2009.04.20 - 1.1.7
===================================
Bugfix maintenance release, cleaning up most of the remaining issues with 1.1.x series.
- 0006848: [administration] Bugs in manage_config_*_set.php (grangeway) - resolved.
- 0009986: [administration] APPLICATION ERROR #2800 using "Delete Project Specific Settings" (jreese) - resolved.
- 0010235: [api soap] mc_issue_attachment_add corrupts attachments (giallu) - resolved.
- 0009888: [bugtracker] Issue History Problem... build, os, os_version, and platform are not looking right and are not effected by language files. (jreese) - resolved.
- 0009999: [bugtracker] APPLICATION ERROR #2800 - While submit a new bug (jreese) - resolved.
- 0009606: [custom fields] Custom fields not enforced. (thraxisp) - resolved.
- 0009979: [custom fields] Function gpc_isset always return false for a custom date field (thraxisp) - resolved.
- 0010035: [custom fields] Custom multi-selection list fields don't allow deselection (thraxisp) - resolved.
- 0010154: [custom fields] Custom field enum values are getting the first and last characters truncated when displayed. (thraxisp) - resolved.
- 0010011: [customization] date_submitted is not set properly in bug object (thraxisp) - resolved.
- 0010200: [email] \n not replaced in registration e-mail (siebrand) - resolved.
- 0010231: [feature] Assigned bug status cannot be changed to new? (jreese) - resolved.
- 0010299: [html] Invalid HTML (jreese) - resolved.
- 0010270: [localization] escaped double quotes in localization files (siebrand) - resolved.
- 0010187: [security] Using dession destroy and unset for logout (jreese) - resolved.
- 0010192: [sub-projects] Repeated Target versions (jreese) - resolved.
- 0010038: [tagging] Problems attaching tags in Chrome (jreese) - resolved.
- 0010050: [time tracking] All leves have access to billing reports - Access level required to run reports does not function (giallu) - resolved.
2008.12.09 - 1.1.6
===================================
This release fixes once and for all the caching troubles from previous stable releases, some
access permissions bugs, and a few various other issues. This release also improves the existing
source control integration by allowing remote checkins.
- 0009893: [administration] Users can change status on ViewOnly Tasks (jreese) - resolved.
- 0009815: [bugtracker] gpc_get_string_array() sometimes returns non-arrays (thraxisp) - resolved.
- 0009869: [bugtracker] application error 2800 still in version 1.1.5 (jreese) - resolved.
- 0009888: [bugtracker] Issue History Problem... build, os, os_version, and platform are not looking right and are not effected by language files. (jreese) - resolved.
- 0009890: [bugtracker] Case of extension for inline image is not ignored (jreese) - resolved.
- 0009900: [customization] Allowing update issue status disables the function to administrator (thraxisp) - resolved.
- 0008847: [integration] Revamp SVN and CVS integration (jreese) - resolved.
- 0009651: [other] Version copy from parent project copies incorrect date (jreese) - resolved.
- 0009928: [other] Inconsistent uses of file extension configuration settings. (jreese) - resolved.
2008.11.21 - 1.1.5
===================================
This release solves more issues relating to the security fixes introduced by 1.1.3, as well as various other minor bugs.
- 0009713: [authentication] Users are unable to confirm registration (jreese) - resolved.
- 0009017: [bugtracker] SYSTEM WARNING implode() [function.implode]: Bad arguments. (jreese) - resolved.
- 0009738: [bugtracker] Browser caching should be enabled on bug_change_status_page.php (jreese) - resolved.
- 0009748: [bugtracker] Port 9737: bugnote_add.php contains undefined t_note_type (vboctor) - resolved.
- 0009754: [bugtracker] Failed to report issue (APPLICATION ERROR #2800) (jreese) - resolved.
- 0009714: [csv] Error message/warning, if HTTP_USER_AGENT is not set (jreese) - resolved.
- 0009808: [db mysql] Linking Sub-Projects to a project -> APPLICATION ERROR #200 (jreese) - resolved.
