Restore module checksums that were lost in last update.

Changes with nginx 1.6.2 16 Sep 2014

*) Security: it was possible to reuse SSL sessions in unrelated contexts
   if a shared SSL session cache or the same TLS session ticket key was
   used for multiple "server" blocks (CVE-2014-3616).
   Thanks to Antoine Delignat-Lavaud.

*) Bugfix: requests might hang if resolver was used and a DNS server
   returned a malformed response; the bug had appeared in 1.5.8.

*) Bugfix: requests might hang if resolver was used and a timeout
   occurred during a DNS request.

REPLACE_BASH in installed file. Replace PHP interpreter in installed *.php
files. Move options framework into options.mk. Use INSTALLATION_DIRS
instead of INSTALL_DATA_DIR. From doc/RELEASE:
1.2.17 Security Release (2014-03-04)
-------------------------------------------------
MantisBT 1.2.17 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly advised
to upgrade to this release. Download it from [3].
An SQL injection vulnerability (CVE-2014-2238) in adm_config_report.php was
patched. Refer to issue #17055 for detailed information.
This release also includes a few bug fixes for the tracker, including News API
correction for the regression issue #16940 introduced in 1.2.16, as well as
updated translations in many languages.
A full changelog for the 1.2.x series can be found on the official site. [1]
1.2.16 Security Release (2014-02-07)
-------------------------------------------------
MantisBT 1.2.16 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly advised
to upgrade to this release. Download it from [3].
The following security issues were resolved:
- Cross-site scripting (XSS) issue in account_sponsor_page.php, allowing a
  malicious user with project manager access to execute arbitrary JavaScript
  code (CVE-2013-4460). Affects MantisBT 1.1.0 and later.
  Refer to issue #16513 for detailed information.
- SQL injection attacks through the SOAP API's mc_attachment_get() function
  (CVE-2014-1608). Affects MantisBT 1.1.0a4 and later.
  Refer to issue #16879 for detailed information.
- Additional cases of unsanitized SQL query parameters usage were identified,
  potentially allowing SQL injection attacks (CVE-2014-1609).
  Refer to issue #16880 for detailed information.
This release also includes many bug fixes and enhancements to the tracker
and the SOAP API, as well as updated translations in many languages.
A full changelog for the 1.2.x series can be found on the official site. [1]
[1] The changelog is split between multiple releases:
1.2.17 http://www.mantisbt.org/bugs/changelog_page.php?version_id=189
1.2.16 http://www.mantisbt.org/bugs/changelog_page.php?version_id=183