---
- branch: MAIN
  date: Wed Sep 24 01:06:26 UTC 2014
  files:
  - new: '1.6'
    old: '1.5'
    path: pkgsrc/devel/mantis/MESSAGE
    pathrev: pkgsrc/devel/mantis/MESSAGE@1.6
    type: modified
  - new: '1.43'
    old: '1.42'
    path: pkgsrc/devel/mantis/Makefile
    pathrev: pkgsrc/devel/mantis/Makefile@1.43
    type: modified
  - new: '1.18'
    old: '1.17'
    path: pkgsrc/devel/mantis/PLIST
    pathrev: pkgsrc/devel/mantis/PLIST@1.18
    type: modified
  - new: '1.17'
    old: '1.16'
    path: pkgsrc/devel/mantis/distinfo
    pathrev: pkgsrc/devel/mantis/distinfo@1.17
    type: modified
  - new: '1.1'
    old: '0'
    path: pkgsrc/devel/mantis/options.mk
    pathrev: pkgsrc/devel/mantis/options.mk@1.1
    type: added
  id: 20140924T010626Z.2ec79365cab4e9b4551177d694f0596d265f021d
  log: |
    Update to 1.2.17.

    pkgsrc changes:
    Add bash:run to USE_TOOLS and REPLACE_BASH in installed file.
    Replace PHP interpreter in installed *.php files.
    Move options framework into options.mk.
    Use INSTALLATION_DIRS instead of INSTALL_DATA_DIR.

    From doc/RELEASE:

    1.2.17 Security Release (2014-03-04)
    -------------------------------------------------

    MantisBT 1.2.17 is a security update for the stable 1.2.x branch. All
    installations that are currently running any 1.2.x version are strongly
    advised to upgrade to this release. Download it from [3].

    An SQL injection vulnerability (CVE-2014-2238) in adm_config_report.php
    was patched. Refer to issue #17055 for detailed information.

    This release also includes a few bug fixes for the tracker, including
    News API correction for the regression issue #16940 introduced in 1.2.16,
    as well as updated translations in many languages.

    A full changelog for the 1.2.x series can be found on the official
    site. [1]

    1.2.16 Security Release (2014-02-07)
    -------------------------------------------------

    MantisBT 1.2.16 is a security update for the stable 1.2.x branch. All
    installations that are currently running any 1.2.x version are strongly
    advised to upgrade to this release. Download it from [3].

    The following security issues were resolved:

    - Cross-site scripting (XSS) issue in account_sponsor_page.php, allowing
      a malicious user with project manager access to execute arbitrary
      JavaScript code (CVE-2013-4460). Affects MantisBT 1.1.0 and later.
      Refer to issue #16513 for detailed information.
    - SQL injection attacks through the SOAP API's mc_attachment_get()
      function (CVE-2014-1608). Affects MantisBT 1.1.0a4 and later.
      Refer to issue #16879 for detailed information.
    - Additional cases of unsanitized SQL query parameters usage were
      identified, potentially allowing SQL injection attacks (CVE-2014-1609).
      Refer to issue #16880 for detailed information.

    This release also includes many bug fixes and enhancements to the tracker
    and the SOAP api, as well as updated translations in many languages.

    A full changelog for the 1.2.x series can be found on the official
    site. [1]

    [1] The changelog is split between multiple releases:
        1.2.17 http://www.mantisbt.org/bugs/changelog_page.php?version_id=189
        1.2.16 http://www.mantisbt.org/bugs/changelog_page.php?version_id=183
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/devel/mantis'
  unixtime: '1411520786'
  user: rodent