- 0009760: [other] Mantis checks $g_allow_browser_caching setting incorrectly (jreese) - resolved.
- 0009780: [tagging] Changing project in Tag Details view gives "APPLICATION ERROR #200" (jreese) - resolved.
- 0009803: [tagging] Tags field in filter should not be shown when user has no access to tags (jreese) - resolved.
2008.10.18 - 1.1.4
===================================
We had to withdraw 1.1.3 because of a serious flaw affecting the bug_report*
pages. This new release fixes that problem and a newly discovered security issue
.
- 0009704: [security] Remote Code Execution in manage_proj_page.php (giallu) - r
esolved.
- 0009691: [bugtracker] Failed to report issue.(Always APPLICATION ERROR #2800)
(jreese) - resolved.
- 0009690: [other] Wrong parameter count for session_set_cookie_params() (jreese
) - resolved.
- 0009693: [webpage] Generated HTML contains multiple hostnames when proxied (jr
eese) - resolved.
2008.10.09 - 1.1.3
===================================
In this release we fixed a couple of nasty bugs sneaked into 1.1.2, where sendin
g bugnotes email notifications would fail and browser caching was not functional
.
We also refined the implementation of form security tokens and closed a couple o
f security issues, an information disclosure (with no CVE) and a session hijacki
ng (CVE-2008-3102).
- 0009321: [security] Users can get title and status of issues that they don't h
ave access to. (vboctor) - resolved.
- 0009533: [security] Mantis should use secure sessions on https connections (jr
eese) - resolved.
- 0009286: [administration] stray "2" in manage_user_prune.php (vboctor) - resol
ved.
- 0009664: [authentication] Logout without unsetting session cookie (jreese) - r
esolved.
- 0009323: [bugtracker] Browser caching broken since 1.1.2 (jreese) - resolved.
- 0009470: [bugtracker] Tags filter not filling into text field when selecting f
rom list using Internet Explorer (jreese) - resolved.
- 0009493: [custom fields] Removing custom fields from project causes applicatio
n error 2800 (giallu) - resolved.
- 0009309: [email] Problems with e-mail notifications about bugnotes [PATCH] (gi
allu) - resolved.
- 0004678: [filters] Filter combos don't fill up on if switched to 'All Projects
' - closed.
- 0009430: [graphs] bug_graph_bystatus shows heading by_category (thraxisp) - re
solved.
- 0009431: [localization] no localization for usage of open, resolved, closed in
bug_graph_bystatus.php (thraxisp) - resolved.
- 0008882: [other] Gravatar causes annoying security popups on IE when using Man
tis over HTTPS/SSL (jreese) - resolved.
- 0009361: [other] php session fail created cause mantis app error. (jreese) - r
esolved.
- 0009560: [other] Wrong behaviour in Session API (session_save_path error messa
ge) (jreese) - resolved.
- 0009672: [other] Fixing form error by going back fails because of security tok
en (jreese) - resolved.
- 0009343: [scripting] form security token prevents changing relationship while
resolving bug (jreese) - resolved.
- 0008974: [security] XSS Vulnerability in filters (thraxisp) - closed.
- 0008975: [security] CSRF Vulnerabilities in user_create (jreese) - closed.
- 0008976: [security] Remote Code Execution in adm_config (giallu) - closed.
- 0009154: [security] arbitrary file inclusion through user preferences page (giallu) - closed.
- 0008123: [administration] Adding a user requires "$g_lost_password_feature = ON" (giallu) -
closed.
- 0008924: [bugtracker] Port 8245: Target Version value lost in update issue page (giallu) -
closed.
- 0008886: [change log] Change Log shows duplicate entries (jreese) - closed.
- 0008880: [db postgresql] Problem with date formatting in db_prepare_date function (giallu) -
closed.
- 0009176: [db postgresql] Port 0008699: Get Time Tracking Information return a SQL query error
(vboctor) - closed.
