Bug 311391 - www-apps/mantisbt-1.2.0 version bump request
Summary: www-apps/mantisbt-1.2.0 version bump request
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Peter Volkov (RETIRED)
Reported: 2010-03-26 06:17 UTC by David Hicks
Modified: 2010-05-11 10:52 UTC
CC: 2 users


Description David Hicks 2010-03-26 06:17:45 UTC
MantisBT 1.2.0 was released on February 22nd 2010 (http://www.mantisbt.org/blog/?p=76).

This release is a large change over 1.1.8 and includes security improvements and the resolution of various XSS vulnerabilities.

MantisBT 1.2.0 works fine with PostgreSQL when using the bundled version of ADOdb. However I'm not sure if the Gentoo version of ADOdb works with MantisBT & PostgreSQL. MantisBT generally recommends using the bundled version of ADOdb as it contains patches not provided in the upstream release.

Reproducible: Always
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2010-03-26 09:08:19 UTC
Thank you for the report.

(In reply to comment #0)
> This release is a large change over 1.1.8 and includes security improvements
> and the resolution of various XSS vulnerabilities.

Do you have any reference on what XSS vulnerabilities were fixed?
 
> MantisBT 1.2.0 works fine with PostgreSQL when using the bundled version of
> ADOdb. However I'm not sure if the Gentoo version of ADOdb works with MantisBT
> & PostgreSQL. MantisBT generally recommends using the bundled version of ADOdb
> as it contains patches not provided in the upstream release.

As I see in git, the bundled adodb fixes are relevant only for those who use mssql, and until somebody really needs such a configuration I'd rather follow the practice of avoiding bundled libs as much as possible.
Comment 2 David Hicks 2010-03-26 09:46:50 UTC
Thanks for the quick response. Regarding the XSS issues, please refer to this list (commits from the end of last year):

http://git.mantisbt.org/?p=mantisbt.git&a=search&h=HEAD&st=commit&s=XSS

I'm the author of many of those commits so if you have questions, I can probably answer them.

If you look at the 1.1.x tree at http://git.mantisbt.org/?p=mantisbt.git;a=shortlog;h=refs/heads/master-1.1.x you'll see that I started backporting some of these fixes to the 1.1.x branch but gave up due to the time it was taking (with testing included). The 1.1.x and 1.2.x branches are vastly different (whole sections of the software are completely rewritten) which makes backporting from 1.2.x to 1.1.x a non-trivial task.

MantisBT 1.2.0 has many other security enhancements including HttpOnly cookie flag usage, CSRF protection on all forms (where 1.1.x used CSRF in some cases but not all) and so forth.

Relevant commits for some of the enhanced security features:
http://git.mantisbt.org/?p=mantisbt.git&a=search&h=HEAD&st=commit&s=CSRF
http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=58a67eef218321bed2d1584b092cce1bc73d4cc9

Furthermore, support for the 1.1.x branch was dropped with the 1.1.8 release of MantisBT (exceptional security issues aside) as per http://www.mantisbt.org/blog/?p=53

What I'm trying to get at here is that MantisBT 1.1.x now has a very limited user base (which doesn't include any of the key developers I know of), has many outstanding security issues and is dramatically different to 1.2.x (making backporting of patches a very time consuming and risky task).


On the matter of ADOdb (and other bundled libraries), it's on the developer TODO list to remove bundling wherever possible. This may result in dropping non-maintained libraries in favour of more modern libraries or forking old projects. Or perhaps it could just be the bundling of essential patches where upstream projects are being too slow with making a new release (as opposed to bundling entire pre-patched software libraries).
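Added illustration, not MantisBT code and not part of this thread: the two mitigations named in comment 2, a session cookie carrying the HttpOnly flag and CSRF tokens that are checked for every state-changing form. The check is placed in the one dispatcher all POSTs pass through, rather than in each handler, which is the structural difference between "CSRF in some cases but not all" and "on all forms". The cookie name, form names, handler bodies and the `App` class are assumptions made for the example.

```python
"""Added example (not MantisBT code): HttpOnly session cookie plus per-form
CSRF tokens enforced centrally.  Cookie/form names are assumed."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"  # assumed name; MantisBT's is configurable


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie line for the session.  HttpOnly keeps the cookie out of
    document.cookie, so an XSS cannot simply read and exfiltrate it."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    morsel = jar[SESSION_COOKIE]
    morsel["httponly"] = True
    morsel["path"] = "/"
    if secure:  # only over TLS; a plaintext leak would defeat HttpOnly
        morsel["secure"] = True
    return jar.output(header="Set-Cookie:").strip()


class Session:
    """Server-side session: the id sent in the cookie and a separate secret
    from which per-form CSRF tokens are derived (never the id itself)."""

    def __init__(self) -> None:
        self.session_id = secrets.token_urlsafe(32)
        self.csrf_secret = secrets.token_bytes(32)


def form_token(session: Session, form_name: str) -> str:
    """HMAC-SHA256(csrf_secret, form_name): a token captured from one form
    (say a harmless search form) is useless against another."""
    return hmac.new(session.csrf_secret, form_name.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session: Session, form_name: str, submitted) -> bool:
    """Constant-time compare; a missing or non-string token fails closed."""
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(form_token(session, form_name), submitted)


class App:
    """Assumed mini dispatcher.  The CSRF check lives in handle_post, the
    single entry point for POSTs, so no registered handler can skip it."""

    def __init__(self) -> None:
        self._handlers = {}
        self.rejected = []  # audit trail of refused submissions

    def form(self, name: str):
        def register(fn):
            self._handlers[name] = fn
            return fn
        return register

    def handle_post(self, session: Session, form_name: str, fields: dict):
        handler = self._handlers.get(form_name)
        if handler is None:
            return 404, "no such form"
        if not token_is_valid(session, form_name, fields.get("csrf_token")):
            self.rejected.append(form_name)
            return 403, "missing or invalid CSRF token"
        return 200, handler(session, fields)


app = App()


@app.form("bug_update")
def bug_update(session: Session, fields: dict) -> str:
    return f"bug {fields['bug_id']} updated"


@app.form("bug_delete")
def bug_delete(session: Session, fields: dict) -> str:
    return f"bug {fields['bug_id']} deleted"


def demo() -> dict:
    """Status codes for the cases a reviewer would check (constructed input)."""
    victim = Session()
    good = form_token(victim, "bug_update")
    other = form_token(Session(), "bug_update")  # attacker's own session
    return {
        "legitimate": app.handle_post(victim, "bug_update", {"bug_id": "7", "csrf_token": good})[0],
        "forged_no_token": app.handle_post(victim, "bug_delete", {"bug_id": "7"})[0],
        "token_from_other_session": app.handle_post(victim, "bug_update", {"bug_id": "7", "csrf_token": other})[0],
        "token_for_other_form": app.handle_post(victim, "bug_delete", {"bug_id": "7", "csrf_token": good})[0],
    }


if __name__ == "__main__":
    print(session_cookie_header("example-session-id"))
    print(demo())
```

Running the script prints the Set-Cookie line with `HttpOnly; Path=/; Secure` and a result dict in which only the legitimate submission gets 200; the three forgeries (no token, a token minted in the attacker's own session, a token copied from a different form) are all refused with 403 before any handler runs.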
Comment 3 Philippe Chaintreuil 2010-04-28 20:48:33 UTC
Version 1.2.1 is now out, with various bug fixes, especially migration fixes.

Announcement: http://www.mantisbt.org/blog/?p=99
ChangeLog: http://www.mantisbt.org/bugs/changelog_page.php?version_id=109

You may just want to jump to that one.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-05-11 10:52:05 UTC
The new version was just added to the tree. Thank you for the report, David, and especially for the help on the mailing list.