Changelog for mantisbt-2.26.0-lp154.1.1.noarch.rpm:

* Fri Nov 10 2023 Johannes Weberhofer - Feature and maintenance release. Dropping support for PHP 7.1 and older; the earliest supported PHP version is now 7.2.5. New configuration options were added to control access to the Export and Print Report features (see #0022224). The default value for the latter was set to UPDATER for security reasons (see #0025492); to restore the earlier behavior, administrators should set $g_print_reports_threshold = VIEWER;.
  * administration
    - Add admin check to detect users without e-mail address when allow_empty_email = OFF #0032940
    - "Copy Categories From" copies global categories #0030812
    - Detect invalid HTML in language strings #0030447
    - Disallow setting logging options in database #0032926
    - Do not buffer output for CLI scripts #0028963
    - Facilitate identification of user accounts sharing the same email #0032787
    - Filter settings are not available on "Workflow Thresholds" page #0029269
    - Improve handling of project assignment in manage_user_edit_page.php #0028122
    - Inconsistent use of hyperlink instead of button to edit Custom Fields in Edit Project page #0028557
    - Incorrect filtering of users on Manage Project / Accounts #0028606
    - Language checks should warn about languages not defined in config #0029026
    - Not able to update existing user accounts if $g_email_ensure_unique == ON #0020647
    - Outdated PostgreSQL version information in Admin Checks #0028528
    - PHP errors triggered by Admin Checks cause silent failure #0033010
    - Project Edit Page improvements #0030551
    - Undefined constant ERROR_VERSION_NO_ACTION and missing matching error message #0028562
    - Using MySQL 8.0 gives warning in admin checks #0028525
    - Utility to copy attachments from File to Database #0004993
  * api rest
    - Add REST API for setting config options that are settable via database #0032258
    - Allow REST API to run on PHP 8.1 without squelching E_DEPRECATED notices #0032866
    - Can not get userid from another user with REST API #0027128
    - change username via rest api #0027130
    - Deleting a user should revoke #0032246
    - Get Project Issues returns html if user doesn't have access to project #0032249
    - Get Project REST API returns html if user doesn't have access #0032248
    - Missing PHPUnit tests for Projects REST API endpoints #0032864
    - REST and SOAP APIs fail to report that Mantis is offline #0033023
    - REST API: Add API to Get / Delete / Update versions #0030415
    - REST API Create Project API requires administrator rather than create_project_threshold #0032237
    - REST API Create Project doesn't trigger EVENT_MANAGE_PROJECT_CREATE plugin event #0032236
    - REST API: Create Project User #0032466
    - REST API: Delete Project User #0032467
    - REST API errors when attempting to add or delete issue relationships #0032835
    - REST API for creating API tokens for users #0032245
    - REST API for deleting API token #0032247
    - REST API: Project Add API to return information about added version #0032445
    - REST API: Support Get User By ID #0032356
    - REST API: Support impersonation of users #0032469
    - REST API: Support select for fields to return when getting user info #0032357
    - REST API unit test incorrectly failing with anonymous user #0032804
    - REST API: Update Project User #0032468
    - REST API: User Update API #0032465
    - Status codes returned by REST API delete operations are not consistent #0032858
    - Support retrieving users with specified access level to a project #0022791
    - Support selecting which fields to retrieve for an issue #0032331
    - To move a user to disabled #0024757
    - Update Guzzle to 7.8.0 #0032807
    - Update postman collection #0030908
    - Update Slim Framework to 3.12.5 #0033018
  * api soap
    - phpunit FilterTest fail if there are more than 50 issues in the tracker #0017121
    - PHPUnit SOAP API tests trigger syntax error when extension is not loaded #0032814
    - SOAP API Create Project API requires administrator rather than create_project_threshold #0032234
    - SOAP API Create Project doesn't trigger EVENT_MANAGE_PROJECT_CREATE plugin event #0032235
    - SOAP API mc_project_get_users doesn't enforce access check #0030907
  * attachments
    - Show issue attachments along with issue header information #0028965
  * authentication
    - Login redirection to plugin credentials page for non-existent user #0029517
  * bugtracker
    - Access Restrictions to "Print Reports", "CSV Export", "Excel Export" in view all bugs page #0022224
    - collapse_settings cookie is hardcoded #0029616
    - Cookies "SameSite" attribute triggers warnings in Firefox console #0029611
    - Incorrect use of mb_strimwidth() to truncate old/new values in history API #0032385
    - Issues should have canonical meta tag #0031833
    - "Operation successful." message page slows down interaction #0005189
    - PHP 8.2 support #0032027
    - print_form_button() generates bad security token name for plugin action page #0028533
  * change log
    - Changelog/Roadmap items are printed without any structure #0030192
  * code cleanup
    - Avatar::get() returns Avatar instance, but phpdoc indicates it returns array #0032978
    - Calling user_get_field() with non-existing user throws incorrect warning #0028119
    - Create ProjectAddCommand #0032231
    - Create ProjectDeleteCommand #0032232
    - Create ProjectUpdateCommand #0032238
    - Duplicated code in email API #0032382
    - Implement UserUpdateCommand #0032464
    - Invalid HTML in manage_user_edit_page.php #0028114
    - Remove deprecated function db_prepare_string() #0032704
    - Remove function check_php_version() #0032714
    - Remove PHP < 5.4 compatibility code from user_get_all_accessible_projects() #0028830
    - Remove unnecessary check on Version Id #0032831
    - Remove version_cache_row()'s 2nd parameter #0032832
    - Removing unused CUSTOM_FIELD_TYPE_xxx constants #0030278
    - Unneeded PHP version checks #0032901
    - Use range() function instead of string increment #0032735
  * db mssql
    - APPLICATION ERROR 0000401 / Error MSSQL 4145 when view all bugs for 1000 projects or more #0028902
    - Impossible to insert child records with ADOdb 5.21.0 on mssql #0028068
  * db mysql
    - Problem in the download process #0033031
  * db postgresql
    - PHP notices leading to unusable system with ADOdb 5.21.0 on pgsql #0028069
  * db schema
    - Update ADOdb to 5.22.5 #0032028
  * documentation
    - Admin Guide lists incorrect/incomplete/obsolete required PHP extensions #0027793
    - Developers Guide PHPUnit section is out of date #0032806
    - Development Guide - Chapter 4. Plugin System - Errors in text #0021657
    - Documentation: Hooking events declared by other plugins #0032504
    - Duplicated REST API endpoint GET /issues in Postman documentation #0033003
    - Mantis version visible in REST API request headers even when $g_show_version is OFF #0033017
    - Using Docker to build Documentation #0031993
  * email
    - Missing In-Reply-To header in new bugnote email notification #0032038
    - monitor receives no mails if he is not project member #0029454
    - Support for sending emails with CC and/or BCC #0029583
    - Unable to set the In-Reply-To header to a domain different from the current one #0029585
    - Update PHPMailer to 6.8.0 #0029025
  * filters
    - Filtering on "projection" field is missing #0032726
    - Saving a filter triggers deprecated warning on PHP 8.2 #0032734
  * html
    - Closing tag missing in sign up page #0024621
    - Invalid 'literal' tag used in MantisCoreFormatting language strings #0030283
  * installation
    - admin/check.php script says upload_max_size but actually checks upload_max_filesize #0030428
    - Drop support for PHP 5.x #0025956
    - Increase minimum PHP requirement to 7.2.5 #0027840
    - MSSQL blocking error during installation. #0029511
  * javascript
    - list.js library causing CSP violation in manage_proj_edit_page.php #0030490
    - list.js navigation buttons scrolling to top of page #0030494
  * ldap
    - Can't set a custom field for ldap email #0029230
  * localization
    - Incorrectly configured saraiki language #0028861
    - Incorrectly configured serbo-croatian #0028860
    - Missing language codes in browser's auto map #0028668
    - New Hindi Language Translation #0028648
    - String optimizations for English language #0028905
    - Translation in Espéranto #0008664
  * markdown
    - Markdown markup should be done with CSS classes, not inline styles #0022190
  * other
    - function gpc_set_cookie() ignores $p_httponly argument #0029027
  * performance
    - Improve performance of user_pref_clear_invalid_project_default() #0028120
    - Issue view page timeouts or inefficient for issues with large number of notes and attachments #0032244
    - Only load dynamic CSS status_config.php when necessary #0030773
  * plug-ins
    - Event on access level modifications #0026998
    - Hook for Custom field on bug_change_status_page #0031666
    - Unknown named parameter $files #0033058
  * relationships
    - Wrong html syntax #0029903
  * security
    - Printing #0025492
    - Use PHP random_bytes() instead of our custom crypto_generate_random_string function #0032900
  * tagging
    - Wrong display of tag filter #0032811
  * tools
    - Enable PHP 8.1 builds on Travis-CI #0029882
    - Error when executing the complete PHPUnit test suite with AllTests.php #0032815
    - New build script to download updated font files #0028964
    - Refactor and improve output of 'test_langs.php' admin script #0027383
    - TravisCI '/usr/sbin/sendmail: not found' error after successful test execution #0032828
    - Upgrade to PHPUnit 8.5 and adapt test suite #0032810
    - Use phpunit.xml to define Test Suites #0032816
  * ui
    - Add hash to MantisBT CSS files to force browser cache update #0026148
    - Bugnotes links tilde '~' sign rendered as dash '-' in View page #0022109
    - Buttons' vertical size is slightly smaller than other form elements #0030550
    - Long unbreakable text does not auto wrap in bug details page #0027114
    - Manage Project Edit page should redirect to relevant section after updates #0030435
    - Move Delete buttons into main form #0027274
    - "pinning" an issue calls for not CSS code in view_all_inc.php #0031944
    - progress bar on the title bar #0028182
    - Regroup the 2 Subprojects sections on Manage Project Edit page #0030423
    - Removing vertical lines in tabular presentation to reduce clutter #0028826
    - Text Custom Field columns should be left-aligned #0030279
    - Visually align the 1st column's width in manage_user_proj_delete.php #0028124
  * upgrade
    - Improve handling of unserialize->json conversion during upgrade #0028918
  * wiki
    - Support for WackoWiki #0022371

