MantisBT Release Notes
======================

1.2.19 Security Release (2015-01-25)
-------------------------------------------------

MantisBT 1.2.19 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly
advised to upgrade to this release. Download it from [3].

This release resolves 5 security issues:

- #17938/CVE-2014-9571: XSS in install.php
- #17939/CVE-2014-9572: Improper Access Control in install.php
- #17940/CVE-2014-9573: SQL Injection in manage_user_page.php
- #17984/CVE-2014-9624: CAPTCHA bypass
- #17997/CVE-2015-1042: URL redirection issue

We would like to thank High Tech Bridge Research Lab, Alejo Popovici an
Florent Daignière from Matta Consulting for reporting these issues, and their
cooperation in resolving them.

This release also addresses 2 regression issues introduced in 1.2.18:

- #17993 prevents new users from signing up on systems using CAPTCHA.
- #17967 which causes a PHP error when reporting issues on systems with
  checkbox custom fields.

Please refer to the changelog [1] on the MantisBT web site for complete details
on each of these issues.


1.2.18 Security Release (2014-12-06)
-------------------------------------------------

MantisBT 1.2.18 is an important security update for the stable 1.2.x branch.
All installations that are currently running any 1.2.x version are strongly
advised to upgrade to this release. Download it from [3].

This release resolves a total of 43 issues, including fixes for 23 security-
related bugs and vulnerabilities:

- 7 Cross-Site Scripting (XSS) issues: #17297/CVE-2014-9272,
  #17583/CVE-2014-9270, #17870/CVE-2014-8987, #17874/CVE-2014-9271,
  #17876/CVE-2014-9281, #17889/CVE-2014-8986, #17890/CVE-2014-9269

- 2 Code injection issues: #17725/CVE-2014-7146, #17875/CVE-2014-9280

- 2 SQL injection (XSS) issues: #17812/CVE-2014-8554, #17841/CVE-2014-9089

- 5 Information disclosure issues: #9885, #17744, #17877/CVE-2014-9279,
  #17742/CVE-2014-8988, #17243/CVE-2014-8553

- 7 Other security issues: #10966, #17338, #17640/CVE-2014-6387,
  #17648/CVE-2014-6316, #17780/CVE-2014-8598, #17811/CVE-2014-9117, #17878

Please refer to the changelog [1] on the MantisBT web site for complete details
on each of these issues.

We would like to thank the following individuals and organizations for their
valued contribution in discovering and fixing these issues, in no particular
order: Mati Aharoni from Offensive Security and their bug bounty program,
Matthias Karlsson, Matthew Daley, Egidio Romano, Florian Fuchs, Shahee Mirza,
Oleg K, Alejo Popovici, Edwin Gozeling, Paul Richards, Roland Becker,
Victor Boctor and Damien Regad.


1.2.17 Security Release (2014-03-04)
-------------------------------------------------

MantisBT 1.2.17 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly advised
to upgrade to this release. Download it from [3].

An SQL injection vulnerability (CVE-2014-2238) in adm_config_report.php was
patched. Refer to issue #17055 for detailed information.

This release also includes a few bug fixes for the tracker, including News API
correction for the regression issue #16940 introduced in 1.2.16, as well as
updated translations in many languages.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.16 Security Release (2014-02-07)
-------------------------------------------------

MantisBT 1.2.16 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly advised
to upgrade to this release. Download it from [3].

The following security issues were resolved:

 - Cross-site scripting (XSS) issue in account_sponsor_page.php, allowing a
   malicious user with project manager access to execute arbitrary JavaScript
   code (CVE-2013-4460). Affects MantisBT 1.1.0 and later.
   Refer to issue #16513 for detailed information.

 - SQL injection attacks through the SOAP API's mc_attachment_get() function
   (CVE-2014-1608). Affects MantisBT 1.1.0a4 and later.
   Refer to issue #16879 for detailed information.

 - Additional cases of unsanitized SQL query parameters usage were identified,
   potentially allowing SQL injection attacks (CVE-2014-1609).
   Refer to issue #16880 for detailed information.

This release also includes many bug fixes and enhancements to the tracker
and the SOAP api, as well as updated translations in many languages.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.15 Security Release (2013-04-12)
-------------------------------------------------

MantisBT 1.2.15 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly advised
to upgrade to this release.