- 0009177: [filters] Port 0008916: Monitor by filter ignores show_monitor_list_threshold (vboctor)
- closed.
- 0008830: [installation] set_time_limit() doesn't work in PHP safe mode (daryn) - closed.
- 0008858: [integration] DokuWiki integration: EMail notification on wiki page changes not working
(vboctor) - closed.
- 0008774: [localization] Complete Hungarian retranslation (vboctor) - closed.
- 0009186: [localization] Port 0009046: French translation for $s_bug_assign_to_button (vboctor) -
closed.
- 0009178: [other] Fix memleak in string api (vboctor) - closed.
- 0009208: [other] Several actions on bug update page lead into System Warning and App. Error
(daryn) - closed.
- 0008931: [relationships] Circle Relations cause roadmap to malfunction (jreese) - closed.
- 0008853: [roadmap] Issue appears more than once in the Roadmap for a release. (jreese) - closed.
- 0007764: [scripting] APPLICATION WARNING #100: Configuration option 'category_enum_string' not
found (vboctor) - closed.
- 0009183: [time tracking] Port 0008357: "Total time for issue" is shown even for users under
threshold (vboctor) - closed.
- 0009184: [time tracking] Port 0008849: Emails ignore time tracking view threshold (vboctor) -
closed.
- 0009185: [time tracking] Port 0008621: The expand icon is inverted for the Time tracking section
(vboctor) - closed.
This is a maintenance release for the 1.1.x branch. It includes a fix for PHP 4 support (#8681 stripos), several fixes for SOAP API, a security fix, and other minor bug fixes.
Mantis 1.1.0 Released
After 4 alpha releases, 3 release candidates and over 400 features and bug fixes, Mantis 1.1.0 gold is finally released. The highlights of the Mantis 1.1.0 release include:
1. Inclusion of MantisConnect (SOAP API) out of the box
2. Wiki integration (dokuwiki, mediawiki, xwiki),
3. Email queuing,
4. Gravatar integration,
5. DB2 support,
6. Tagging,
7. Filtering perma links,
8. Time tracking,
9. Twitter integration,
10. UTF8 support,
11. Generic configuration page,
12. Show last visited issues,
13. XHTML compliance,
14. Authenticated RSS
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
2006.10.28 - 1.0.6
- 0007466: [security] Port: 6719: Manager of a project can assign the Administrator role to a user. (vboctor)
- 0007543: [security] Port 5163: Default value for $g_bug_reminder_threshold should be higher than "reporter" (vboctor)
- 0007467: [administration] Port 6637: Disabled projects don't appear under parent project (vboctor)
- 0007527: [localization] Port 7526: japanese_utf8 is more suitable than japanese_sjis ($g_language_auto_map) (vboctor)
- 0007470: [localization] [all lang] Port latest localization files from Mantis 1.1 to Mantis 1.0.x (vboctor)
- 0007530: [localization] Port:: New Languages: bulgarian, catalan, czech_utf8, french_utf8, italian_utf8, polish_utf8, russian_utf8, slovene_utf8 (vboctor)
- 0007412: [other] Update Mantis to refer to new website (vboctor)
2006.07.23 - 1.0.5
- 0007301: [upgrade] Login page inaccessible after upgrade to 1.0.4 (thraxisp)
2006.07.22 - 1.0.4
- 0007051: [bugtracker] Fix for #6869 / #7034 removes quoted "?" from arguments (thraxisp)
- 0007298: [bugtracker] Port: bugnote_delete.php redirection fails (vboctor)
- 0007299: [bugtracker] Port: Save login feature does not work (vboctor)
- 0007300: [bugtracker] Port: Remember login always redirects to main_page.php (vboctor)
- 0007143: [other] Port: checkin.php needs array_unique() (vboctor)
all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.
OK from jlam@ and adrianp@.