* Tue Apr 25 2023 Johannes Weberhofer - MantisBT 2.25.7
  * bugtracker
    - Ampersand in $g_search_title prevents adding search engine #0032076
    - Getting Undefined index: target_version when viewing bug #0032353
    - IssueViewPageCommand.php line 135: 'Undefined array key "version"' with php 8.1.16 #0032086
  * email
    - new PHPMailer() is created for every outgoing email #0030127
  * performance
    - access_project_array_filter can lead to many SQL requests #0032131
  * plug-ins
    - EVENT_LOG can produce stack overflow when LOG_DATABASE is enabled #0032243
- MantisBT 2.25.6 Security and maintenance release addressing an information disclosure issue (CVE-2023-22476), with thanks to d3vpoo1 for identifying and responsibly reporting it, as well as a vulnerability in the bundled moment.js library (CVE-2022-31129). This release also resolves over 20 issues including several PHP 8.x compatibility fixes. All installations are strongly advised to upgrade as soon as possible.
  * api rest
    - Update Slim Framework to 3.12.4 #0030841
  * bugtracker
    - Browser extensions may trigger automatic bug monitoring #0030922
    - config_flush_cache() doesn't clean the eval cache for individual options #0030793
    - Date conversion fails when editing a project version using a non-US date format #0031836
    - Product Version / Target Version - Date missing #0031889
    - Remove "sponsorship_total" from columns default #0032037
  * code cleanup
    - PHP 8.1 deprecated warnings #0031712
  * documentation
    - Missing columns on $g_view_issues_page_columns documentation #0022238
  * installation
    - Creation of dynamic properties is deprecated in PHP 8.2 #0031943
  * ldap
    - Deprecated conversion of false to array in ldap_api.php with PHP 8.1 #0030790
    - Editing user with use_ldap_email = ON empties email address #0024720
    - Poor error handling when $g_login_method = LDAP and PHP extension missing #0030771
  * markdown
    - URLs should only be converted to links when process_url is ON #0030918
  * other
    - Upcoming incompatibility with PHP 8.2, "Deprecate ${} string interpolation" RFC #0030429
  * plug-ins
    - XML import: Undefined property warning when importing bug notes #0031876
  * reports
    - Graphviz logs syntax error in line xx near ';' #0031827
  * security
    - Allow adding relation type noopener/noreferrer to outgoing links #0030791
    - CVE-2023-22476: Private issue summary disclosure #0031086
    - Update moment.js to 2.29.4 #0030772
  * signup
    - Captcha audio not working #0030814
    - Captcha image not showing on PHP 8.1 #0030794
  * tagging
    - Undefined constants TAG_NOT_ATTACHED + TAG_ALREADY_ATTACHED in tag_api.php #0031159
  * ui
    - Status color boxes shown in black on bug_relationship_graph.php #0031829
    - unreachable submit button #0030835
  * upgrade
    - Scalar typehint is not supported in PHP 5.x #0030777

* Sun Nov 06 2022 Johannes Weberhofer - MantisBT 2.25.5 Security and maintenance release
  * security
    - CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection
    - CVE-2022-33910: Stored XSS via SVG file upload
    - Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote
    - Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8
  * authorization
    - APPLICATION ERROR #13 (access denied) while creating new user when threshold configured as MANAGER in administration interface
    - Update issue icon on "My View" page is displayed even without having appropriate access rights
    - Update issue icon on "View Issues" page is displayed even without having appropriate access rights
  * bugtracker
    - Errors trying to load moment.js library from CDN
    - $g_path incorrectly set in config_defaults_inc.php on PHP 5.6
    - PHP 5.6 support broken
  * filters
    - Create Permalink - special characters handling
  * installation
    - Javascript error in browser console when upgrading
    - Installer's Oracle-specific warning regarding identifiers' length is shown initially for MySQL
  * db-mssql
    - APPLICATION ERROR 401 Database query failed. Error received from database was #-52: SQLState: IMSSP
  * documentation
    - Impossibility of deleting attachment with form security validation turned on

* Wed Apr 20 2022 Johannes Weberhofer - MantisBT 2.25.3 Security and maintenance release
  * security
    - CVE-2021-43257: CSV Injection with CSV Export Feature #0029130
    - CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php #0029688
    - Update ADOdb to 5.20.21 #0029485
    - Update guzzlehttp/psr7 to 1.8.5 #0029848
    - Update moment.js to 2.29.2 #0029849
  * api rest
    - Slim Application Error when RestFault generated #0028927
  * api soap
    - SOAP call mc_project_get_id_from_name fails when there is no matching project in PHP 7.2 #0029034
  * attachments
    - Adding an attachment with a long filename causes "Data too long for column 'filename'" application error #0029144
  * bugtracker
    - Constant FILTER_SANITIZE_STRING is deprecated #0029845
    - 'format_issue_summary' custom function not called from View Issue Details page #0029181
    - Passing null to parameter of type XXX is deprecated #0029846
  * custom fields
    - APPLICATION ERROR 1300 Custom field not found with case-sensitive database #0029413
  * installation
    - Unable to install #0029462
  * ui
    - Missing closing div tag causes incorrect page footer display #0029416

* Mon Jun 21 2021 Johannes Weberhofer - MantisBT 2.25.2
  * CVE-2021-33557: XSS in manage_custom_field_edit_page.php
  * PHP 8: "Bad Request" error on custom field filters
  * Update PHPMailer to 6.5.0