The following security issues were resolved:

 - Any malicious user could use the view issues page (search.php) to execute a
   filter that could bring down the site by overloading the database server
   (CVE-2013-1883). Affects MantisBT 1.2.12 and later.
   Refer to issue #15573 for detailed information.

 - A cross site scripting (XSS) vulnerability allowed execution of arbitrary
   JavaScript code when deleting a version. Affects MantisBT 1.2.14 and later.
   Refer to issue #15511 for detailed information.

 - In some cases, the 'Close' button would be available to unauthorized users,
   allowing them to close issues at will, bypassing the workflow settings.
   Affects MantisBT 1.2.12 and later.
   Refer to issue #15453 for detailed information.

This release also includes several bug fixes and enhancements to the tracker
and the SOAP api, as well as updated translations in many languages.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.14 Security Release (2013-01-29)
-------------------------------------------------

MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly advised
to upgrade to this release.

Four cross site scripting (XSS) vulnerability issues were discovered and
resolved:

 - A malicious person could trick a target user's browser into executing
   arbitrary JavaScript code (CVE-2013-0197). This vulnerability is critical,
   due to the affected page (search.php) being usable anonymously on public-
   facing installations (i.e. without the need for a user login).
   Affects MantisBT 1.2.12 only (earlier versions are not impacted)
   Refer to issue #15373 for detailed information.

 - A user holding manager/administrator permissions could create a category or
   project name containing JavaScript code; from that point on, visitors to
   (a) the Summary page (summary.php) as well as (b) the Configuration Report
   page (adm_config_report.php), are exposed to having the JavaScript execute
   within their browser environment. The severity of this issue is mitigated by
   the need to have a privileged account to modify category and project names.
   Issue (a) affects MantisBT version 1.2.12 and above, while (b) is on 1.2.13
   only; earlier releases are not impacted.
   Refer to issues #15384 (a) and #15415 (b) for detailed information.

 - An administrator could enter a configuration option containing javascript
   code, which would then be executed when displaying the Configuration Report
   page (adm_config_report.php). The severity of this issue is mitigated by the
   need to have a privileged account. Affects all MantisBT 1.2.x versions.
   Refer to issue #15416 for detailed information.

A workflow-related security issue was also fixed:

 - A user with "Reporter" permissions can modify the workflow status of any
   issue to "New" even if they do not have the necessary privileges to make
   this change.
   Refer to issue #15258 for detailed information.

In addition to the corrections for the above-mentioned security issues, this
release also includes several bug fixes and enhancements:

 - improved Manage Configuration page (better performance, ability to filter
   and edit config options)
 - support for the built-in SOAP extension in addition to nusoap
 - updated translations in many languages

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.13 Security Release (2013-01-22)
-------------------------------------------------

This version had to be withdrawn shortly after release, as it introduced a bug
(#15411) causing the View Issues page to consume significantly more memory for
instances with large numbers of users (order 10k+), leading to system crashes,
as well as an XSS issue (#15415) in the Configuration Report page.

We recommend not to use 1.2.13, and deploy version 1.2.14 instead.


1.2.12 Maintenance Release (2012-11-10)
-------------------------------------------------

MantisBT 1.2.12 resolves over 70 issues mainly in the following categories:
security, MS SQL and PostgreSQL databases support, Change Log page, custom
fields, installation, attachments, SOAP API, XML import/export plugin,
e-mail (including update of the PHPMailer library to version 5.2.1) and others.

In addition, it also brings several enhancements:
 - filter page now allows 'OR' logic and to query by notes' authors
 - improved e-mail logging (see #14630)
 - new 'EVENT_UPDATE_BUG_STATUS_FORM' plugin event
 - updated Admin Guide
 - translations in many languages

All installations that are currently running any 1.2.x or older version are
advised to upgrade to this release.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.11 Maintenance Release (2012-06-08)
-------------------------------------------------

MantisBT 1.2.11 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x or older version are
advised to upgrade to this release.

This release also contains numerous minor bug fixes to MantisBT,
SOAP API fixes, enhancements to the admin guide and improved translations in many
languages.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.10 Maintenance Release (2012-04-01)
-------------------------------------------------

MantisBT 1.2.10 is a maintenance release. All installations that are currently
running any 1.2.x version are advised to upgrade to this release.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.9 Maintenance Release (2012-03-03)
-------------------------------------------------

MantisBT 1.2.9 release delivers 92 fixes and improvements including security
fixes, new MantisBT logo, MantisTouch integration, MS SQL fixes, SOAP API
improvements, and others.  We recommend that all instances be upgraded to this
release.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.8 Security Release (2011-09-05)
-------------------------------------------------

MantisBT 1.2.8 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are advised to
upgrade to this release.

