MantisBT 2.25.5 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.5

Security and maintenance release fixing vulnerabilities with SVG files attachments (CVE-2022-33910), which are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.

  • 0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad)
  • 0030541: [documentation] Impossibility of deleting attachment with form security validation turned on (dregad)
  • 0030193: [bugtracker] PHP 5.6 support broken (dregad)
  • 0030204: [filters] Create Permalink – special characters handling (dregad)
  • 0030533: [security] Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote (community)
  • 0030384: [security] CVE-2022-33910: Stored XSS via SVG file upload (dregad)
  • 0030416: [security] Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8 (dregad)

MantisBT 2.25.4 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.4

Maintenance release fixing a couple of regressions introduced in 2.25.3, loading a JavaScript library from CDN and initializing the path on PHP 5.6.

  • 0024393: [db mssql] APPLICATION ERROR 401 Database query failed. Error received from database was #-52: SQLState: IMSSP (dregad)
  • 0029751: [authorization] APPLICATION ERROR #13 (access denied) while creating new user when theshold configured at MANAGER in administration interface (atrol)
  • 0029857: [bugtracker] Errors trying to load moment.js library from CDN (dregad)
  • 0029853: [bugtracker] $g_path incorrectly set in config_defaults_inc.php on PHP 5.6 (dregad)
  • 0029991: [installation] Javascript error in browser console when upgrading (dregad)
  • 0030077: [installation] Installer’s Oracle-specific warning regarding identifiers’ length is shown initially for MySQL (dregad)
  • 0030178: [authorization] Update issue icon on “My View” page is displayed even without having appropriate access rights (atrol)
  • 0030182: [authorization] Update issue icon on “View Issues” page is displayed even without having appropriate access rights (atrol)

MantisBT 2.25.3 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.3

This security and maintenance release fixes vulnerabilities in CSV Export (CVE-2021-43257) and Plugins management pages (CVE-2022-26144), as well as in bundled libraries guzzlehttp/psr7 (CVE-2022-24775) and moment.js (CVE-2022-24785). It also addresses several PHP 8.1 compatibility issues.

There are 2 known issues with this release, which have been fixed in 2.25.4: accessing scripts in sub-directories with PHP 5.6 and a technical problem with CDNJS that prevents loading of the moment.js library when using CDN (as a workaround, set $g_cdn_enabled = OFF; in config_inc.php).

Continue reading “MantisBT 2.25.3 Released”

MantisBT 2.25.2 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.2

This security and maintenance release fixes vulnerabilities in Custom Fields management page (CVE-2021-33557) and in the PHPMailer library, as well as a PHP 8 compatibility issue.

  • 0028803: [custom fields] PHP 8: “Bad Request” error on custom field filters (dregad)
  • 0028821: [security] Update PHPMailer to 6.5.0 (dregad)
  • 0028552: [security] CVE-2021-33557: XSS in manage_custom_field_edit_page.php (dregad)

MantisBT 2.25.1 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.1

This security and maintenance release fixes a couple of vulnerabilities in PHPMailer and Chart.js libraries, as well as a few other minor issues. All installations are strongly advised to upgrade as soon as possible.

  • 0028084: [ui] Labels for email notifications in User Prefs page appear in bold (dregad)
  • 0028082: [ui] Project Edit Page does not display check boxes (dregad)
  • 0028076: [plug-ins] Bundled plugins 2.25.0: incorrect Mantis requirement (dregad)
  • 0028080: [ui] Unsightly vertical offset of the “Update Prefs” and “Reset Prefs” buttons. (dregad)
  • 0028106: [administration] Error removing project (dregad)
  • 0028112: [ui] Incorrect spacing between icon and text on manage_user_edit_page.php (dregad)
  • 0028529: [plug-ins] CVE-2020-7746: Vulnerability in the Chart.js library used by Graph Plugin (dregad)
  • 0028530: [security] Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) (dregad)