* Thu May 20 2021 Johannes Weberhofer - MantisBT 2.25.1
  * administration
    - Error removing project #0028106
  * plug-ins
    - Bundled plugins 2.25.0: incorrect Mantis requirement #0028076
  * security
    - Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) #0028530
  * ui
    - Incorrect spacing between icon and text on manage_user_edit_page.php #0028112
    - Labels for email notifications in User Prefs page appear in bold #0028084
    - Project Edit Page does not display check boxes #0028082
    - Unsightly vertical offset of the "Update Prefs" and "Reset Prefs" buttons. #0028080

* Mon Mar 08 2021 Johannes Weberhofer - MantisBT 2.25.0 This feature and maintenance release contains over 100 fixes and enhancements; among many other things, it improves PHP 8 compatibility, LDAP authentication and invalid plugins management. It also includes a schema change, so do not forget to upgrade the database as documented in the Admin Guide. Please note that this will be the last release supporting PHP 5.
  * administration
    - "Add Version" without entering a version number outputs "Operation successful" though no version has actually been added #0027994
    - Attachment settings not available on "Workflow Thresholds" page #0026892
    - Issue revision settings not available on "Workflow Thresholds" page #0027817
    - Manage user page table footer is displayed even when empty #0027387
    - Misleading e-mail notification following password reset by admin #0026884
    - PHP warning in config_get_global #0026798
    - Some config options can be set in database, but should be configurable just in config_inc.php #0027884
    - SQL syntax error on manage_user_page #0027117
    - Sticky setting not available on "Workflow Thresholds" page #0027463
    - When deleting a project, there should be information of how many (if any) issues are affected #0027768
  * api rest
    - /config REST API endpoint reports users as not found when they exist #0026891
    - Errors in API documentation #0026481
    - Incorrect documentation for tags #0027969
    - REST API update issue triggers errors if payload is empty #0027973
    - Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5 #0026919
  * api soap
    - mc_issue_update() throws system warning when Project not specified in IssueData #0027981
  * attachments
    - Improve pop-up description for file icons #0027827
  * authentication
    - Username regex is too strict by default #0026811
  * authorization
    - reporter allowed to close #0026920
  * bugtracker
    - Admin check always has "WARN" for magic_quotes checks (PHP 7.4) #0026964
    - Allow printing of standard confirmation alerts without buttons #0027242
    - bugnote_clear_cache() does not work properly #0027217
    - clickable summaries in view issues page #0008066
    - It is not possible to clear the Default Profile #0027257
    - Profile-related operations lack confirmations #0027259
    - Refactor Profiles management pages to display a list of records #0027256
    - Standardize on IEEE 1541 units (KiB, MiB) for file sizes #0027700
    - Update securimage to 3.6.8 #0027155
  * change log
    - No hyperlinks in Changelog and Roadmap release notes #0027839
  * code cleanup
    - Code cleanup around User/Global Profiles #0027258
    - Convert Project and User Pref APIs to use DbQuery class #0027145
    - Data integrity: ensure users' default_project preference is a valid project #0027144
    - Error handlers use deprecated context parameter #0027703
    - Implement ConfigsGetCommand and use from REST API #0026889
    - Implement LocalizedStringsGetCommand and use from REST API #0026890
    - Move release scripts to main repository #0026903
    - New API function to get User Id by cookie string #0028002
    - PHP notice in manage_user_edit_page.php when given invalid user id #0027573
    - Refactor printing of project selection menus #0026888
    - Remove obsolete 'posted' form param when reporting new issue #0027575
    - Remove Project Info page #0027802
    - Remove unused and regroup duplicated language strings #0027298
    - Remove unused bug_monitor_list_view_inc.php file #0026962
    - Standardize access of option database_version #0026821
    - System notice in lang_error_handler #0027701
    - Unneeded code for option display_project_padding #0027833
    - Use user_is_login_request_allowed() instead of duplicating the logic #0026930
  * custom fields
    - Custom date field with default value left blank even when field is required #0027914
    - Custom fields with comma can't be used in Manage Config Columns page #0026665
    - Incorrect error message when reporting issue with a custom field failing validation #0027576
    - Remove need to use {} for dynamic dates in custom fields default value #0027956
    - Validate date custom fields default value format #0027950
  * db mssql
    - Update ADOdb to 5.20.20 #0026837
  * db postgresql
    - PHP 8.0 PostgreSQL builds fail due to deprecated pg_fieldsize() function #0027830
  * db schema
    - Email field in mantis_email_table is shorter than user email in mantis_user_table #0027982
  * documentation
    - Admin Guide has various broken links, obsolete info, etc. #0026617
    - Fix discrepancies in documentation for $g_display_errors #0027300
    - Host the Example Plugin from the Developers Guide in a repository in mantisbt-plugins organization #0027993
    - Improve Custom Fields documentation #0027983
    - Out of the box Mantis does not display either a Dependency or Relationship Graph #0027584
    - Remove helper_alternate_class() calls from Developers Guide and document alternative #0027992
    - REST API documentation #0025998
  * email
    - Enable S/MIME signed e-mail notifications #0025764
  * filters
    - Preserving filters does not work correctly on sub-sub-projects #0027129
    - search field at project-selection is not working anymore #0027375
  * html
    - Standardize the way fontawesome icons are printed #0027828
  * installation
    - Required PHP json extension not documented and checked #0026974
    - [Sourceforge] admin/test_langs.php - File missing from installation packages (mantisbt-2.24.3.zip & mantisbt-2.24.3.tar.gz) #0027362
    - Using an empty timezone causes PHP notice on PHP 8 #0027796
  * javascript
    - MantisGraph: stop using chart.js bundled build #0027123
  * ldap
    - Add STARTTLS Support to LDAP #0015361
    - Changed default $g_ldap_protocol_version from 0 to 3. #0027848
    - LDAP configuration options can be set in database #0026822
    - LDAP server must be specified as an URI #0027849
  * localization
    - Confusing message when selecting a project to enter an issue #0011463
    - Improve handling of missing language strings #0027241
  * other
    - Upgrade release build scripts to Python3 #0027384
  * performance
    - Non visible image previews are transferred from server to client #0027150
  * plug-ins
    - 3rd-party plugins cannot use chart.js library bundled with MantisGraph #0027122
    - Admin checks should detect invalid / incorrectly installed plugins #0026143
    - Create cronjob script and plugin event #0027882
    - Force-installed plugins are not registered in order of priority #0027302
    - Improve handling of invalid / incorrectly installed plugins #0026142
    - MantisGraph: update Chart.js library to v2.9.3 #0027124
    - Plugin_force_uninstall is not declared #0012961
    - Tag attach group action doesn't trigger EVENT_TAG_ATTACHED #0027881
    - Validate plugin folder name and name match during setup #0017487
  * preferences
    - issue report TOO_MANY_REDIRECTS #0026988
    - Non existing field name os_version used where os_build should be used #0026840
  * printing
    - Viewer does not get Selection column in View Issues or Print Reports lists #0026839
  * security
    - Printing unsanitized user input in account_prof_edit_page.php #0027853
    - Update PHPMailer to 6.3.0 #0027118
  * sql
    - Error in bug_api.php when UPDATEing a bug #0027113
  * sub-projects
    - Project Menu Bar does not indent subprojects properly #0026887
  * time tracking
    - User list in time tracking summary is not sorted #0027005
  * tools
    - TravisCI: add PHP 8.0 to tests, and switch to bionic build environment #0027829
  * ui
    - Confusing redirection when editing profiles #0027260
    - Horizontal rules (<hr> tag) are nearly invisible #0027978
    - Inconsistent form input labels' font size when HTML label element is used #0027958
    - Left-align the Send Reminder textarea #0027972
    - Manage users edit page: inconsistent spacing between sections #0027574
    - "Move" functionality offered for users that have just access to a single project #0026861
    - Questionable UI / button on "Edit Project Category" page #0027808
    - Upgrade to fontawesome version 4.7.0 #0026823
    - Username field in Monitor box triggers password managers #0026963
    - Wrong page position after bugnote add/edit #0027160

