{"id":719,"date":"2022-06-24T08:22:02","date_gmt":"2022-06-24T08:22:02","guid":{"rendered":"https:\/\/mantisbt.org\/blog\/?p=719"},"modified":"2022-06-24T08:23:16","modified_gmt":"2022-06-24T08:23:16","slug":"mantisbt-2-25-5-released","status":"publish","type":"post","link":"https:\/\/mantisbt.org\/blog\/archives\/mantisbt\/719","title":{"rendered":"MantisBT 2.25.5 released"},"content":{"rendered":"\n<p>In order to stay up to date with the latest MantisBT news, please star our <a href=\"https:\/\/github.com\/mantisbt\/mantisbt\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub repository<\/a>, join our <a href=\"https:\/\/app.gitter.im\/#\/room\/#mantisbt_mantisbt:gitter.im\" target=\"_blank\" rel=\"noreferrer noopener\">Gitter channel<\/a>, or <a href=\"https:\/\/twitter.com\/mantisbt\" target=\"_blank\" rel=\"noreferrer noopener\">follow us on X<\/a> or <a href=\"https:\/\/phpc.social\/@mantisbt\">Mastodon<\/a> and retweet to spread the word!<\/p>\n\n\n\n<p>Go ahead and&nbsp;<a href=\"https:\/\/mantisbt.org\/download.php\">download<\/a>&nbsp;the release from our website.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MantisBT 2.25.5<\/h2>\n\n\n\n<p>Security and maintenance release fixing vulnerabilities with SVG file attachments (CVE-2022-33910), which are now disabled by default; instances with a custom <em>$g_disallowed_files<\/em> should add <code>svg<\/code> to the list. 
Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/mantisbt.org\/bugs\/view.php?id=29135\">0029135<\/a>: <strong>[security]<\/strong> CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (<a href=\"https:\/\/mantisbt.org\/bugs\/view_user_page.php?id=17784\">dregad<\/a>)<\/li><li><a href=\"https:\/\/mantisbt.org\/bugs\/view.php?id=30541\">0030541<\/a>: <strong>[documentation]<\/strong> Impossibility of deleting attachment with form security validation turned on (<a href=\"https:\/\/mantisbt.org\/bugs\/view_user_page.php?id=17784\">dregad<\/a>)<\/li><li><a href=\"https:\/\/mantisbt.org\/bugs\/view.php?id=30193\">0030193<\/a>: <strong>[bugtracker]<\/strong> PHP 5.6 support broken (<a href=\"https:\/\/mantisbt.org\/bugs\/view_user_page.php?id=17784\">dregad<\/a>)<\/li><li><a href=\"https:\/\/mantisbt.org\/bugs\/view.php?id=30204\">0030204<\/a>: <strong>[filters]<\/strong> Create Permalink &#8211; special characters handling (<a href=\"https:\/\/mantisbt.org\/bugs\/view_user_page.php?id=17784\">dregad<\/a>)<\/li><li><a href=\"https:\/\/mantisbt.org\/bugs\/view.php?id=30533\">0030533<\/a>: <strong>[security]<\/strong> Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote (<a href=\"https:\/\/mantisbt.org\/bugs\/view_user_page.php?id=36846\">community<\/a>)<\/li><li><a href=\"https:\/\/mantisbt.org\/bugs\/view.php?id=30384\">0030384<\/a>: <strong>[security]<\/strong> CVE-2022-33910: Stored XSS via SVG file upload (<a href=\"https:\/\/mantisbt.org\/bugs\/view_user_page.php?id=17784\">dregad<\/a>)<\/li><li><a href=\"https:\/\/mantisbt.org\/bugs\/view.php?id=30416\">0030416<\/a>: <strong>[security]<\/strong> Upgrade guzzlehttp\/guzzle from 6.5.5 to 6.5.8 (<a href=\"https:\/\/mantisbt.org\/bugs\/view_user_page.php?id=17784\">dregad<\/a>)<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>MantisBT 2.25.5 Security and 
maintenance release fixing vulnerabilities with SVG file attachments (CVE-2022-33910), which are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4. 0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad) &hellip; <a href=\"https:\/\/mantisbt.org\/blog\/archives\/mantisbt\/719\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;MantisBT 2.25.5 released&#8221;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,11],"class_list":["post-719","post","type-post","status-publish","format-standard","hentry","category-mantisbt","tag-release","tag-security"],"_links":{"self":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/comments?post=719"}],"version-history":[{"count":1,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/719\/revisions"}],"predecessor-version":[{"id":720,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/719\/revisions\/720"}],"wp:attachment":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/media?parent=719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/categories?post=719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/tags?post=719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}