_at and last_updated to updated_at (vboctor)
  • 0022776: [api rest] Sticky flag should be a boolean rather than a string (vboctor)
  • 0022777: [api rest] Don’t return sponsorship_total (vboctor)
  • 0022778: [api rest] Don’t allow setting version to an undefined version (vboctor)
  • 0022779: [api rest] Don’t return profile information if feature disabled (vboctor)
  • 0022780: [api rest] Don’t return platform, os, and os_build if disabled (vboctor)
  • 0022782: [api rest] Don’t return target_version if user doesn’t have access to view roadmap (vboctor)
  • 0022783: [api rest] Return 400 instead of server side error if summary, description or project fields are missing (vboctor)
  • 0022788: [api rest] Support retrieving projects accessible to users (vboctor)
  • 0022808: [api rest] Use GuzzleHttp for http requests (vboctor)
  • 0021871: [performance] Improve db_fetch_array performance (cproensa)
  • 0021994: [attachments] issue with attachments cannot be moved between projects with different upload directories (uploads saved in file system) (dregad)
  • 0022809: [api rest] Upgrade Slim Framework from 3.7.0 to latest (3.8.1) (vboctor)
  • 0022851: [installation] Installer should display sample table names based on table prefix/suffix settings (dregad)
  • 0022852: [localization] [de] Incorrect label in German “Change status” form (atrol)
  • 0022865: [code cleanup] Login page displays a PHP system notice when using BASIC_AUTH (dregad)
  • 0022864: [code cleanup] phpdoc for ‘print_link_button’ has incorrect order of parameters (cproensa)
  • 0022868: [other] PHP variable misspelt in html_api.php (dregad)
  • 0022904: [db mssql] database_api: db_insert_id returns string not int (mssql) (dregad)
  • 0022905: [code cleanup] The URL of the return button in breadcrumbs div has a trailing ‘?’ (dregad)
  • 0022925: [time tracking] Time Tracking – issue (atrol)
  • 0022928: [administration] $g_anonymous_account is case sensitive, preventing normal users from logging in (vboctor)
  • 0022933: [timeline] Confusing entry in timeline when removing other users from monitoring list (atrol)

MantisBT 2.4.2

Maintenance release for 2.4.x

  • 0022923: [authentication] Logout page on authentication plugins never gets called (community)
  • 0022926: [custom fields] Custom Fields – Date: Field does not show date (view.php), shows other text (vboctor)
  • 0022937: [custom fields] Custom fields of type Email are not properly displayed (vboctor)
  • 0022950: [custom fields] Custom Fields of Type Text showing Link (Url) as Text only (vboctor)

Go ahead and download the release from our website.


MantisBT 2.4.1, 2.3.3, and 1.3.11 released

We have just pushed out 3 maintenance and security releases.  All users are encouraged to upgrade to MantisBT 2.4.1.  Go ahead and download the release.

The 3 releases below are still db schema compatible.

MantisBT 2.4.1

  • 0022428: [markdown] CSV and Excel exports with markdown on (vboctor)
  • 0022906: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
  • 0022909: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)
  • 0022867: [markdown] Markdown formatting is broken for notes column on View Issues page (vboctor)

MantisBT 2.3.3

  • 0022907: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
  • 0022908: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)

MantisBT 1.3.11

  • 0020168: [db schema] Use of ‘mantis’ as plugin table prefix prevents plugin’s installation (dregad)
  • 0022702: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)
  • 0022816: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)

MantisBT 2.4.0 and 2.3.2 released

MantisBT 2.4.0

This is a feature release that includes all fixes from MantisBT 2.3.2 plus the features and fixes listed below.  The big new feature in this release is the new Authentication Plugin model that enables plugins to provide custom authentication models (see Sample Auth Plugin) where different users can have different authentication mechanisms.  For example, SAML for team members and MantisBT native for customers.

  • 04235: [authentication] Support Generic Authentication through Plug-ins (vboctor)
  • 21558: [ui] log destination for page produces messed output (syncguru)
  • 22665: [documentation] Wrong documentation of option bug_resolution_fixed_threshold (atrol)
  • 22689: [bugtracker] HTTP_X_FORWARDED_PROTO is not honored when loading Gravatar (vboctor)
  • 22744: [signup] Signup is not working on (vboctor)
  • 22740: [performance] Allowed memory size of 268435456 bytes exhausted (vboctor)
  • 22140: [administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
  • 22635: [time tracking] Empty notes with time tracking show as empty notes for users that can’t view time tracking (vboctor)
  • 22673: [attachments] Dropzone uploads files when submitting other forms (cproensa)
  • 22762: [api rest] Bug in error handling when user doesn’t have access level to handle issue (vboctor)

MantisBT 2.3.2

A maintenance and security fix release.

  • 22742: [security] CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php) (dregad)
  • 22743: [timeline] Timeline “More Events” button also acts as “Next” button (dregad)
  • 22746: [authentication] Lost password redirects to login page if email address is empty and anonymous access is disabled (vboctor)


Critical Security Fix Releases: 2.3.1, 2.2.4, and 1.3.10

This is the release announcement for releases including the fixes for a critical security issue (#22690 for CVE-2017-7615), allowing a remote attacker to reset any user’s password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).

MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.

This issue has been fixed in release 1.3.10, 2.2.4, and 2.3.1 that we just published.

Due to the nature and criticality of the bug, we sent last night an advance notification to users that are registered on our bug tracker, providing the following patch that can mitigate the issue.  If for any reason you can’t upgrade, go ahead and use the one line change below to patch your MantisBT instance.

Locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):

if( $f_confirm_hash != $t_token_confirm_hash ) {

change it to

if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {

You are strongly advised to patch your systems immediately.
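The one-line patch above turns a loose, null-tolerant comparison into a strict one. The following added example (not MantisBT code; the function names and sample hash values are assumptions) places the original and patched checks side by side and runs both over constructed inputs so the difference is visible:

```php
<?php
// Added example, not MantisBT's own code. $f_confirm_hash stands for the
// hash supplied with the request; $t_token_confirm_hash for the hash looked
// up for the user, which is null when the user has no pending token.

// Original check from verify.php: the request is rejected only when the two
// values differ under PHP loose comparison, and null == '' is true in PHP.
function original_check_rejects($f_confirm_hash, $t_token_confirm_hash) {
    return $f_confirm_hash != $t_token_confirm_hash;
}

// Patched check: reject when no token exists at all, and otherwise require
// an exact type-and-value match.
function patched_check_rejects($f_confirm_hash, $t_token_confirm_hash) {
    return $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash;
}

// Constructed sample values, not real tokens.
$t_stored = 'a1b2c3d4e5f6'; // user with a pending verification token

$cases = [
    ['good hash, token present',  'a1b2c3d4e5f6', $t_stored],
    ['wrong hash, token present', 'ffffffffffff', $t_stored],
    ['wrong hash, no token',      'ffffffffffff', null],
    ['empty hash, no token',      '',             null],
];

foreach ($cases as [$label, $f_hash, $t_hash]) {
    printf("%-27s original rejects: %-4s patched rejects: %s\n",
        $label,
        original_check_rejects($f_hash, $t_hash) ? 'yes' : 'no',
        patched_check_rejects($f_hash, $t_hash) ? 'yes' : 'no');
}
// Only the 'empty hash, no token' row differs: '' != null evaluates to false,
// so the original check lets that request through, while the patched check
// rejects it because $t_token_confirm_hash == null.
```

The same pattern (a loose `!=`/`==` against a value that may be null) is worth checking in any other token or hash comparison in custom code, since the strict `!==` plus an explicit null check is the general remedy.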

We would like to take this opportunity to thank John Page aka hyp3rlinx from ApparitionSec for discovering, responsibly reporting and working with us towards resolution of this vulnerability.

-MantisBT Team


MantisBT 2.3.0, 2.2.3, and 1.3.9 released

MantisBT 2.3.0

Feature release including security fixes and our brand new experimental REST API.  The REST API can be extended by plugins and can power web UI ajax features.  In this release the REST API is disabled by default (except for calls from within the web UI using cookie authentication) – see 22598 for more details.

  • 22445: [ui] Manage users page does not show filters ‘0’-‘9’ as selected (atrol)
  • 22474: [administration] “Obsolete configuration” warnings when running admin checks (atrol)
  • 22499: [documentation] Document reuse of language strings (dregad)
  • 22501: [ui] Enhance layout of “View Issue Details” page (atrol)
  • 22505: [ui] Enhance layout of “Updating Issue Information” (atrol)
  • 22506: [attachments] Error updating project document (atrol)
  • 22507: [ui] On Edit Filter page, ‘Filter name’ input field is too narrow (dregad)
  • 08957: [custom fields] Date Selector for Custom Fields (syncguru)
  • 22423: [html] ID attribute for bugnote_text (community)
  • 22541: [localization] Enhance wording in manage_config_email_page.php and manage_config_work_threshold_page.php pages (atrol)
  • 22548: [ui] Remove unnecessary ‘center’ class from textarea in bugnote edit page (community)
  • 22571: [html] Add ID attribute for bugnote_text textarea (community)
  • 22572: [documentation] Wrong default value in documentation of “g_show_version” (atrol)
  • 21552: [ui] My account preferences: move project list outside the form (cproensa)
  • 22140: [administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
  • 22543: [ui] Open images in the browser rather than download them (vboctor)
  • 22582: [relationships] Relationships box layout is not right for reporters (vboctor)
  • 22583: [attachments] Open PDFs in the browser rather than downloading them (vboctor)
  • 04454: [filters] 31 February ??? (syncguru)
  • 15276: [custom fields] Custom field “Date” 31 days every month. (syncguru)
  • 21873: [filters] Use datetime picker for date ranges in filter (syncguru)
  • 21874: [time tracking] Use datetime picker for date ranges in time tracking (syncguru)
  • 22469: [time tracking] Enabling Time Tracking distorts View Issue Details page layout. (syncguru)
  • 22473: [plug-ins] Avatars should respect image aspect ratio (community)
  • 22585: [timeline] Show timeline for specific user (cproensa)
  • 22590: [ui] Broken javascript and missing footer in My View Page (cproensa)
  • 22593: [plug-ins] Broken Snippet plugin (vboctor)
  • 22598: [api rest] REST API Framework (vboctor)
  • 22599: [code cleanup] Use composer to pull in dependencies (vboctor)
  • 22600: [api rest] Enable plugins to publish their own REST APIs (vboctor)
  • 22601: [api rest] Support using REST API from Web UI Javascript (vboctor)
  • 22602: [api rest] Provide a sandbox for interacting with REST API using Swagger UI (vboctor)
  • 22617: [code cleanup] Unneeded CSS file calendar-blue.css (atrol)
  • 22291: [time tracking] Issue history box is narrower than other boxes above it on View Issue page (syncguru)

MantisBT 2.2.3

Security fixes and maintenance release

  • 22392: [filters] Sorting all bugs list using a column header after applying a filter resets the filter (cproensa)
  • 22496: [filters] Permalink does not work with “Note By” (cproensa)
  • 22566: [filters] Filter error due to “view status” having an array value (cproensa)
  • 22555: [filters] Regression in custom field sorting (cproensa)
  • 22613: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 22615: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 22333: [markdown] Markdown starts heading in the middle of a line (joel)
  • 22545: [markdown] Markdown still converting ‘& amp;’ to & and ‘& lt;’ to < (dregad)

MantisBT 1.3.9

Security fixes and maintenance release

  • 22568: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 22579: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 22063: [db mssql] Installation on MSSQL fails at step 209 (dregad)
  • 22208: [db mssql] File upload to MS-SQL not working (dregad)