* Mon Jan 18 2021 Johannes Weberhofer - MantisBT 2.24.4: Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible. This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.
  * Attacker can leak private information via different functionality
    - CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
    - CVE-2020-29605: Disclosure of private issue summary
    - CVE-2020-29603: Disclosure of private project name
  * Private category can be accessed/used by a non member of a private project (IDOR)
  * CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  * User Account - Takeover
  * Fixed in version can be changed to a version that doesn't exist
  * When updating an issue, a Viewer user can be set as Reporter
  * CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
  * CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function through the SOAP API.
  * inconsistent UI for view bugnote revision
  * Printing unsanitized user input in install.php
  * print_manage_user_sort_link Function Parameter Required after Optional
  * Declaring a required parameter after an optional one is deprecated in PHP 8
  * Javascript error in View Issues page
  * Adapt Error handler to PHP 8
  * Impossible to edit issues with PHP8

* Sat Sep 26 2020 Andreas Stieger - MantisBT 2.24.3:
  * CVE-2020-25781: Access to private bug note attachments
  * Admin can get issues assigned to users not allowed to handle them
  * CVE-2020-25288: HTML Injection on bug_update_page.php
  * Send reminder to viewer
  * Admin can set viewer as a tag creator
  * Priority can override to any positive integer
  * Remove code duplication in File API
  * When processing categories, it is not necessary to know the project id
  * CVE-2020-25830: HTML Injection in bug_actiongroup_page.php

* Tue Aug 11 2020 Andreas Stieger - MantisBT 2.24.2:
  * CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php
  * update PHPMailer from 6.1.4 to 6.1.6
- MantisBT 2.24.1:
  * security
    - APIs expose private attachments to users who have access to issue but not private notes
    - file_get_visible_attachments shows private files that should be invisible to the user
  * various bug fixes and improvements

* Thu Apr 23 2020 Johannes Weberhofer - MantisBT 2.24.0
  * administration
    - how can I allow user to view only the issue that assigned to them #0010831
  * api rest
    - Passing invalid id to rest api custom field update causes program crash #0026541
    - Passing out of range custom field id causes multiple PHP warnings / incorrect response #0026542
    - Passing unsanitized data to type hinted function causes program crash #0026540
    - Support user password reset via REST API #0026632
    - Update GuzzleHttp from 6.4.1 to 6.5.2 #0026441
  * authentication
    - login username is not trimmed #0025097
  * bugtracker
    - Allow multiple, customizable due date levels #0026438
    - Change of due date background color #0016869
    - Implement limit_reporters as a threshold #0023570
    - Inheritance of sub project not read correctly from database #0026765
    - Make category on bug_report_page a required field when $g_allow_no_category = OFF; #0026686
    - Mass update does not allow setting an empty category #0026690
    - Reporter can't see an issue they have been made a monitor of #0015466
    - Required fields when reporting an issue, should also be when updating it #0026687
  * code cleanup
    - Code Cleanup #0026567
    - Remove $g_log_destination 'firebug' option, as the project is dead since 2017 #0026572
  * customization
    - Retire bug_change_status_page_fields config option #0026778
  * db mssql
    - Update ADOdb to 5.20.16 #0026598
  * documentation
    - Admin Guide: remove doc for long-deprecated $g_ldap_port config #0026589
  * email
    - Update phpmailer/phpmailer from 6.1.3 to 6.1.4 #0026475
  * feature
    - Limit reporter's access to their own issues #0009534
  * filters
    - BugFilterQuery - issue? - trying to add join & where conditions #0024600
    - Wrong filtering by none-relationship #0026621
  * installation
    - Add informational comments to SQL script generated by installer #0026661
    - Allow admin to reset table pre/suffix to their default values #0026664
    - Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail #0026636
    - Final statement to set database version not logged in SQL script #0026662
    - improve installer messages when generating SQL script #0026663
    - Use appropriate statement to update DB schema when generating SQL #0026568
  * localization
    - lang_get_defaulted does not search for fallback language #0021201
  * plug-ins
    - Improve MantisColumn sort capability to allow sorting by more complex expressions #0026612
    - New Event: EVENT_MENU_ISSUE_RELATIONSHIP #0011365
    - No equivalent to lang_get_defaulted() in plugin_api() #0026747
  * relationships
    - Dependency Graph crash on circular parent child relationships #0011381
    - Relationship Graph - inconsistency between button label and title #0026165
    - Relationship Graph page is missing legend #0026164
    - Relationship Graph page UI lacks MantisBT 2.x layout #0026163
  * reports
    - Display issue Summary inside relation graph nodes #0017594
    - Wrong number of displayed rows on summary page #0026555
  * roadmap
    - User can't see in roadmap a private issue that they reported #0025115
  * rss
    - Access of non existent image in RSS feeds #0021133
  * time tracking
    - Cell coloring for due date indicates "overdue" when not overdue yet. #0009155
  * ui
    - Generate token with empty name and APPLICATION ERROR #11 #0026623
    - Incorrect CSS rules get applied if a word in custom field name matches an existing CSS class #0026473
    - Issue list throws warning on every issue without bug notes. #0026439
    - on mantisbt.org Roadmap progress bar 'data-percent' class could stand out better #0022142
    - Provide a way to 'show content' for all complex items on Manage Configuration Report page #0026712

* Wed Jan 08 2020 Johannes Weberhofer - Move admin files to /usr/share/php[57] to have them available for system updates
- A POST script has been added which copies the admin files, executes them and removes the files after a successful update
- Cleaned up the spec

* Fri Dec 13 2019 Johannes Weberhofer - MantisBT 2.23.0:
  * administration
    - Custom fields selector in manage project page are not ordered by name #0026368
    - Use empty value as default project in "manage project" subproject section #0026367
  * api rest
    - Error requesting issues using saved filter #0026195
    - Implement IssueViewPageCommand to separate logic from rendering of issue view page #0025902
    - Update GuzzleHttp from 6.3.3 to 6.4.1 #0026374
    - Update Slim Framework to 3.12.3 #0026086
  * attachments
    - Add files information to EVENT_BUGNOTE_ADD event #0025960
    - Attaching files to a note creates a second note with only the attachments #0024113
    - Attachments should be linkable to notes in db #0021733
    - Comments on attachments #0009363
    - Create a place holder note when submitting attachments without text #0026082
    - Deleting a note, should delete associated attachments #0024577
    - "private bugnotes" as default setting prevents uploading further attachments #0022817
    - Support attachments associated with private notes #0009802
    - Support inline playing of audio attachments #0026095
    - Support inline playing of video attachments #0026102
    - Switching note to private/public, should impact associated attachments #0026081
    - Warning for users when making public notes with attachments private #0025935
  * auditing
    - Link attachments issue history events to attachments to determine visibility #0026083
  * bugtracker
    - Closing issues via group action with empty note creates a bugnote record #0026150
    - PHP notice in bug view page when viewing issue without category #0026094
    - Tags are not copied from master issue when cloning #0026326
  * custom fields
    - Filter value "none" is not available for multiselection list custom fields #0026030
    - Manage custom fields page does not show fields in order #0025975
    - Use custom field regular expression in the html input #0025972
    - Use max length property of custom field in inputs #0026141
  * db postgresql
    - check_pgsql_bool_columns: check wrongly suggests that the redirect_delay should be in boolean format #0026109
  * documentation
    - Invalid URL for GraphViz home page #0026092
    - preview_*_extensions config options not documented #0026096
    - Update ERD diagram to reflect new field in bug_file table #0026098
    - Wrong data types in ERD #0021799
  * email
    - Bump phpmailer/phpmailer from 6.0.7 to 6.1.3 #0026265
    - "Email on monitoring" not configurable in manage_config_email_page #0026002
  * feature
    - Allow setting reminder bugnotes' view status #0010107
  * filters
    - Filter for a date custom field fails when no values for this field exists #0026062
    - No way to filter "negative" for checkbox custom fields #0021712
  * javascript
    - Update corejs-typeahead.js library to 1.3.0 #0026382
  * performance
    - Issue view api uses many custom field database queries #0026166
    - Issue view history api repeated calls to bug_get_attachments database query #0026167
  * plug-ins
    - Content Security Policy directive 'frame-ancestors' contains an invalid source when http_csp_add is called for it #0026093
  * reports
    - Move MantisGraph pages to their own tab #0026139
  * security
    - Update ADOdb to 5.20.15 #0026388
    - Vulnerability from library Moment.js 2.15.2 #0026358
  * tagging
    - Add $g_tag_create_threshold to Workflow Thresholds in the GUI #0026119
    - Tag attachments list includes tags already attached to the bug #0026353
  * time tracking
    - Application Error 401 when clicking Time Tracking at the bottom of a bug notes page #0026132
    - Bugnotes time spent info is always shown even if time tracking is disabled #0026134
  * ui
    - Attachments displayed with empty user #0026128
    - Attachments without note text are not displayed #0026294
    - Both "monitor" and "end monitoring" buttons are displayed #0026123
    - Clone button is not displayed correctly #0026295
    - Inline actions user experience is inconsistent between different features #0025905
    - "Users monitoring this issue" section not shown if nobody is monitoring the issue #0026125

