{"id":236,"date":"2013-01-23T06:49:11","date_gmt":"2013-01-23T06:49:11","guid":{"rendered":"http:\/\/www.mantisbt.org\/blog\/?p=236"},"modified":"2015-01-16T09:41:14","modified_gmt":"2015-01-16T14:41:14","slug":"mantisbt-1-2-13-released","status":"publish","type":"post","link":"https:\/\/mantisbt.org\/blog\/archives\/mantisbt\/236","title":{"rendered":"MantisBT 1.2.13 Released"},"content":{"rendered":"<p><strong><em>This release was pulled shortly after going live, since we discovered it introduced a bug causing the View Issues page to consume significantly more memory for instances with large numbers of users (order 10k+).\u00a0 MantisBT 1.2.14 fixes this issue and was released on January 30th, 2013.<\/em><\/strong><!--more--><\/p>\n<p>MantisBT 1.2.13 is a security update for the stable 1.2.x branch. All\u00a0installations that are currently running any 1.2.x version are strongly advised\u00a0to upgrade to this release.<\/p>\n<p>Two cross-site scripting (XSS) vulnerabilities affecting MantisBT 1.2.12\u00a0only (earlier versions are not impacted) were discovered:<\/p>\n<ul>\n<li><span style=\"font-size: 16px;\"><strong>CVE-2013-0197<\/strong>: a malicious person could trick the browser of a target user\u00a0<\/span><span style=\"font-size: 16px;\">into executing arbitrary JavaScript code. This vulnerability is particularly\u00a0wide-reaching due to the affected page (search.php) being usable anonymously\u00a0on public-facing installations (i.e. no user login required). 
\u00a0Refer to issue <a href=\"http:\/\/www.mantisbt.org\/bugs\/view.php?id=15373\" target=\"_blank\">#15373<\/a> for detailed information.<\/span><\/li>\n<li><span style=\"font-size: 16px;\"><strong>CVE-2013-XXXX<\/strong>: A user holding manager\/administrator permissions could create\u00a0<\/span><span style=\"font-size: 16px;\">a category or project name containing JavaScript code; from that point on,\u00a0 visitors to the Summary page (summary.php) are exposed to having the\u00a0JavaScript execute within their browser environment. The severity of this\u00a0issue is mitigated by the need to have a privileged account to modify\u00a0category and project names. \u00a0Refer to issue <a href=\"http:\/\/www.mantisbt.org\/bugs\/view.php?id=15384\" target=\"_blank\">#15384<\/a> for detailed information.<\/span><\/li>\n<\/ul>\n<p>A workflow-related security issue was also fixed:<\/p>\n<ul>\n<li><span style=\"font-size: 16px;\"><strong>CVE-2013-XXXX<\/strong>: a user with &#8220;Reporter&#8221; permissions can modify the workflow\u00a0status of any issue to &#8220;New&#8221; even if they do not have the necessary\u00a0privileges to make this change. 
\u00a0Refer to issue <a href=\"http:\/\/www.mantisbt.org\/bugs\/view.php?id=15258\" target=\"_blank\">#15258<\/a> for detailed information.<\/span><\/li>\n<\/ul>\n<p>In addition to the corrections for the above-mentioned security issues, this\u00a0release also includes several bug fixes and enhancements:<\/p>\n<ul>\n<li><span style=\"font-size: 16px;\">Improved Manage Configuration page (better performance, ability to filter\u00a0<\/span><span style=\"font-size: 16px;\">and edit config options)<\/span><\/li>\n<li><span style=\"font-size: 16px;\">Support for the built-in SOAP extension in addition to nusoap<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 16px;\">A full changelog for 1.2.13 can be found\u00a0<\/span><a style=\"font-size: 16px;\" title=\"ChangeLog for MantisBT v1.2.13\" href=\"http:\/\/www.mantisbt.org\/bugs\/changelog_page.php?version_id=180\" target=\"_blank\">here<\/a><span style=\"font-size: 16px;\">.<\/span><\/p>\n<p>Check out\u00a0<a title=\"Hosted MantisBT\" href=\"http:\/\/www.mantisbt.org\/hosting.php\" target=\"_blank\">Hosted MantisBT<\/a>\u00a0to be up and running in minutes. 
\u00a0For optimized access to MantisBT from iPhone, Android and Windows Phone, check out\u00a0<a title=\"MantisTouch\" href=\"http:\/\/www.mantistouch.org\" target=\"_blank\">MantisTouch<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This release was pulled shortly after going live, since we discovered it introduced a bug causing the View Issues page to consume significantly more memory for instances with large numbers of users (order 10k+).\u00a0 MantisBT 1.2.14 fixes this issue and was released on January 30th, 2013.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-236","post","type-post","status-publish","format-standard","hentry","category-mantisbt"],"_links":{"self":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/comments?post=236"}],"version-history":[{"count":11,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/236\/revisions"}],"predecessor-version":[{"id":341,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/236\/revisions\/341"}],"wp:attachment":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/media?parent=236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/categories?post=236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/tags?post=236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}