MantisBT 2.26.1 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.26.1

Security and maintenance release addressing a host header injection vulnerability (CVE-2024-23830).

It also resolves several regression issues introduced in 2.26.0 release, and includes fixes for PHP 8.x compatibility as well as other issues.

All installations are strongly advised to upgrade as soon as possible.

  •  0033171[db schema] Update ADOdb to 5.22.7 (dregad)
  •  0033481[ui] Missing space between “*” and label for required fields on bug report page (dregad)
  •  0033426[authentication] User not authenticated when following link from notification email (dregad)
  •  0033422[api rest] Updating an issue with bugnote having empty text causes PHP errors (dregad)
  •  0033418[documentation] Document PHP ctype extension as required (dregad)
  •  0033402[api rest] Updating an Issue through the API sets all comments last edit timestamp (community)
  •  0033374[other] Erratic behavior of RestProjectVersionTest::testProjectUpdateVersion PHPUnit test case (dregad)
  •  0033372[db mssql] SQL error opening Manage Users page with MSSQL (dregad)
  •  0033248[custom fields] APPLICATION ERROR 2800 Invalid form security token when trying to delete custom field (dregad)
  •  0033358[custom fields] Custom fields are showing when resolving issues form despite not checking the option (atrol)
  •  0033375[tools] Enable PHP 8.3 on Travis CI builds (dregad)
  •  0033404[authorization] Unable to grant user access to private issue by adding them as a monitoring user (atrol)
  •  0033480[bugtracker] Blank page when redirecting with print_successful_redirect() (dregad)
  •  0019381[security] CVE-2024-23830: Host header attack vulnerability (dregad)
  •  0033519[installation] MySQL Native Driver (mysqlnd) is required (dregad)
  •  0033588[administration] Creating an Configuration Option with complex array fails when number is negative (dregad)
  •  0033631[code cleanup] Uncaught exception in installer (dregad)
  •  0033634[rss] Error in creating RSS when there are no issues to publish (dregad)
  •  0033651[ui] Overflowing text issue on sidebar menu (dregad)
  •  0033756[installation] Errors on browser console when installing (dregad)
  •  0033773[installation] Install: reset buttons for table prefix/suffix not working at stage 2 (dregad)

MantisBT 2.26.0 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

MantisBT 2.26.0

This long-overdue feature and maintenance release contains nearly 150 fixes and enhancements !

Among many other things, it finally brings support for PHP 8.2, and generally improves PHP 8 compatibility. The earliest supported PHP version is now 7.2.5.

There are also numerous improvements to the REST API.

New configuration options were added to control access to Export and Print Report features (see 0022224). The default value for the latter was set to UPDATER for security reasons (see 0025492); to restore earlier behavior, administrators should set $g_print_reports_threshold = VIEWER;.

It would be somewhat pointless to copy the whole list of fixed issues here; please refer to the Change Log for complete details.

MantisBT 2.25.8 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

All installations are strongly advised to upgrade as soon as possible.

MantisBT 2.25.8

Security and maintenance release addressing an information disclosure issue (CVE-2023-44394) and a security issue in bundled GuzzleHttp library (CVE-2023-29197). This release also resolves several PHP 8.x compatibility and REST API issues.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

  •  0028618[bugtracker] Category empty but required does not prevent form submission on Firefox Windows and Safari (dregad)
  •  0029438[api rest] Unsupported operand types when an incident with time tracking notes is updated via REST API (dregad)
  •  0032390[plug-ins] Impossible to install a plugin without any dependencies (dregad)
  •  0032432[security] Update guzzlehttp/psr7 to 1.9.1 (dregad)
  •  0032612[bugtracker] DEPRECATED: ‘Creation of dynamic property BugData::$bug_text_id (dregad)
  •  0032451[bugtracker] Email uniqueness is not enforced on case-sensitive databases (dregad)
  •  0032459[bugtracker] Graphics x Apple Safari 16 (atrol)
  •  0032703[bugtracker] Local documentation is not accessible (403) (dregad)
  •  0032788[ui] Incorrect styling of table headers (dregad)
  •  0032809[bugtracker] PHP 8.1 deprecation notice in user_search_cache() (dregad)
  •  0032860[api rest] REST API allows resolving an issue with unresolved children (dregad)
  •  0032865[html] Wrong HTML tags on “Manage Filters” page (atrol)
  •  0032889[plug-ins] EVENT_MENU_DOCS is never triggered (dregad)
  •  0026365[api rest] Missing Authorization header in REST API causing requests to fail (dregad)
  •  0032981[security] CVE-2023-44394: Information Leakage on DokuWiki Integration (dregad)