* Tue Dec 10 2019 Andreas Stieger - MantisBT 2.22.2:
  * fix bug: Field "EXCEL columns" has space or tabulation

* Sun Sep 29 2019 Andreas Stieger - MantisBT 2.22.1:
  * CVE-2019-15715: Command Execution / Injection Vulnerability
  * CVE-2019-8331: bundled Bootstrap updated to 3.4.1
  * Enable integrity hashes for CSS resources from CDNs
  * Show content for Complex Configuration option did not work when mod_rewrite is disabled

* Fri Aug 30 2019 Johannes Weberhofer - MantisBT 2.22.0
  * administration
    - Impossible to set add/remove monitors thresholds from manage page #0025826
    - Simplify displaying of complex values in adm_config_report page #0025910
  * api rest
    - Adding issue via REST API should fail if requested tags can't be attached #0026076
    - Invalid JSON response when creating issue with tag by name via REST API #0025997
    - IssueAddCommand should create tag specified by name if they do not exist #0026077
    - Missing tag name in error message when creating issue via REST API #0025996
    - REST API support for multiple authorization headers #0025362
  * api soap
    - SOAP API return value does not match definition in WSDL #0025470
  * attachments
    - Add support for pasting images as attachments #0021797
  * bugtracker
    - Ability to add monitors to a bug when the bug is first reported #0006128
    - error_string() does not allow HTML tags inside of error messages #0025749
    - IssueAddCommand does not create history entries identical to the code it replaced #0025962
    - PHP Notices in User API #0025850
    - Replace mailto: by link to user profile page in view.php #0025686
    - Status color squares become black #0024189
    - Users can't add monitors if access < show_monitor_list_threshold and >= monitor_add_others_bug_threshold #0025815
  * code cleanup
    - Glue after String Array is being Deprecated #0026063
    - MantisGraph: define Chart.js-related constants in the plugin #0025952
    - New prepare_mailto_url() API function #0025849
    - Remove get_email_link() API function #0025848
    - Remove unused $p_can_report_only parameter in layout_navbar_projects_list() #0025894
  * documentation
    - Admin guide: remove reference to unmaintained Firefox add-on #0025904
    - Improve documentation for monitors-related configs #0025827
  * html
    - Invalid HTML in manage_config_workflow_page.php #0025784
    - Leading newlines disappear when editing data in textarea elements #0025839
  * installation
    - Reflect PHP requirements in Composer config #0025774
  * javascript
    - Improve client-side sortable tables script #0025911
  * other
    - bug_report_page is forced to be cached #0025969
  * plug-ins
    - Add EVENT_MENU_MAIN_FILTER to allow complete customisation of main menu #0024590
    - EVENT_BUGNOTE_DATA event not documented in developer manual #0025914
    - Gravatar Plugin Description #0026066
    - Improve plugin schema upgrade error message #0025162
    -
MantisGraph: update Chart.js library to v2.8.0 #0025951 - Missing an API function to check if a plugin event has been declared #0025953 * printing - Remove hyperlinks on usernames in Word export #0025851 * security - Email for a new private bugnote was send to a non authorized reporter #0022898 - CVE-2019-15539: Stored XSS on Project Documentation * tagging - Creating an invalid tag should fail with an error #0026074 - Report issue doesn\'t support multiple new tags #0024441 - Tag-related error messages should reference the tag\'s name #0026075 * time tracking - Time tracking box rendering is broken #0023725 * tools - PHPUnit tests as run by Travis CI builds do not execute all defined suites #0025961 * ui - Gravatar plugin should always use https #0025963 * Thu Jun 27 2019 Johannes Weberhofer - MantisBT 2.21.1 * administration - Button label truncated on manage_config_workflow_page #0025783 - LOGFILE_NOT_WRITABLE error triggered if file does not exist #0025734 - Wrong access_level settings when updating rights in the project admin page #0025722 * attachments - File upload timeout #0025763 * other - Summary \"By Date (days)\" gets wrong number #0025742 * reports - Summary statistics db error message #0025781 * Wed May 22 2019 Johannes Weberhofer - MantisBT 2.21 * administration - E_USER_DEPRECATED errors are no longer displayed inline #0025629 - If log file is not writable, log_event() fails silently #0019642 - PHP Notice or incorrect file+line number when displaying DEPRECATED error #0025631 * api rest - Inconsistent naming of username field in REST API #0025688 - Update Slim Framework to 3.12.1 #0025703 * bugtracker - Redirect to the new issue\'s page after reporting it #0025695 * customization - Modification to status colors css #0023550 * documentation - Encoding of custom files not documented #0022143 - Upgrade guide does not mention plugins #0022972 * filters - sub-project assignments missing from project-specific My View page [#0023333] * installation - 
Missing file (api/rest/web.config) in installer #0025614 * ldap - LDAP documentation - Remove invalid \'hostname:port\' example #0025664 * performance - Improve performance of Summary Page queries #0025693 - Update color when new Status is selected in Bug Update Page #0025651 * plug-ins - View Issue page menu links from EVENT MENU_ISSUE event are wrapped with \"[\", \"-\" characters #0023694 * timeline - My View page without timeline does not respect the $g_my_view_boxes_fixed_position setting #0022096 * ui - Focus on project search #0023037 - My View Page layout misses some boxes #0022104 - Plugin tab in Summary section not highlighted when selected #0023418 - Projects menu search box should be hidden when having a small number of projects #0025594 - Show Invite button for users with manage users access level, not just administrators #0025682 - Show status with a color square instead of background color on Bug Update Page #0025650 - Uneven distribution of boxes on My View page when Timeline is OFF [#0025679] * Mon Mar 18 2019 Johannes Weberhofer - MantisBT 2.20 * administration - Cant modify configuration for All projects if only one project exists [#0020054] - \"Check Installation\" is missing from Admin menu #0025130 - inconvenience while handling user\'s accounts #0005151 - Manage project, copy from/to forms are easy to click accidentally and don\'t ask for confirmation #0025368 * api rest - Allow adding/updating/deleting subprojects via REST API #0025400 - /api/rest/issues endpoint supposedly returns all issues, but doesn\'t [#0025102] - Get project doesn\'t return all versions #0025381 - Simple and Advanced filters are not consistent for handling sub-project issues #0025515 - Undefined variable t_show_detailed_errors in API REST #0025429 - Update Slim Framework to 3.12.0 #0025437 * attachments - Dropzone max-filesize option is not correct #0025463 - Dropzone preview does not work #0025465 - Enforce max-filesize in dropzone to alert and drop big files before 
