MantisBT 1.2.14 released

Post by atrol

MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly advised
to upgrade to this release.

Four cross site scripting (XSS) vulnerability issues were discovered and
resolved:

- A malicious person could trick a target user's browser into executing
arbitrary JavaScript code (CVE-2013-0197). This vulnerability is critical,
due to the affected page (search.php) being usable anonymously on
public-facing installations (i.e. without the need for a user login).
Affects MantisBT 1.2.12 only (earlier versions are not impacted).
Refer to issue #15373 for detailed information.

- A user holding manager/administrator permissions could create a category or
project name containing JavaScript code; from that point on, visitors to
(a) the Summary page (summary.php) as well as (b) the Configuration Report
page (adm_config_report.php), are exposed to having the JavaScript execute
within their browser environment. The severity of this issue is mitigated by
the need to have a privileged account to modify category and project names.
Issue (a) affects MantisBT version 1.2.12 and above, while (b) is on 1.2.13
only; earlier releases are not impacted.
Refer to issues #15384 (a) and #15415 (b) for detailed information.

- An administrator could enter a configuration option containing JavaScript
code, which would then be executed when displaying the Configuration Report
page (adm_config_report.php). The severity of this issue is mitigated by the
need to have a privileged account. Affects all MantisBT 1.2.x versions.
Refer to issue #15416 for detailed information.
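The three issues above share one root cause: a value stored by a privileged user (a category name, project name or config option) is written into a page without HTML encoding. The snippet below is an added illustration of that pattern and its fix in plain PHP; it is not MantisBT's own code, the function names are hypothetical and the sample category name is constructed.

```php
<?php
// Added illustration, not MantisBT code: the stored-XSS pattern behind the
// category/project-name and config-option issues, beside the output-encoding fix.
// The helper names are hypothetical; the sample value is constructed.

declare(strict_types=1);

// Constructed sample: a category name as a privileged user might have saved it.
$category_name = 'Web <script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated straight into the HTML,
// so any markup it contains is parsed and executed by the visitor's browser.
function render_category_vulnerable(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Hardened pattern: encode at the output boundary, for the HTML context the
// value lands in. ENT_QUOTES also encodes single quotes, so the same helper is
// safe inside quoted attributes; the explicit charset avoids mis-decoding.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_category_fixed(string $name): string
{
    return '<td>' . html_escape($name) . '</td>';
}

// Regression check of the kind a project can keep in its test suite: the
// encoded output must never contain a raw tag opener or a raw quote.
function output_is_inert(string $html_fragment, string $raw_value): bool
{
    $encoded = html_escape($raw_value);
    return strpos($encoded, '<') === false
        && strpos($encoded, '"') === false
        && strpos($encoded, "'") === false
        && strpos($html_fragment, $encoded) !== false;
}

echo render_category_vulnerable($category_name), PHP_EOL;
echo render_category_fixed($category_name), PHP_EOL;

if (!output_is_inert(render_category_fixed($category_name), $category_name)) {
    throw new RuntimeException('category name reached the page unencoded');
}
```

The same boundary encoding applies to summary.php and adm_config_report.php alike; encoding on input instead would break legitimate names containing characters such as `&` and would leave values stored before the fix unprotected.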

A workflow-related security issue was also fixed:

- A user with "Reporter" permissions can modify the workflow status of any
issue to "New" even if they do not have the necessary privileges to make
this change.
Refer to issue #15258 for detailed information.

In addition to the corrections for the above-mentioned security issues, this
release also includes several bug fixes and enhancements:

- improved Manage Configuration page (better performance, ability to filter
and edit config options)
- support for the built-in SOAP extension in addition to nusoap
- updated translations in many languages


MantisBT 1.2.13 had to be withdrawn shortly after release, as it introduced a bug
(#15411) causing the View Issues page to consume significantly more memory for
instances with large numbers of users (order 10k+), leading to system crashes,
as well as an XSS issue (#15415) in the Configuration Report page.

We recommend not using 1.2.13 and deploying version 1.2.14 instead.

A full changelog for 1.2.14 and 1.2.13 can be found at:
http://www.mantisbt.org/bugs/changelog_ ... ion_id=181
http://www.mantisbt.org/bugs/changelog_ ... ion_id=180

The release can be downloaded from http://sourceforge.net/projects/mantisb ... le/1.2.14/