MantisBT 2.4.1, 2.3.3, and 1.3.11 released

We have just pushed out 3 maintenance and security releases.  All users are encouraged to upgrade to MantisBT 2.4.1.  Go ahead and download the release.

The 3 releases below are still db schema compatible.

MantisBT 2.4.1

  • 0022428: [markdown] CSV and Excel exports with markdown on (vboctor)
  • 0022906: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
  • 0022909: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)
  • 0022867: [markdown] Markdown formatting is broken for notes column on View Issues page (vboctor)

MantisBT 2.3.3

  • 0022907: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
  • 0022908: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)

MantisBT 1.3.11

  • 0020168: [db schema] Use of ‘mantis’ as plugin table prefix prevents plugin’s installation (dregad)
  • 0022702: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)
  • 0022816: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
Posted in MantisBT | Tagged | Leave a comment

MantisBT 2.4.0 and 2.3.2 released

MantisBT 2.4.0

This is a feature release that includes all fixes from MantisBT 2.3.2 plus the features and fixes listed below.  The big new feature in this release is the new Authentication Plugin model that enables plugins to provide custom authentication models (see Sample Auth Plugin) where different users can have different authentication mechanism.  For example, SAML for team members and MantisBT native for customers.

  • 04235: [authentication] Support Generic Authentication through Plug-ins (vboctor)
  • 21558: [ui] log destination for page produces messed output (syncguru)
  • 22665: [documentation] Wrong documentation of option bug_resolution_fixed_threshold (atrol)
  • 22689: [bugtracker] HTTP_X_FORWARDED_PROTO is not honored when loading Gravatar (vboctor)
  • 22744: [signup] Signup is not working on mantisbt.org/bugs (vboctor)
  • 22740: [performance] Allowed memory size of 268435456 bytes exhausted (vboctor)
  • 22140: [administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
  • 22635: [time tracking] Empty notes with time tracking show as empty notes for users that can’t view time tracking (vboctor)
  • 22673: [attachments] Dropzone uploads files when submitting other forms (cproensa)
  • 22762: [api rest] Bug in error handling when user doesn’t have access level to handle issue (vboctor)

MantisBT 2.3.2

A maintenance and security fixes release.

  • 22742: [security] CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php) (dregad)
  • 22743: [timeline] Timeline “More Events” button also acts as “Next” button (dregad)
  • 22746: [authentication] Lost password redirects to login page if email address is empty and anonymous access is disabled (vboctor)

 

Posted in MantisBT | Tagged | Leave a comment

Critical Security Fix Releases: 2.3.1, 2.2.4, and 1.3.10

This is the release announcement for releases including the fixes for a critical security issue (#22690 for CVE-2017-7615), allowing a remote attacker to reset any user’s password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).

MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.

This issue has been fixed in release 1.3.10, 2.2.4, and 2.3.1 that we just published.

Due to the nature and criticality of the bug, we sent last night an advance notification to users that are registered on our bug tracker, providing the following patch that can mitigate the issue.  If for any reason you can’t upgrade, go ahead and use the one line change below to patch your MantisBT instance.

Locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):

if( $f_confirm_hash != $t_token_confirm_hash ) {

change it to

if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {

You are strongly advised to patch your systems immediately.

We would like to take this opportunity to thank John Page aka hyp3rlinx from ApparitionSec (http://hyp3rlinx.altervista.org) for discovering, responsibly reporting and working with us towards resolution of this vulnerability.

Thanks,
-MantisBT Team

Posted in MantisBT | Tagged | Leave a comment

MantisBT 2.3.0, 2.2.3, and 1.3.9 released

MantisBT 2.3.0

Feature release including security fixes and our brand new experimental REST API.  The REST API can be extended by plugins and power web UI ajax features.  In this release the REST API is disabled by default (expect for calls from within the web UI using cookie authentication) – see 22598 for more details.

