vboctor/blog_1_3_0_stable.md Secret

## blog_1_3_0_stable.md

      
    Raw
  

              blog_1_3_0_stable.md
            
          
    MantisBT 1.3.0 (stable) Released

After several 1.3.x beta and release candidates, this release marks the first stable 1.3.x release.
The 1.3.0 stable release has more than 500 fixes and improvements compared to 1.2.x releases (see changelogs for 1.3.0, 1.3.0-rc.1, 1.3.0-beta.3, 1.3.0-beta.2, 1.3.0-beta.1).  It is recommended
that all MantisBT administrators upgrade to this release.
Following are some of the highlights of 1.3.0 release:

@ mentions support - mention other users in issue summary, description and notes and they will get an email alerting them to the fact that they were mentioned with the appropriate context.
Support for avatar plugins - We still ship Gravatar out of the box, but it is now very easy to implement other avatar providers that can be based on file system or LDAP.
Support for user lifecycle plugin events - Added plugin events the handle and extend user lifecycle events (see extensibility section below)
Allow administrators to impersonate users - Administrators can now impersonate a user account to verify that it's access level is as expected or to troubleshoot issues that their users are having with Mantis.
Support for notes and tags as columns to configure for view issues, print issues, csv/excel export
Support for login using email address - Users can login using either usernames or email addresses.
Enforcing email uniqueness - User emails must be unique or empty for service accounts.
Enable configuration for email notifications for category owner - The same way it is possible to configure whether reporter of an issue should receive notifications, the same can now happen for category owners.
Re-implemented parsing of complex configuration types for Configuration Report - Re-implemented parsing logic in a robust way leveraging standard PHP methods designed to parse PHP expressions.
Tagging directly from report issue page - You no longer have to report an issue, then go and tag it, this can now be done in a single step.
Timeline feature - The My View (dashboard) page now has the most recent events for the selected project to give users a quick overview of what their team are up to.
API Tokens – Users can now generate tokens to use when connecting via SOAP API rather than having to use their username and password
Anti-spam - Ability to limit the number of issues or notes a user who signed up can submit.
Memo custom fields - This was a popular request, it is now supported.
jQuery and jQueryUI are now included in core - It is no longer needed to install a plugin to get jQuery.  Plugins can just assume it is there.
PHP version compatibility up to PHP 5.6 and PHP 7.
Better generated HTML, relying on CSS instead of inline styles and reducing use of tables for layout
HTML5 doctype - Lots of improvements to generated markup.
Out-of-the-box support for Oracle (oci8)
Greatly enhanced support for PostgreSQL
Improved installation and admin utilities (system check, tools)
Mechanism to prevent concurrent updates to the same issue
Detailed filters hidden by default
Improved XmlImportExport core plugin
Bigger e-mail and realname fields
Improved documentation, migrated to Publican
Improved email notifications when an issue is unassigned or re-assigned
Support attaching files while adding a note + attaching multiple files with same name
Added new log level LOG_EMAIL_VERBOSE.
500+ fixes and improvements

Security


CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php - #20956
Cannot change password in second enter to verification page - #6009
bugnote actions in view bug page should send data as POST - #20141
CVE-2014-9759: SOAP API can be used to disclose confidential settings - #20277
CVE-2014-9572: Improper Access Control in install.php - #19273
CVE-2014-9571: XSS in install.php - #19274
CVE-2015-1042: URL redirection issue - #19275
CVE-2014-9573: SQL Injection in manage_user_page.php - #19277
PHP remote code execution in install.php - #12908
CVE-2014-9701: XSS vulnerability in permalink_page.php - #19504
Registrations by bots via captcha exploit - #10028
Support Content-Security-Policy (CSP) per W3C specification - #14679
install.php: do not send the value of crypto_master_salt over http - #17382
Redirect user to change password if logged in with default admin password - #16477
plugins directory must be secured/fixed - #14538
Provide additional random number generators - #17381
IIS: add web.config to deny access to config folder - #17380
allow_reporter_reopen lets reporter make any update, not just reopen - #11804
Add support for Strict-Transport-Security header - #12881
Improve random number generation with openssl_random_pseudo_bytes - #10730
Do not allow to send a reminder on a private issue to users under threshold - #11981
Remove input side XSS validation of user real names - #12368
When user reports an issue, the unpermitted project can be selected - #16024
Remove all inline JavaScript from MantisBT (use external scripts instead) - #11826

Extensibility

Added the following events (see manual for details):

EVENT_MANAGE_PROJECT_DELETE
EVENT_MANAGE_USER_CREATE_FORM
EVENT_MANAGE_USER_CREATE
EVENT_MANAGE_USER_UPDATE_FORM
EVENT_MANAGE_USER_UPDATE
EVENT_MANAGE_USER_DELETE
EVENT_MANAGE_USER_PAGE
EVENT_MANAGE_VERSION_DELETE
EVENT_VIEW_BUG_ATTACHMENT
EVENT_UPDATE_BUG_DATA
EVENT_USER_AVATAR

Deprecated Features


Custom Functions in favor of Plugins
DB2 support - removed in 2.0.x
News feature - already deprecated
Time tracking - already deprecated
Project Docs - already deprecated
Sponsorships - already deprecated

Removed Features


Built-in source code integration support
FTP for attachments
Removed nusoap in favor of native php soap extension
Removed feature extended project browser (#12245)