MantisBT 2.25.7 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.7

Hotfix release, correcting a regression on PHP 8.1 introduced in 2.25.6, and addressing a few other issues.

All installations are strongly advised to upgrade as soon as possible.

  •  0030127[email] new PHPMailer() is created for every outgoing email (dregad)
  •  0032076[bugtracker] Ampersand in $g_search_title prevents adding search engine (dregad)
  •  0032086[bugtracker] IssueViewPageCommand.php line 135: ‘Undefined array key “version” with php 8.1.16 (dregad)
  •  0032243[plug-ins] EVENT_LOG can produce stack overflow when LOG_DATABASE is enabled (dregad)
  •  0032131[performance] access_project_array_filter can lead to many SQL requests (dregad)
  •  0032353[bugtracker] Getting Undefined index: target_version when viewing bug (atrol)

MantisBT 2.25.6 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.6

Security and maintenance release addressing an information disclosure issue (CVE-2023-22476), with thanks to d3vpoo1 for identifying and responsibly reporting it, as well as a vulnerability in bundled moment.js library (CVE-2022-31129). This release also resolves over 20 issues including several PHP 8.x compatibility fixes.

All installations are strongly advised to upgrade as soon as possible.

  •  0031086[security] CVE-2023-22476: Private issue summary disclosure (dregad)
  •  0024720[ldap] Editing user with use_ldap_email = ON empties email address (dregad)
  •  0031827[reports] Graphviz logs syntax error in line xx near ‘;’ (atrol)
  •  0031712[code cleanup] PHP 8.1 deprecated warnings (dregad)
  •  0031159[tagging] Undefined constants TAG_NOT_ATTACHED + TAG_ALREADY_ATTACHED in tag_api.php (dregad)
  •  0030922[bugtracker] Browser extensions may trigger automatic bug monitoring (community)
  •  0030918[markdown] URLs should only be converted to links when process_url is ON (dregad)
  •  0030835[ui] unreachable submit button (Update Information) on issue update when using tab key (dregad)
  •  0030841[api rest] Update Slim Framework to 3.12.4 (dregad)
  •  0030794[signup] Captcha image not showing on PHP 8.1 (dregad)
  •  0030777[upgrade] Scalar typehint is not supported in PHP 5.x (dregad)
  •  0030793[bugtracker] config_flush_cache() doesn’t clean the eval cache for individual options (dregad)
  •  0030772[security] Update moment.js to 2.29.4 (dregad)
  •  0030791[security] Allow adding relation type noopener/noreferrer to outgoing links (dregad)
  •  0030771[ldap] Poor error handling when $g_login_method = LDAP and PHP extension missing (dregad)
  •  0030814[signup] Captcha audio not working (dregad)
  •  0030429[other] Upcoming incompatibility with PHP 8.2, “Deprecate ${} string interpolation” RFC (dregad)
  •  0031876[plug-ins] XML import: Undefined property warning when importing bug notes (dregad)
  •  0030790[ldap] Deprecated conversion of false to array in ldap_api.php with PHP 8.1 (dregad)
  •  0032037[bugtracker] Remove “sponsorship_total” from columns default (dregad)
  •  0031943[installation] Creation of dynamic properies is deprecated in PHP 8.2 (dregad)
  •  0022238[documentation] Missing columns on $g_view_issues_page_columns documentation (dregad)
  •  0031829[ui] Status color boxes shown in black on bug_relationship_graph.php (dregad)
  •  0031836[bugtracker] Date conversion fails when editing a project version using a non-US date format (dregad)
  •  0031889[bugtracker] Product Version / Target Version – Date missing (dregad)