Paulino Calderon from Websec, High-Tech Bridge Security Research Lab and Paul
Richards discovered 3 vulnerabilities:
 - 1x local file inclusion (LFI)/directory traversal
 - 2x cross site scriptin (XSS)

These vulnerabilities could have very severe consequences for users of
MantisBT, particularly as a result of the local file inclusion vulnerability.
If an attacker can upload their own PHP script to the server as an attachment,
they may be able to execute this script using the LFI vulnerability.

Refer to issues #13191 and #13281 for detailed information.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.7 Security Release (2011-08-19)
-------------------------------------------------

MantisBT 1.2.7 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are advised to
upgrade to this release.

Net.Edit0r from BlACK Hat Group posted a vulnerability report for an XSS issue
in search.php. All MantisBT users (including anonymous users that are not
logged in to public bug trackers) could be impacted by this vulnerability.
Refer to issue #13245 for full details.

This release also contains numerous minor bug fixes to MantisBT and improved
translations in many languages.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.6 Maintenance Release (2011-07-26)
-------------------------------------------------

MantisBT 1.2.6 is a maintenance update for the stable 1.2.x branch. It is
recommended that all MantisBT users (including those still using 1.1.x or
earlier versions) upgrade to this latest release.

This release brings bug fixes and improvements across a range of MantisBT
features, especially the SOAP API, authentication, time tracking, and
billing areas. Documentation and translation updates are also included.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.5 Maintenance Release (2011-04-05)
-------------------------------------------------

MantisBT 1.2.5 is a maintenance update for the stable 1.2.x branch. It is
recommended that all MantisBT users (including those still using 1.1.x or
earlier versions) upgrade to this latest release.

This release brings improved translations in many languages as well as
numerous bug fixes across a range of MantisBT features.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.4 Security Release (2010-12-15)
-------------------------------------------------

MantisBT 1.2.4 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are advised to
upgrade to this release.

Gjoko Krstic of Zero Science Lab reported multiple vulnerabilities in the
admin/upgrade_unattended.php script. Issue #12607 provides more detail on the
vulnerabilities discovered. We thank Gjoko for his detailed assistance with
testing, patching and answering questions. Please note that the /admin/
directory should be removed from all MantisBT installations after the
installation or upgrade has been completed. This is particularly true for
MantisBT installations accessible over the Internet.

Also included with 1.2.4 are some bug fixes relating to fonts in the
MantisGraph plugin, SOAP API, CSV export, custom field values, relationship
graphs, fields on the manage user page, built-in time tracking and the
allow_reporter_close feature. This release includes updated translations for
many languages and improved installation documentation in doc/INSTALL.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.3 Security Release (2010-09-14)
-------------------------------------------------

MantisBT 1.2.3 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are advised to
upgrade to this release.

Issue #12312 covers an XSS vulnerability in the upstream NuSOAP library.
The fix has been applied to the library included in MantisBT releases, and a
patch has been submitted upstream for future releases of NuSOAP. See
http://www.mantisbt.org/bugs/view.php?id=12312 for further details.

Also included with 1.2.3 are another round of XSS fixes to MantisBT, improved
excel export, translation updates, and bug fixes to the SOAP API, installation,
plugin system, and email notifications.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.2 Security Release (2010-07-29)
-------------------------------------------------

MantisBT 1.2.2 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are advised to
upgrade to this release.

Issue #11952 covers a security fix to the display of inline attachments, where
"Arbitrary inline attachment rendering could lead to cross-domain scripting or
other browser attacks".  See http://www.mantisbt.org/bugs/view.php?id=11952
for further details and information.

Also included with 1.2.2 are a range of translation updates, regression fixes,
and bug fixes, including multiple SOAP API-related bugs and regressions.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.1 Maintenance Release (2010-04-23)
-------------------------------------------------

MantisBT 1.2.1 is a maintenance update for the stable 1.2.x branch. All
installations that are currently running any 1.1.x or 1.2.0 version are
advised to upgrade to this release.

