From: Victor B. <vb...@gm...> - 2013-04-14 01:30:41
Blog Post: http://www.mantisbt.org/blog/?p=249

MantisBT 1.2.15 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following security issues were resolved:

- Any malicious user could use the view issues page (search.php) to execute a filter that could bring down the site by overloading the database server (CVE-2013-1883). Affects MantisBT 1.2.12 and later. Refer to issue #15573 <http://www.mantisbt.org/bugs/view.php?id=15573> for detailed information.
- A cross-site scripting (XSS) vulnerability allowed execution of arbitrary JavaScript code when deleting a version. Affects MantisBT 1.2.14 and later. Refer to issue #15511 <http://www.mantisbt.org/bugs/view.php?id=15511> for detailed information.
- In some cases, the ‘Close’ button would be available to unauthorized users, allowing them to close issues at will, bypassing the workflow settings. Affects MantisBT 1.2.12 and later. Refer to issue #15453 <http://www.mantisbt.org/bugs/view.php?id=15453> for detailed information.

This release also includes several bug fixes and enhancements to the tracker and the SOAP API, as well as updated translations in many languages. A full changelog for 1.2.15 can be found here <http://www.mantisbt.org/bugs/changelog_page.php?version_id=182>.

Go ahead and download <http://www.mantisbt.org/download.php> it now.

Check out Hosted MantisBT <http://www.mantisbt.org/hosting.php> to be up and running in minutes.

For optimized access to MantisBT from iPhone, Android and Windows Phone, check out MantisTouch <http://www.mantistouch.org/>.

Thanks,
-MantisBT Team