> - 7037: [security] Port: Login with disabled account possible (vboctor)
> - 7034: [bugtracker] Port: bug in string_sanitize_url() (vboctor)
> - 7028: [db mssql] Port: "Prune Accounts" function doesn't work with MS SQL (vboctor)
> - 7029: [db mssql] Port: MS SQL Error on View Filters Page (vboctor)
> - 7030: [db mssql] Port: installtion fails - administrator have no rights on db (vboctor)
> - 7032: [db mssql] Port: Error on opening Change Log (vboctor)
> - 7039: [db mssql] Notice: Only variables should be assigned by reference in coreadodbadodb.inc.php on line 2931 (vboctor)
> - 7035: [feature] Port: Global Profiles list not sorted (vboctor)
> - 7038: [filters] Port: SYSTEM WARNING: Argument 1 to array_multisort() is expected to be an array or a sort flag (vboctor)
> - 7031: [installation] Port: is_writable never success in install.php (vboctor)
> - 7041: [installation] Port: newbie admins may be redirected to blank page (vboctor)
> - 7033: [printing] Port: wrong strpos function call (vboctor)
> - 7027: [upgrade] Port: fixed_in_version is renamed to Fixed_in_version during database migration (vboctor)
0006509: [security] Port: Additional XSS Vulnerabilities in Filter (thraxisp)
0006557: [security] XSS Vulnerability in manage_user (TKADV2005-11-002) (thraxisp)
0006563: [security] Port XSS Vulnerability in project documents (TKADV2005-11-02) (thraxisp)
0006569: [security] XSS Vulnerability in saved queries (TKADV2005-11-002) (thraxisp)
0006594: [bugtracker] config_flush_cache does not work correctly (thraxisp)
0006585: [documentation] don't see the documentation (thraxisp)
0006501: [filters] Categories can't be selected for filter-setting (thraxisp)
From the ChangeLog:
- 0006421: [security] Private bugs show up in public RSS feed (vboctor)
- 0006458: [security] Port #6457: SQL Injection in manage user page (TKADV2005-11-002) (vboctor)
- 0006461: [security] Port #6460: HTTP Header CRLF Injection (TKADV2005-11-002) (vboctor)
- 0006485: [security] XSS Vulnerability in filters (TKADV2005-11-002) (thraxisp)
- 0006489: [security] Port Injection Vulnerabilities in Filters (TKADV2005-11-002) (thraxisp)
- 0006492: [security] Port #6453: Make note private has no effect when resolving bug (thraxisp)
- 0006432: [bugtracker] error processing does not work! (jlatour)
- 0006379: [filters] Filter returns private issues when it should not (thraxisp)
- 0006254: [localization] strings_korean_utf8.txt has UTF-8 byte-order marker (ryandesign)
- 0006268: [localization] strings_chinese_simplified_utf8.txt has UTF-8 byte-order marker (ryandesign)
- 0006304: [localization] [PATCH] Major overhaul of strings_dutch.txt (jlatour)
- 0006358: [localization] Updated Dutch localization (Wanderer)
- 0006474: [localization] Calls to htmlspecialchars should take into account the current charset (jlatour)
From the Changelog:
- 0006273: [security] File Inclusion Vulnerability (vboctor)
- 0006275: [security] SQL injection (vboctor)
- 0006234: [filters] Filter sometimes returns no results (thraxisp)
- 0006295: [filters] Old filters and view_state problems. (thraxisp)
- 0006288: [filters] Patch against CVS HEAD for Saved filter problem with view_state (thraxisp)
- 0006296: [filters] Filter sql includes unnecessary links to custom_field_string_table for date custom fields (thraxisp)
- 0006297: [filters] sorting on custom field, bring MySQL to deadlock loop (thraxisp)
language and requires the MySQL database and a webserver. Mantis has been
installed on Windows, MacOS, OS/2, and a variety of Unix operating systems.
Almost any web browser should be able to function as a client. It is released
under the terms of the GNU General Public License (GPL).
Mantis is free to use and modify. It is free to redistribute as long as you
abide by the distribution terms of the GPL.
