MantisBT 1.2.16 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.
Unfortunately we introduced a regression http://www.mantisbt.org/bugs/view.php?id=16940 .
Don't use this version if you use the news feature of MantisBT or apply the small change that is mentioned in the issue.
The following security issues were resolved:
SQL injection attacks through the SOAP API’s mc_attachment_get() function (CVE-2014-1608). Affects MantisBT 1.1.0a4 and later. Refer to issue http://www.mantisbt.org/bugs/view.php?id=16879 for detailed information.
Additional cases of unsanitized SQL query parameters usage were identified, potentially allowing SQL injection attacks (CVE-2014-1609). Refer to issue http://www.mantisbt.org/bugs/view.php?id=16880 for detailed information.
This release also includes many bug fixes and enhancements to the tracker and the SOAP api, as well as updated translations in many languages.
A full changelog can be found at:
http://www.mantisbt.org/bugs/changelog_ ... ion_id=183
The release can be downloaded from
http://sourceforge.net/projects/mantisb ... le/1.2.16/
Global announcements, rules, administrative notes, etc.
1 post • Page 1 of 1