form submission #0025464 - Redesign Dropzone file previews #0025572 * authentication - Token error when login with a newly created user #0025110 * code cleanup - default_email_on_status, misleading comments in config_defaults [#0020069] - Take care of released/obsolete flag when accessing version_cache_array_rows() cache #0022100 - Wrong caching in version API #0024821 * db mssql - Wrong/duplicate bugnote_text_id in mantis_bugnote_table #0025442 * documentation - $g_notify_new_user_created_threshold_min is ignored on new account creation #0025403 - Manual does not describe variable \"g_from_name\" #0017304 - Minor documentation fixes #0025408 * email - Bump phpmailer/phpmailer from 6.0.6 to 6.0.7 #0025436 - check all/ uncheck all checkbox for email notifcation #0025434 * excel - Float custom field saved as String in XML-Excel export #0025174 * feature - Add filtered summary #0004624 - Usability suggestion at Report Issue screen #0023045 * filters - Cannot filter by versions of parent project when child project selected #0012261 - Improve presentation of temporary filters #0024775 - Permalink - Filter lose information after click on view issues [#0024549] - Switching simple/advanced for a temporary filter loses the filter [#0024776] * html - Filter widget does not hide botton bar when collapsed #0025109 * performance - Massive queries to user table in edit project #0023904 - project versions are not cached efficiently #0023245 * plug-ins - MantisGraph: improve display of By Category Bar chart #0025524 - MantisGraph: improve handling of colors in Pie charts #0025523 - MantisGraph: limit number of slices in By Category pie chart #0025522 * relationships - Error when adding a relationship if bug id contains whitespace as prefix or suffix #0025532 - When adding multiple relationships, ignore source issue and empty issue ids #0025533 * reports - Filter by dates in Summary Graphs #0014656 - Filtered Summary #0021931 - MantisGraph, implement filtered summary for graphs 
#0025164 - MantisGraph. Reporter graph does not fit width of page #0025168 - MantisGraph summary links don\'t hghlight current graph page #0025163 - Missing pie chart in \"By Category Graphs\" #0022099 - Script error in graphs #0025210 - Summary doesn\'t honour issue access #0025165 - SYSTEM NOTICE on graph pages #0025466 - Update Chart.js to 2.7.3 #0025488 - View Issues - Select a Filter - Graph are not linked on this choice [#0009757] * rss - RSS feeds broken when using PHP >= 7.0 #0025213 * security - Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042) #0024672 - web.config file is missing in api/rest #0024347 * sql - Page adm_config_report has queries missing db_param_push() #0025456 * tools - Travis CI builds fail for PHP 7.3 #0025390 * ui - Enable selection of a range in checkboxes lists. #0025217 - Incorrect spacing between submenu and main div for some MantisGraph screens #0025386 - MantisGraph: redundant subtitle on Issue Trends page #0025387 - Page adm_config_report does not cache users and generate many database queries #0025454 - Page adm_config_report, users in filter list are not correctly ordered #0025455 - Project selection is shown even if the user has no accesible projects [#0025133] - Provide sortable functionality to simple tables #0025378 - \'show_queries_count\' is a global setting, but \'show_memory_usage\', \'show_timer\' are not #0025446 - Summary page submenu not aligned when screen narrower than buttons [#0025385] * Fri Jan 11 2019 jweberhoferAATTweberhofer.at- MantisBT 2.19 https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.19.0 * Updates: ADOdb, Guzzle, Slim Framework, PHPMailer, Disposable Email Checker * Fixed installation issue (memory_limit test fails when memory_limit is set to -1, PHP 7.3 issue) * Fixed authentication issues * Improved form handling for password managers * Fixed some UI issues * Code cleanup- Updated file lists, removed additional files not used in distribution * 
Thu Nov 29 2018 jweberhoferAATTweberhofer.at- MantisBT 2.18 * Code Cleanup * Plugin Columns - Export CSV or Excel - PHP 7.2.7 - crash error 500 * Changes to project_view_state and view_state to create only private projects * Missing fallback for \"Open Sans\" font * Error Creating Issue with new TAG * Performance enhancements of string processing- MantisBT 2.17.2 * CVE-2018-17783: XSS in manage_filter_edit_page.php * CVE-2018-17782: XSS in manage_filter_page.php * Mon Oct 01 2018 jweberhoferAATTweberhofer.at- MantisBT 2.17.1 CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php- MantisBT 2.17.0 https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.17.0 This is a selection of improvements among many others: * better visibility of relationships * search for users in the administration * REST and SOAP API improvements * Fri Sep 14 2018 astiegerAATTsuse.com- MantisBT 2.16.1: * CVE-2018-14895: XSS in bug_actiongroup.php * Mon Aug 06 2018 jweberhoferAATTweberhofer.at- MantisBT 2.16.0 https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.16.0 * ui - Local copy of Open Sans font does not include Latin-ext characters - Fonts are not rendered correctly in Windows clients - Font = Times News Roman after Upgrade from v2.7.0 * upgrade - Improve handling of unserialize errors when upgrading - Error in upgrade process 1.2.17 --> 1.3.0 * performance - Unneeded information in Change Log and Roadmap - Performance enhancement of config_get_global function * timeline - Missing display of events in Timeline if All Projects is selected * code cleanup * Thu Jun 28 2018 jweberhoferAATTweberhofer.at- MantisBT 2.15.0 https://www.mantisbt.org/bugs/changelog_page.php?version_id=321 * filters - Cannot save private filter if not allowed to save shared filter - show_user_realname_threshold is not considered when sorting by reporter or handler * bugtracker: Incorrect issue status setting when changing status * wiki: URL 
encoding precludes reasonable wiki root_namespace values * tagging: Exception Missing Class * security: Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks * ui - Selecting users is not easy if show_realname is set to ON - $g_show_realname for making usernames private * other: System warning if $g_log_destination = \'page\' when using PHP 7.2 * api soap: Error while querying for issue header with PHP 7.2 * api rest: Support create project versions via REST API * performance: Unneeded <meta> tag in <head> section- Removed unused adodb scripts- Don\'t package several test-cases from sub-packages as well as vendor/phpunit. As the mantisbt test-cases are not in the upstream package we don\'t run any checks. * Tue May 15 2018 jweberhoferAATTweberhofer.at- MantisBT 2.14.0 https://www.mantisbt.org/bugs/changelog_page.php?version_id=316 * IssueAddCommand Prevents API Folder Removal * Update ADOdb to 5.20.12 * E_DEPRECATED error on php7.2: each() function * Update Slim Framework from 3.8.1 to 3.9.2 * Update GuzzleHttp from 6.3.0 to 6.3.2 * Wrong documentation of datetime_picker_format in Admin Guide * Wrong documentation of my_view_boxes in Admin Guide * Support getting a single project via REST API * Plugin priority changed without being changed by user interaction- MantisBT 2.13.2 https://www.mantisbt.org/bugs/changelog_page.php?version_id=319 * CVE-2018-9839: Private issues accessible to unauthorized users using the \"Clone\" functionality * Markdown quoting rendered with broken HTML * email: Inconsistent realname display * REST API: - Get all filter or specific filter returns incorrect information - REST API returns too much info for default category handler - Don\'t show category default handler for users that can\'t manage the project * api soap: API method mc_filter_get does not work * mb_internal_encoding no longer being set because of removal utf8 library * SYSTEM WARNING \'count(): 
Parameter must be an array or an object that implements Countable\' in \'IssueNoteAddCommand.php * Thu Apr 05 2018 jweberhoferAATTweberhofer.at- MantisBT 2.13.1 https://www.mantisbt.org/bugs/changelog_page.php?version_id=317 * Fixed broken rendering of AATT mentions, # issue and ~ note links- MantisBT 2.13.0 https://www.mantisbt.org/bugs/changelog_page.php?version_id=315 * Filter improvements * Support adding attachments when reporting issues * Several REST and SOAP API improvements * Can\'t login if admin directory has restricted access * Filtering with \"note by\" shows results from private notes for unprivileged users * Entering Emojis in comments with a user mention crashes with an error (mysql)- MantisBT 2.12.1 https://www.mantisbt.org/bugs/changelog_page.php?version_id=314 * Account page required change password on any field modification * Username (Realnames) format not showing on timeline (my_view_page) * Wrong color of username in timeline * History entries display realname instead of username- MantisBT 2.12.0 https://www.mantisbt.org/bugs/changelog_page.php?version_id=312 * Improvements to menioning users with AATTuser * Language updates * User realname uniqueness check doesn\'t work * Wed Feb 14 2018 jweberhoferAATTweberhofer.at- MantisBT 2.11.1 * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.11.1 * Bugfix: REST API doesn\'t work from UI for some users * Bugfix: Warning message on login page after new installation * Fri Feb 09 2018 jweberhoferAATTweberhofer.at- Removed vendor/adodb/adodb-php/server.php file which isn\'t required but leads into CVE-2018-6382 and bsc#1078308- Require fileinfo extension- MantisBT 2.11.0 * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.11.0 * Administration: - Allow unprotecting protected users - Other fixes * REST API: - Added handling of tags, users, relationships, monitoring, attachements, time-tracking * Reports: - Several improvements * Installation fixes * 
