End of PHP 5 support

Since MantisBT 2.0.0, we officially support PHP 5.5.9 and later, aligned with Ubuntu 14.04 LTS “Trusty Tahr” release.

PHP 5.5 has reached end-of-life on July 21st, 2016 and PHP 5.6 support ended on December 31st, 2018 so the time has finally come for us to turn the page and leave 5.x behind, as maintaining compatibility is becoming increasingly difficult with more and more libraries and tools dropping support for it.

Consequently, the upcoming MantisBT 2.25.0 release will be the last one supporting PHP 5.

Starting with MantisBT 2.26.0, the minimum PHP version will be 7.0. This follows our strategy to align our requirements with Ubuntu LTS releases; as of this writing, the oldest one is 16.04 Xenial Xerus, which comes bundled with PHP 7.0.

Note that while PHP 7.0 is also end-of-life since January 10th, 2019, the Ubuntu team is committed to maintaining it for the lifetime of the 16.04 LTS release. Nevertheless, the MantisBT team recommends to run a fully supported PHP version, i.e. 7.3 or later.

Finally, please be advised that we will increase the minimum PHP version again in just a few months, as 16.04 LTS support ends in April 2021. The following LTS release, 18.04 Bionic Beaver, comes bundled with PHP 7.2.

MantisBT 2.24.4 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.4

Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues’ contents. All installations are strongly advised to upgrade as soon as possible.

This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.

  • 0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
  • 0026794: [security] User Account – Takeover (dregad)
  • 0027363: [security] Fixed in version can be changed to a version that doesn’t exist (dregad)
  • 0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
  • 0027357: [security] Attacker can leak private information via different functionality (dregad)
  • 0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
  • 0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
  • 0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
  • 0027361: [security] Private category can be access/used by a non member of a private project (IDOR) (dregad)
  • 0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
  • 0027495: [security] CVE-2020-28413: SQL injection in the parameter “access” on the mc_project_get_users function throught the API SOAP. (dregad) 0027704: [javascript] Javascript error in View Issues page (dregad)
  • 0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
  • 0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
  • 0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
  • 0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
  • 0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)
  • 0027444: [security] Printing unsanitized user input in install.php (atrol)

Many thanks to randomdhiraj, ethicalhcop and d3vpoo1, for identifying and responsibly reporting these security issues.

Go ahead and download the release from our website.

MantisBT 2.24.3 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.3

Security release for 2.24.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0027039: [security] CVE-2020-25781: Access to private bug note attachments (dregad)
  • 0027268: [security] Admin can get issues assigned to users not allowed to handle them (dregad)
  • 0027275: [security] CVE-2020-25288: HTML Injection on bug_update_page.php (dregad)
  • 0027276: [security] Send reminder to viewer (dregad)
  • 0027283: [security] Admin can set viewer as a tag creator (dregad)
  • 0027284: [plug-ins] Priority can override to any positive integer (dregad)
  • 0027299: [code cleanup] Remove code duplication in File API (dregad)
  • 0027303: [code cleanup] When processing categories, it is not necessary to know the project id (dregad)
  • 0027304: [security] CVE-2020-25830: HTML Injection in bug_actiongroup_page.php (dregad)

Many thanks to d3vpoo1 who identified most of the security issues fixed in this release.

Go ahead and download the release from our website.

MantisBT 2.24.2 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.2

Security release for 2.24.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0027003: [security] Update PHPMailer from 6.1.4 to 6.1.6 (dregad)
  • 0027056: [security] CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php (dregad)

Go ahead and download the release from our website.

MantisBT 2.22.1 and 1.3.20 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.22.1

Security release for 2.22.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0026091: [security] CVE-2019-15715: [Admin Required – Post Authentication] Command Execution / Injection Vulnerability (atrol)
  • 0026110: [administration] [Show content] for Complex Configuration option doesn’t work when mod_rewrite is disabled (dregad)
  • 0026160: [security] Update bundled Bootstrap to 3.4.1 (CVE-2019-8331) (dregad)
  • 0026168: [security] Enable integrity hashes for CSS ressources from CDNs (dregad)

MantisBT 1.3.20

Security release for 1.3.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0026162: [security] CVE-2019-15715: Command Execution / Injection Vulnerability (dregad)

Go ahead and download the release from our website.