Included with 1.2.1 are a range of bug fixes, translation updates, and general
improvements over the initial 1.2.0 release.  Highlights include an improved
installation, a fixed upgrade path from 1.1.x, fixes to the URL and path
detection, and updates to the plugin event system.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.0 Stable Release (2010-02-22)
-------------------------------------------------

This release marks the first official release in the 1.2.x series of MantisBT.
1.2.0 is a major feature release for MantisBT, and includes many bugfixes and
enhancements over the 1.1.x stable branch.  All users of 1.1.x are highly
encouraged to upgrade as soon as possible.

There are many new features added to 1.2.0, including:

 - Converted the MantisBT Manual to Docbook format, and added a new Developer's
   Guide manual, both of which are compiled and included in every release

 - Implemented a plugin system with many plugins already released [2]

 - Global categories available to all projects, as well as project categories
   inheriting from parent projects to child projects;  both are optional

 - Tracked change history for textarea fields (Description, etc) and bug notes

 - Customizable sets of columns for View Issues page and export formats

 - Combined simple and advanced views into a single, configurable view that
   allows selecting exactly what fields to show or hide

 - Improved roadmap and changelog pages, including version release dates, and
   permalinks to individual versions

 - Marking versions as obsolete to hide them from the roadmap and changelog

 - More configuration options for rebranding MantisBT installations

 - Improved support for PostgreSQL databases

 - Improved support for UTF-8 localizations and content

 - Implemented custom search providers for Firefox and Internet Explorer

 - Implemented localized timestamps using according to user-preferred timezones


There have also been many improvements to the codebase beyond adding features:

 - Migrated to parameterised database queries throughout the codebase for both
   performance and security improvements

 - Added PHPDoc compatible documentation to all internal API's

 - Removed many hardcoded references to access levels and other enumerations,
   for improved customizability.

 - Migrated away from DATETIME fields to integer timestamps for timezone usage

 - All 3rd party code is now contained within the library/ path, including
   documentation on library versions and any patches applied

 - Initial support for MySQL 6 and PHP 5.3


[1] The changelog is split between multiple releases:

	1.2.19     http://www.mantisbt.org/bugs/changelog_page.php?version_id=238
	1.2.18     http://www.mantisbt.org/bugs/changelog_page.php?version_id=191
	1.2.17     http://www.mantisbt.org/bugs/changelog_page.php?version_id=189
	1.2.16     http://www.mantisbt.org/bugs/changelog_page.php?version_id=183
	1.2.15     http://www.mantisbt.org/bugs/changelog_page.php?version_id=182
	1.2.14     http://www.mantisbt.org/bugs/changelog_page.php?version_id=181
	1.2.13     http://www.mantisbt.org/bugs/changelog_page.php?version_id=180
	1.2.12     http://www.mantisbt.org/bugs/changelog_page.php?version_id=150
	1.2.11     http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
	1.2.10     http://www.mantisbt.org/bugs/changelog_page.php?version_id=146
	1.2.9      http://www.mantisbt.org/bugs/changelog_page.php?version_id=140
	1.2.8      http://www.mantisbt.org/bugs/changelog_page.php?version_id=139
	1.2.7      http://www.mantisbt.org/bugs/changelog_page.php?version_id=138
	1.2.6      http://www.mantisbt.org/bugs/changelog_page.php?version_id=114
	1.2.5      http://www.mantisbt.org/bugs/changelog_page.php?version_id=113
	1.2.4      http://www.mantisbt.org/bugs/changelog_page.php?version_id=112
	1.2.3      http://www.mantisbt.org/bugs/changelog_page.php?version_id=111
	1.2.2      http://www.mantisbt.org/bugs/changelog_page.php?version_id=110
	1.2.1      http://www.mantisbt.org/bugs/changelog_page.php?version_id=109
	1.2.0      http://www.mantisbt.org/bugs/changelog_page.php?version_id=108
	1.2.0rc2   http://www.mantisbt.org/bugs/changelog_page.php?version_id=106
	1.2.0rc1   http://www.mantisbt.org/bugs/changelog_page.php?version_id=98
	1.2.0a3    http://www.mantisbt.org/bugs/changelog_page.php?version_id=104
	1.2.0a2    http://www.mantisbt.org/bugs/changelog_page.php?version_id=96
	1.2.0a1    http://www.mantisbt.org/bugs/changelog_page.php?version_id=89

[2] GitHub is now the preferred code collaboration site for MantisBT,
	including the official MantisBT repository and a MantisBT-plugins
	organisation which is used to host repositories of community plugins.

	https://github.com/mantisbt
	https://github.com/mantisbt-plugins

[3] MantisBT can be downloaded from http://www.mantisbt.org/download.php