Further improvements and code-cleanups * Thu Feb 08 2018 astiegerAATTsuse.com- MantisBT 2.10.1, a bugfix and security release: * unable to create a bug with customfields via SOAP * Wrong constructor name in class FilterConverter * Resolving as duplicate does not add reporter and handler to monitoring list of duplicate issue * CVE-2018-6403: XSS in adm_config_report.php \'value\' parameter * Tue Jan 30 2018 jweberhoferAATTweberhofer.at- Update to 2.10.0 * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.10.0 * REST API: Filter improvements * Fixes in time-tracking * Further fixes and refactorings * Tue Dec 19 2017 jweberhoferAATTweberhofer.at- Update to 2.9.0 * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.9.0 * fixes and refactorings * REST API ipmrovements * Fri Nov 03 2017 jweberhoferAATTweberhofer.at- update to 2.8.0 * https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.8.0 * fixes * REST API: updates, on by default * DKIM support for E-Mail signing- REST API requires php-soap- MatisBT requires php 5.5.0+ * Sat Oct 14 2017 astiegerAATTsuse.com- update to 2.7.0: * ui rendering fixes * performance improvements * fixes related to custom fields and filters * Tue Sep 19 2017 jweberhoferAATTweberhofer.at- MantisBT 2.6.0 REST API * projects doesn\'t return child projects (vboctor) * Notes returned by /issues REST API have incorrect timestamps (vboctor) * Support adding/deleting notes via REST API (vboctor) * Support issue id as part of the path for REST API (vboctor) Attachments * Can\'t open image attachments in browser windows (dregad) Bugtracker * AJAX calls with invalid endpoints fail with syntax error (dregad) * bug_actiongroup_page, on copy, & move, poject combo lists projects wich the user has no rights (cproensa) * Update GuzzleHttp from 6.2.3 to 6.3.0 (vboctor) * Sutomization * Custom fields badly filtered when multi-projects (cproensa) * Field is appearing in email notification 
but not used in UI. (joel) E-Mail Update disposable-email-checker to v3.0.1 using Composer (vboctor) * Update PHPMailer v5.2.23 to v5.2.24 (vboctor) * Removing \"Report an issue\" permission removes user from Monitoring filter dropdown (atrol) * Due date field not displayed correctly when editing ticket (community) * Unused code and unused CSS delivered for obsoleted functionality (atrol) * Unused CSS delivered (atrol) Markdown * Update Parsedown 1.6.2 to 1.6.3 (vboctor) Performance * Project cache is not efficient with navbar project selection. (cproensa) * Unused and inefficient code in function layout_print_sidebar (atrol) Time Tracking * Enabling Time Tracking distorts View Issue Details page layout. (cproensa) * Issue history box is narrower than other boxes above it on View Issue page (cproensa) * Time Tracking \"auto count\" is giving the wrong elapsed time (dregad) * Time tracking report excludes issues with no category assigned (cproensa) * Unable to access time tracking reports (atrol) UI * \'Manage Configuration\' tab usually does not highlight (dregad) * \"notify user\" check should be moved outside the form (cproensa) * Calendar doesn\'t show the correct date the first time it opens (dregad) * Display of hardcoded string on view_user_page if e-mail address is empty (atrol) * Graph display is too faint and blurred (atrol) * print_manage_menu() does not highlight active plugin pages (dregad) * Questionable display of \"Access Denied\" on view_user_page (atrol) * Questionable order and functionality of top buttons on \"View Issue\" page (atrol) * The required fields are not explicitly visible when updating, resolving or closing an issue (community) * When specifiying top_buttons display, the button on update screen has no styling. 
(atrol) * Mon Sep 04 2017 astiegerAATTsuse.com- MantisBT 2.5.2: * Login page no longer warns about \'admin\' directory being present * Checks on login page are never executed if \"admin\" dir does not exist * Improve doc and notifications when admin dir is present (CVE-2017-12419) * drop patches: CVE-2017-12061.patch CVE-2017-12062.patch- make mantis a versioned provides capability * Tue Aug 01 2017 astiegerAATTsuse.com- Fix two XSS vulnerabilities: * CVE-2017-12061: XSS in /admin/install.php script (bsc#1051697) add CVE-2017-12061.patch * CVE-2017-12062: XSS in manage_user_page.php (bsc#1051698) add CVE-2017-12062.patch * Tue Aug 01 2017 astiegerAATTsuse.com- MantisBT 2.5.1: * REST API improvements, SOAP API fixes * Mon May 22 2017 astiegerAATTsuse.com- MantisBT 2.4.1: * Support Generic Authentication through Plug-ins * various fixes and improvements * Mon Apr 17 2017 astiegerAATTsuse.com- MantisBT 2.2.4: * CVE-2017-7615: Account verification page allows resetting any user\'s password (bsc#1034333)- includes changes from 2.2.3: * Sorting all bugs list using a column header after applying a filter resets the filter * Permalink does not work with \"Note By\" * Filter error due to \"view status\" having an array value * Regression in custom field sorting * CVE-2017-7309: XSS in adm_config_report.php (bsc#1031807) * CVE-2017-7241: XSS in move_attachments_page.php (bsc#1031807) * Markdown starts heading in the middle of a line * Markdown still converting \'& amp;\' to & and \'& lt;\' to <- includes changes from 2.2.2: * CVE-2017-6973: XSS in adm_config_report.php (bsc#1031807) * Mon Mar 20 2017 astiegerAATTsuse.com- MantisBT 2.2.1: * various improvements and bug fixes * fix XSS in Source Integration Plugin (CVE-2017-6958) * fix XSS in bug change status page (CVE-2017-6797) * fix XSS in view filters pages (CVE-2017-6799) * Thu Jan 19 2017 branislav.havelAATTsuse.com- MantisBT 2.0.0- package moved to mantisbt * System utilities page for moving attachments should support 
move all attachments * Replace jscalendar by a newer widget * Incorrect text for the remove file button in the file upload dropzone * Section 2.2.2.1 Admin Guide: Misaligned row in Table * Missing leading zeroes in due date display * datetime picker does not work if \'cdn_enabled\' is ON * Due Date calendar icon wraps below the field * Thu Jan 05 2017 astiegerAATTsuse.com- MantisBS 1.3.5: * security fix: Potentially serious RCE vulnerability in bundled PHPMailer before 5.2.18 (CVE-2016-10033) * performance improvements, bugfixes, UI fixes and improvements- MantisBS 1.3.4: * security fix: Handlers(Assignees) are visible when editing an issue even if they are not visible when viewing it * performance improvements, bugfixes, UI fixes and improvements * Mon Oct 31 2016 astiegerAATTsuse.com- MantisBT 1.3.3, a bugfix release: * various fixes for bugs in the UI, behavior and code * documentation updates * Sun Oct 30 2016 astiegerAATTsuse.com- MantisBt 1.3.2, a bugfix update: * documentation updates * Various bug fixes and compatible feature updates * Fix Invalid Strict-Transport-Security header when server would already send it anyway * Thu Sep 01 2016 astiegerAATTsuse.com- MantisBt 1.3.1, a security and bugfix update * CVE-2016-7111: Content Security Policy is weakened by Gravatar plugin * CVE-2016-6837: XSS vulnerability in view_all_bug_page.php * various bug fixes * Tue Jul 12 2016 astiegerAATTsuse.com- MantisBT 1.3.0, a security and feature update- New features: * AATT mentions support * Support for avatar plugins - shipping Gravatar out of the * Support for user lifecycle plugin events * Allow administrators to impersonate users * Support for notes and tags as columns to configure for view issues, print issues, csv/excel export * Support for login using email address * Enforcing email uniqueness * Enable configuration for email notifications for category owner * Re-implemented parsing of complex configuration types for Configuration Report * Tagging directly from 
