Skip to content

Instantly share code, notes, and snippets.

Last active July 9, 2016 23:36
Show Gist options
  • Save vboctor/74c81371629c7a6c40c51d4cfcd484fc to your computer and use it in GitHub Desktop.
Save vboctor/74c81371629c7a6c40c51d4cfcd484fc to your computer and use it in GitHub Desktop.

MantisBT 1.3.0 (stable) Released

After several 1.3.x beta and release candidates, this release marks the first stable 1.3.x release. The 1.3.0 stable release has more than 500 fixes and improvements compared to 1.2.x releases (see changelogs for 1.3.0, 1.3.0-rc.1, 1.3.0-beta.3, 1.3.0-beta.2, 1.3.0-beta.1). It is recommended that all MantisBT administrators upgrade to this release.

Following are some of the highlights of 1.3.0 release:

  • @ mentions support - mention other users in issue summary, description and notes and they will get an email alerting them to the fact that they were mentioned with the appropriate context.
  • Support for avatar plugins - We still ship Gravatar out of the box, but it is now very easy to implement other avatar providers that can be based on file system or LDAP.
  • Support for user lifecycle plugin events - Added plugin events the handle and extend user lifecycle events (see extensibility section below)
  • Allow administrators to impersonate users - Administrators can now impersonate a user account to verify that it's access level is as expected or to troubleshoot issues that their users are having with Mantis.
  • Support for notes and tags as columns to configure for view issues, print issues, csv/excel export
  • Support for login using email address - Users can login using either usernames or email addresses.
  • Enforcing email uniqueness - User emails must be unique or empty for service accounts.
  • Enable configuration for email notifications for category owner - The same way it is possible to configure whether reporter of an issue should receive notifications, the same can now happen for category owners.
  • Re-implemented parsing of complex configuration types for Configuration Report - Re-implemented parsing logic in a robust way leveraging standard PHP methods designed to parse PHP expressions.
  • Tagging directly from report issue page - You no longer have to report an issue, then go and tag it, this can now be done in a single step.
  • Timeline feature - The My View (dashboard) page now has the most recent events for the selected project to give users a quick overview of what their team are up to.
  • API Tokens – Users can now generate tokens to use when connecting via SOAP API rather than having to use their username and password
  • Anti-spam - Ability to limit the number of issues or notes a user who signed up can submit.
  • Memo custom fields - This was a popular request, it is now supported.
  • jQuery and jQueryUI are now included in core - It is no longer needed to install a plugin to get jQuery. Plugins can just assume it is there.
  • PHP version compatibility up to PHP 5.6 and PHP 7.
  • Better generated HTML, relying on CSS instead of inline styles and reducing use of tables for layout
  • HTML5 doctype - Lots of improvements to generated markup.
  • Out-of-the-box support for Oracle (oci8)
  • Greatly enhanced support for PostgreSQL
  • Improved installation and admin utilities (system check, tools)
  • Mechanism to prevent concurrent updates to the same issue
  • Detailed filters hidden by default
  • Improved XmlImportExport core plugin
  • Bigger e-mail and realname fields
  • Improved documentation, migrated to Publican
  • Improved email notifications when an issue is unassigned or re-assigned
  • Support attaching files while adding a note + attaching multiple files with same name
  • Added new log level LOG_EMAIL_VERBOSE.
  • 500+ fixes and improvements


  • CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php - #20956
  • Cannot change password in second enter to verification page - #6009
  • bugnote actions in view bug page should send data as POST - #20141
  • CVE-2014-9759: SOAP API can be used to disclose confidential settings - #20277
  • CVE-2014-9572: Improper Access Control in install.php - #19273
  • CVE-2014-9571: XSS in install.php - #19274
  • CVE-2015-1042: URL redirection issue - #19275
  • CVE-2014-9573: SQL Injection in manage_user_page.php - #19277
  • PHP remote code execution in install.php - #12908
  • CVE-2014-9701: XSS vulnerability in permalink_page.php - #19504
  • Registrations by bots via captcha exploit - #10028
  • Support Content-Security-Policy (CSP) per W3C specification - #14679
  • install.php: do not send the value of crypto_master_salt over http - #17382
  • Redirect user to change password if logged in with default admin password - #16477
  • plugins directory must be secured/fixed - #14538
  • Provide additional random number generators - #17381
  • IIS: add web.config to deny access to config folder - #17380
  • allow_reporter_reopen lets reporter make any update, not just reopen - #11804
  • Add support for Strict-Transport-Security header - #12881
  • Improve random number generation with openssl_random_pseudo_bytes - #10730
  • Do not allow to send a reminder on a private issue to users under threshold - #11981
  • Remove input side XSS validation of user real names - #12368
  • When user reports an issue, the unpermitted project can be selected - #16024
  • Remove all inline JavaScript from MantisBT (use external scripts instead) - #11826


Added the following events (see manual for details):


Deprecated Features

  • Custom Functions in favor of Plugins
  • DB2 support - removed in 2.0.x
  • News feature - already deprecated
  • Time tracking - already deprecated
  • Project Docs - already deprecated
  • Sponsorships - already deprecated

Removed Features

  • Built-in source code integration support
  • FTP for attachments
  • Removed nusoap in favor of native php soap extension
  • Removed feature extended project browser (#12245)
Copy link

atrol commented Jun 8, 2016

Removed feature extended project browser

Copy link

dregad commented Jun 12, 2016


  • DB2 is deprecated, not removed.
  • additional security issue CVE-2016-5364

Remember this is for rc2 and we do 1.3.0 next week as agreed on Gitter

Copy link

dregad commented Jun 12, 2016

also, I've been running on PHP 7 on my dev box for about a month now, without any issues so I think we can mark that as a supported platform

Copy link

vboctor commented Jun 12, 2016

I've applied all comments and changed the release notes so it is not relative to 1.3.0-rc.1. You can also find the 1.3.0-rc.2 release notes at

Copy link

vboctor commented Jun 12, 2016

@dregad are all the security improvements fixes listed here not in 1.2.20 (which we are about to release). I think we should be incremental relative to that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment