We have just pushed out 3 maintenance and security releases. All users are encouraged to upgrade to MantisBT 2.4.1. Go ahead and download the release.
The three releases below remain database-schema compatible with each other, so upgrading between them requires no schema change.
- 0022428: [markdown] CSV and Excel exports with markdown on (vboctor)
- 0022906: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
- 0022909: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)
- 0022867: [markdown] Markdown formatting is broken for notes column on View Issues page (vboctor)
- 0022907: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
- 0022908: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)
- 0020168: [db schema] Use of ‘mantis’ as plugin table prefix prevents plugin’s installation (dregad)
- 0022702: [security] CVE-2017-7620: CSRF – Arbitrary Permalink Injection (dregad)
- 0022816: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
This is a feature release that includes all fixes from MantisBT 2.3.2 plus the features and fixes listed below. The big new feature in this release is the new Authentication Plugin model, which lets plugins provide custom authentication methods (see Sample Auth Plugin) so that different users can have different authentication mechanisms: for example, SAML for team members and native MantisBT authentication for customers.
- 04235: [authentication] Support Generic Authentication through Plug-ins (vboctor)
- 21558: [ui] log destination for page produces messed output (syncguru)
- 22665: [documentation] Wrong documentation of option bug_resolution_fixed_threshold (atrol)
- 22689: [bugtracker] HTTP_X_FORWARDED_PROTO is not honored when loading Gravatar (vboctor)
- 22744: [signup] Signup is not working on mantisbt.org/bugs (vboctor)
- 22740: [performance] Allowed memory size of 268435456 bytes exhausted (vboctor)
- 22140: [administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
- 22635: [time tracking] Empty notes with time tracking show as empty notes for users that can’t view time tracking (vboctor)
- 22673: [attachments] Dropzone uploads files when submitting other forms (cproensa)
- 22762: [api rest] Bug in error handling when user doesn’t have access level to handle issue (vboctor)
A maintenance and security fix release.
- 22742: [security] CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php) (dregad)
- 22743: [timeline] Timeline “More Events” button also acts as “Next” button (dregad)
- 22746: [authentication] Lost password redirects to login page if email address is empty and anonymous access is disabled (vboctor)