report issue page * Timeline feature * Users can now generate API tokens * Anti-spam feature to limit the number of issues from new users * Memo custom fields * jQuery and jQueryUI are now included in core * PHP version compatibility up to PHP 5.6 and PHP 7. * Better generated HTML, relying on CSS instead of inline styles and reducing use of tables for layout * HTML5 doctype – Lots of improvements to generated markup. * Out-of-the-box support for Oracle (oci8) * Greatly enhanced support for PostgreSQL * Improved installation and admin utilities (system check, tools) * Mechanism to prevent concurrent updates to the same issue * Detailed filters hidden by default * Improved XmlImportExport core plugin * Bigger e-mail and realname fields * Improved documentation, migrated to Publican * Improved email notifications when an issue is unassigned or re-assigned * Support attaching files while adding a note + attaching multiple files with same name * Added new log level LOG_EMAIL_VERBOSE. * Extensibility, add more events- Security fixes: * CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php [boo#984334] * Cannot change password in second enter to verification page * bugnote actions in view bug page should send data as POST * CVE-2014-9759: SOAP API can be used to disclose confidential settings * CVE-2014-9572: Improper Access Control in install.php * CVE-2014-9571: XSS in install.php * CVE-2015-1042: URL redirection issue * CVE-2014-9573: SQL Injection in manage_user_page.php * PHP remote code execution in install.php * CVE-2014-9701: XSS vulnerability in permalink_page.php * Registrations by bots via captcha exploit * Support Content-Security-Policy (CSP) per W3C specification * install.php: do not send the value of crypto_master_salt over http * Redirect user to change password if logged in with default admin password * plugins directory must be secured/fixed * Provide additional random number generators * allow_reporter_reopen lets reporter make any 
update, not just reopen * Add support for Strict-Transport-Security header * Improve random number generation with openssl_random_pseudo_bytes * Do not allow to send a reminder on a private issue to users under threshold * Remove input side XSS validation of user real names * When user reports an issue, the unpermitted project can be selected * Remove all inline JavaScript from MantisBT (use external scripts instead)- Deprecated Features: * Custom Functions in favor of Plugins * DB2 support – removed in 2.0.x * News feature – already deprecated * Time tracking – already deprecated * Project Docs – already deprecated * Sponsorships – already deprecated- Removed Features: * Built-in source code integration support * FTP for attachments * Removed nusoap in favor of native php soap extension * Removed feature extended project browser * Mon Feb 23 2015 astiegerAATTsuse.com- MantisBT 1.2.19: This release resolves 5 security issues and fixes 2 regressions introduced in 1.2.18. * [security] CVE-2014-9573: SQL Injection in manage_user_page.php * [security] CVE-2014-9624: CAPTCHA bypass is way easier than it should be * [security] CVE-2015-1042: URL redirection issue * [security] CVE-2014-9571: XSS in install.php * [security] CVE-2014-9572: Improper Access Control in install.php * [bugtracker] Reporting an issue gives: \'Invalid argument supplied for foreach()\' in \'/opt/mantisbt-1.2.18/core/gpc_api.php\' line 259 * [email] Order of notes in email notifications seem to be based on user who triggered the action * [bugtracker] Fix handling of due dates * [administration] Installer UI tweaks * [bugtracker] Sort bug notes by date, not by ID * [authentication] User creation with captcha broken by fix for issue 0017811- includes changes from MantisBT 1.2.18: This release resolves 23 security-related bugs and vulnerabilities: * 7 Cross-Site Scripting (XSS) issues * 2 Code injection issues * 2 SQL injection (XSS) issues * 5 Information disclosure issues - 7 Other security issues * 
[security] CVE-2014-8986: adm_config_report.php filtering does not check config option is valid * [security] CVE-2014-9117: CAPTCHA bypass * [security] CVE-2014-9089: SQL injection in view_all_set.php * [security] Multiple vulnerabilities in MantisBT * [security] CVE-2014-9279: Db Credentials leak via unattended upgrade script * [security] CVE-2014-9281: Reflected XSS in admin panel / copy_field.php * [security] CVE-2014-9271: Persistent XSS in file uploads/attachments * [security] CVE-2014-9280: PHP Object Injection in filter API * [security] CVE-2014-9272: XSS in string_insert_hrefs allows script execution * [security] CVE-2014-6316: URL redirection issue * [security] Emails on relations is send to people who cannot see the related issue * [security] CVE-2014-8553: SOAP API: leak of user personal information * [security] Login_page.php: Ensure username is valid * [security] CVE-2014-6387: Null byte poisoning in LDAP authentication * [security] CVE-2014-8988: Attachments can be downloaded without permission * [security] Prevent unauthorized users setting handler when reporting issue * [other] Incorrect $specific_where * [documentation] Code allows display of Resolution and Status in bug report page, but doc says it\'s not allowed * [code cleanup] Use of deprecated PREG_REPLACE_EVAL (\'e\') pattern modifier * [attachments] Warning in bug report when attachments are disabled * [attachments] Debug output displayed when adding files * [bugtracker] proj_doc_update.php on document update crashes if new file is not uploaded * [bugtracker] Missing error param when updating project doc * [filters] Column summary of the free text search is not prefixed by table (filter_api) * [bugtracker] Default profile doesn\'t work * [security] No Errors shown at all if error_reporting=0 configured at server * [bugtracker] Invalid category check is not made * [news] News section shouldn\'t show in permissions report when feature is disabled * [api soap] Handler can be set without having 
appropriate access rights * [db mssql] Graph « Cumulative by date » is not displayed in Summary > Advanced Summary * [migration] Import plugins should be able to set last_updated field to a date in the past * [bugtracker] Issue history show date submitted and last updated as integers rather than dates * [bugtracker] New BugData object due_date should be blank * [plug-ins] XML import plugin only replaces links in \'description\' * [security] CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin * [security] Attachments displayed in history despite user not authorised to view them * [api soap] mc_issue_update() email notification doesn\'t include added notes * [security] CVE-2014-8598: XML plugin should restrict ability to import data * [api soap] CVE-2014-8554: SQL injection in SOAP API * [security] CVE-2014-9269: XSS in extended project browser * [security] CVE-2014-8987: XSS in adm_config_report.php * [security] CVE-2014-9270: Stored XSS in Mantis * [email] Disposable library triggers PHP STRICT warnings * [news] Not possible to set \'announcement\' flag when editing News- Fix XSS in adm_config_report.php - mantisbt-1.2.19-CVE-2015-2046.patch CVE-2015-2046 [boo#919035] |