Revised release notes for 1.2.14

Based on atrol's feedback, added info about #15415.
dregad committed Jan 29, 2013
1 parent 9147d9d commit ee3695f807656188e8a79af7bf09da5375353cf5
Showing with 10 additions and 7 deletions.
  1. +10 −7 doc/RELEASE
@@ -8,7 +8,7 @@ MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are strongly advised
to upgrade to this release.
-Three cross site scripting (XSS) vulnerability issues were discovered and
+Four cross site scripting (XSS) vulnerability issues were discovered and
resolved:
- A malicious person could trick a target user's browser into executing
@@ -19,12 +19,14 @@ resolved:
Refer to issue #15373 for detailed information.
- A user holding manager/administrator permissions could create a category or
- project name containing JavaScript code; from that point on,visitors to the
- Summary page (summary.php) are exposed to having the JavaScript execute
+ project name containing JavaScript code; from that point on, visitors to
+ (a) the Summary page (summary.php) as well as (b) the Configuration Report
+ page (adm_config_report.php), are exposed to having the JavaScript execute
within their browser environment. The severity of this issue is mitigated by
the need to have a privileged account to modify category and project names.
- Affects MantisBT 1.2.12 only (earlier versions are not impacted).
- Refer to issue #15384 for detailed information.
+ Issue (a) affects MantisBT version 1.2.12 and above, while (b) is on 1.2.13
+ only; earlier releases are not impacted.
+ Refer to issues #15384 (a) and #15415 (b) for detailed information.
- An administrator could enter a configuration option containing javascript
code, which would then be executed when displaying the Configuration Report
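Review bot: "Issue (a) affects MantisBT version 1.2.12 and above" reads as if the fixed release 1.2.14 (the one these notes announce) were itself affected; since the vulnerable range is exactly the two releases discussed, "affects MantisBT 1.2.12 and 1.2.13" states it unambiguously. Minor style point in the same hunk: the comma before "are exposed" in "page (adm_config_report.php), are exposed" splits subject from verb and should be dropped.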
@@ -54,8 +56,9 @@ A full changelog for the 1.2.x series can be found on the official site. [1]
-------------------------------------------------
This version had to be withdrawn shortly after release, as it introduced a bug
-causing the View Issues page to consume significantly more memory for instances
-with large numbers of users (order 10k+), leading to system crashes.
+(#15411) causing the View Issues page to consume significantly more memory for
+instances with large numbers of users (order 10k+), leading to system crashes,
+as well as an XSS issue (#15415) in the Configuration Report page.
We recommend not to use 1.2.13, and deploy version 1.2.14 instead.
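Review bot: the rewritten sentence attaches "as well as an XSS issue (#15415)" to the end of a long clause about memory consumption and crashes, so it is not obvious that the XSS issue is a second reason for the withdrawal rather than a consequence of the bug. Suggest splitting it into two items, e.g. "as it introduced two problems: a bug (#15411) causing the View Issues page to consume significantly more memory ... leading to system crashes, and an XSS issue (#15415) in the Configuration Report page." The last line also reads better as "We recommend not using 1.2.13 and deploying version 1.2.14 instead."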