  • 22445[ui] Manage users page does not show filters ‘0’-‘9’ as selected (atrol)
  • 22474[administration] “Obsolete configuration” warnings when running admin checks (atrol)
  • 22499[documentation] Document reuse of language strings (dregad)
  • 22501[ui] Enhance layout of “View Issue Details” page (atrol)
  • 22505[ui] Enhance layout of “Updating Issue Information” (atrol)
  • 22506[attachments] Error updating project document (atrol)
  • 22507[ui] On Edit Filter page, ‘Filter name’ input field is too narrow (dregad)
  • 08957[custom fields] Date Selector for Custom Fields (syncguru)
  • 22423[html] ID attribute for bugnote_text (community)
  • 22541[localization] Enhance wording in manage_config_email_page.php and manage_config_work_threshold_page.php pages (atrol)
  • 22548[ui] Remove unnecessary ‘center’ class from textarea in bugnote edit page (community)
  • 22571[html] Add ID attribute for bugnote_text textarea (community)
  • 22572[documentation] Wrong default value in documentation of “g_show_version” (atrol)
  • 21552[ui] My account preferences: move project list outside the form (cproensa)
  • 22140[administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
  • 22543[ui] Open images in the browser rather than download them (vboctor)
  • 22582[relationships] Relationships box layout is not right for reporters (vboctor)
  • 22583[attachments] Open PDFs in the browser rather than downloading them (vboctor)
  • 04454[filters] 31 February ??? (syncguru)
  • 15276[custom fields] Custom field “Date” 31 days every month. (syncguru)
  • 21873[filters] Use datetime picker for date ranges in filter (syncguru)
  • 21874[time tracking] Use datetime picker for date ranges in time tracking (syncguru)
  • 22469[time tracking] Enabling Time Tracking distorts View Issue Details page layout. (syncguru)
  • 22473[plug-ins] Avatars should respect image aspect ratio (community)
  • 22585[timeline] Show timeline for specific user (cproensa)
  • 22590[ui] Broken javascript and missing footer in My View Page (cproensa)
  • 22593[plug-ins] Broken Snippet plugin (vboctor)
  • 22598[api rest] REST API Framework (vboctor)
  • 22599[code cleanup] Use composer to pull in dependencies (vboctor)
  • 22600[api rest] Enable plugins to publish their own REST APIs (vboctor)
  • 22601[api rest] Support using REST API from Web UI Javascript (vboctor)
  • 22602[api rest] Provide a sandbox for interacting with REST API using Swagger UI (vboctor)
  • 22617[code cleanup] Unneeded CSS file calendar-blue.css (atrol)
  • 22291[time tracking] Issue history box is narrower than other boxes above it on View Issue page (syncguru)

MantisBT 2.2.3

Security fixes and maintenance release

  • 22392[filters] Sorting all bugs list using a column header after applying a filter resets the filter (cproensa)
  • 22496[filters] Permalink does not work with “Note By” (cproensa)
  • 22566[filters] Filter error due to “view status” having an array value (cproensa)
  • 22555[filters] Regression in custom field sorting (cproensa)
  • 22613[security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 22615[security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 22333[markdown] Markdown starts heading in the middle of a line (joel)
  • 22545[markdown] Markdown still converting ‘& amp;’ to & and ‘& lt;’ to < (dregad)

MantisBT 1.3.9

Security fixes and maintenance release

  • 22568[security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 22579[security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 22063[db mssql] Installation on MSSQL fails at step 209 (dregad)
  • 22208[db mssql] File upload to MS-SQL not working (dregad)
Posted in MantisBT | Tagged | 1 Comment

MantisBT Security releases 1.3.8, 2.1.2 and 2.2.2

Maintenance releases including security fixes for Cross-Site Scripting (XSS) issues have just been released. We advise all installations to upgrade; releases can be downloaded from our website.

Patched vulnerabilities:

  • 22537: CVE-2017-6973 – XSS in adm_config_report.php (affects 1.3.0-rc.2 and later)

Additionally, version 2.1.1 also includes fixes previously released in 1.3.7 and 2.2.1:

  • 22486: CVE-2017-6797 – XSS in bug_change_status_page.php
  • 22497: CVE-2017-6799 – XSS in view_filters_page.php
Posted in MantisBT | Tagged , , | Leave a comment