MantisBT 2.27.0 Released

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

MantisBT 2.27.0

This release includes over 50 enhancements and bug fixes, and sees the end of support for older PHP versions as we increase our minimum requirement to 7.4. Here are a few highlights among the many changes.

Thanks to community member Grummbeer‘s contributions, there have been many improvements to Markdown processing. This includes syntax highlighting for code blocks (0034124), improved rendering and a fix for the infamous and long-standing double quotes " and lesser than sign < rendered as HTML entities bug (0024628).

Categories can now be disabled (0031017); graphs generation has been refactored for better performance (0034042) and enhanced display (0034608); improved error handling facilitates troubleshooting when something goes wrong.

There is more of course, so for full details please refer to the Change Log.

MantisBT 2.26.4 Released

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

MantisBT 2.26.4

Maintenance and security release addressing an information disclosure vulnerability (CVE-2024-45792) and a regression introduced by 2.26.3 on Manage Projects Page, as well as several bug fixes.

All installations are advised to upgrade as soon as possible.

  •  0034640[security] CVE-2024-45792: Insecure Direct Object References vulnerability with user profiles (dregad)
  •  0034634[other] Non-existing issue number does not throw a 404 in the UI (dregad)
  •  0034768[sub-projects] ‘INTERNAL APPLICATION ERROR’ editing some projects from manage_proj_page.php (atrol)
  •  0026672[api soap] mc_issue_add fails with “Object of class SoapFault could not be converted to int” (dregad)
  •  0032557[bugtracker] Can not set full URL to $g_manual_url in config_inc.php (dregad)
  •  0034618[administration] Disabled projects are not listed on page manage_proj_page.php (dregad)
  •  0034682[bugtracker] Incorrect usage of lang_get_defaulted() for an URL (dregad)
  •  0034683[api rest] REST POST /issues allows creation of Issue when invalid Category is specified (dregad)
  •  0034684[api soap] SOAP API throwing deprecation warning on PHP 8.1 (dregad)

MantisBT 2.26.3 Released

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

MantisBT 2.26.3

Maintenance release, fixing a couple regressions from 2.26.2 and a few other issues.

All installations are advised to upgrade as soon as possible.

  •  0034442[html] Wrong display of some column titles on “View Issues” page (dregad)
  •  0034461[relationships] Relationship Graphs show/hide flag is not persistent (dregad)
  •  0034462[relationships] Truncated HTML entities shown in Relationship Graph nodes’ Issue summary (dregad)
  •  0034460[filters] Sorting by “overdue” column does not work if “due_date” is not visible (dregad)
  •  0025407[api rest] Resetting version fields to empty is not possible (dregad)
  •  0034458[ui] Better icon for “overdue” column (dregad)
  •  0034586[api rest] REST API GET /filters/{ID} returns empty array when ID does not exist (dregad)
  •  0034492[code cleanup] Duplicated code in admin/check_api.php (dregad)
  •  0034480[db mysql] Using MySQL 8.4 gives warning in admin checks (dregad)
  •  0034493[api rest] REST API GET /issues endpoint returns HTML if given filter_id is not found (dregad)
  •  0034571[ldap] ldap_simulation_get_user() does not return null when given non-string username (dregad)
  •  0034566[administration] The “realname” field is cleared after a user is updated. (dregad)
  •  0034526[performance] Bad performance when editing a project having a lot of subprojects (community)
  •  0034589[code cleanup] CSP img-src has a duplicate ‘self’ value (dregad)

MantisBT 2.26.2 Released

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

MantisBT 2.26.2

Security and maintenance release addressing several vulnerabilities (CVE-2024-34077, CVE-2024-34080 and CVE-2024-34081; refer to the corresponding Issues below for details).

It also resolves a few PHP 8.x compatibility issues, as well as a few other bugs.

All installations are strongly advised to upgrade as soon as possible.

  •  0033906[bugtracker] Failed opening core.php in timeline_inc.php on PHP 8.2 / IIS (dregad)
  •  0034008[documentation] MantisGraph: document usage of EVENT_MANTISGRAPH_SUBMENU (dregad)
  •  0034006[code cleanup] MantisGraph: fix deprecated warnings in javascript (dregad)
  •  0034393[html] Incorrect handling of HTML hexadecimal character references &#xNNN; (dregad)
  •  0034439[code cleanup] Deprecated warning when updating Issue with null checkbox Custom Field (dregad)
  •  0034441[excel] Excel error when opening exported issues with custom field with special characters (dregad)
  •  0034435[bugtracker] Issue note links don’t reflect if issue is resolved (vboctor)
  •  0034434[security] CVE-2024-34080: Don’t hyperlink references to notes whose issues are not accessible to user (vboctor)
  •  0034433[security] CVE-2024-34077: Account Takeover in Password Reset and Account Registration Feature (dregad)
  •  0034432[security] CVE-2024-34081: Unsanitised custom field names printed (dregad)
  •  0034417[security] Update corejs-typeahead.js library to 1.3.4 (dregad)
  •  0034410[api rest] REST API error reports incorrect field “version” when updating fixed in / target version with invalid value (dregad)
  •  0034399[other] Internal server error on view_user_page (atrol)
  •  0012956[bugtracker] Target Version does not respect GET or POST value when reporting issue (dregad)
  •  0034404[bugtracker] Proceed button is shown twice when redirecting with pending errors (dregad)
  •  0034359[api rest] REST API: “String not found” warning when adding note with invalid view_state (dregad)
  •  0034348[api rest] Adding issue note with REST API returns HTTP 500 when given view_state is invalid (dregad)
  •  0034018[filters] Filter “assigned to” and “monitor by” shows <br /> between the users when selecting multiple (advanced filtering) (dregad)
  •  0034106[code cleanup] Deprecated creation of dynamic properties in BugData class (dregad)

MantisBT 2.26.1 Released

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

MantisBT 2.26.1

Security and maintenance release addressing a host header injection vulnerability (CVE-2024-23830).

It also resolves several regression issues introduced in 2.26.0 release, and includes fixes for PHP 8.x compatibility as well as other issues.

All installations are advised to upgrade as soon as possible.

  •  0033171[db schema] Update ADOdb to 5.22.7 (dregad)
  •  0033481[ui] Missing space between “*” and label for required fields on bug report page (dregad)
  •  0033426[authentication] User not authenticated when following link from notification email (dregad)
  •  0033422[api rest] Updating an issue with bugnote having empty text causes PHP errors (dregad)
  •  0033418[documentation] Document PHP ctype extension as required (dregad)
  •  0033402[api rest] Updating an Issue through the API sets all comments last edit timestamp (community)
  •  0033374[other] Erratic behavior of RestProjectVersionTest::testProjectUpdateVersion PHPUnit test case (dregad)
  •  0033372[db mssql] SQL error opening Manage Users page with MSSQL (dregad)
  •  0033248[custom fields] APPLICATION ERROR 2800 Invalid form security token when trying to delete custom field (dregad)
  •  0033358[custom fields] Custom fields are showing when resolving issues form despite not checking the option (atrol)
  •  0033375[tools] Enable PHP 8.3 on Travis CI builds (dregad)
  •  0033404[authorization] Unable to grant user access to private issue by adding them as a monitoring user (atrol)
  •  0033480[bugtracker] Blank page when redirecting with print_successful_redirect() (dregad)
  •  0019381[security] CVE-2024-23830: Host header attack vulnerability (dregad)
  •  0033519[installation] MySQL Native Driver (mysqlnd) is required (dregad)
  •  0033588[administration] Creating an Configuration Option with complex array fails when number is negative (dregad)
  •  0033631[code cleanup] Uncaught exception in installer (dregad)
  •  0033634[rss] Error in creating RSS when there are no issues to publish (dregad)
  •  0033651[ui] Overflowing text issue on sidebar menu (dregad)
  •  0033756[installation] Errors on browser console when installing (dregad)
  •  0033773[installation] Install: reset buttons for table prefix/suffix not working at stage 2 (dregad)