CVS commit: pkgsrc/devel/mantis

["Ryo ONODERA" <ryoon%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   ryoon
Date:           Sun Jun 30 11:47:44 UTC 2013

Modified Files:
        pkgsrc/devel/mantis: Makefile PLIST distinfo

Log Message:
Update to 1.2.15

Changelog:

MantisBT 1.2.15 is a security update for the stable 1.2.x branch. All 
installations that are currently running any 1.2.x version are strongly advised 
to upgrade to this release.

- 0002971: [bugtracker] Reminders are not added to bug history (dregad) - 
closed.
- 0015470: [bugtracker] Reminders recipient list is truncated (dregad) - closed.
- 0010047: [documentation] Adding new statuses section is missing a step 
(dregad) - closed.
- 0010118: [documentation] lang_get_current() returns wrong language if 
$g_default_language overwritten (dregad) - closed.
- 0010372: [feature] Don't allow reminders to be sent if the user doesn't have 
an email address specificed (dregad) - closed.
- 0013054: [installation] Installer displays a blank page if core.php 
encounters a critical error (dregad) - closed.
- 0015357: [bugtracker] uninitialized library path (dregad) - closed.
- 0015471: [bugtracker] bug_reminder.php does not handle unsent reminders 
(dregad) - closed.
 - 0015472: [bugtracker] email_bug_reminder() API's return array is always full 
list of recipients (dregad) - closed.
- 0015481: [custom fields] Custom fields values are not sorted in the main 
filter (dregad) - closed.
- 0015528: [printing] Custom fields user has no access to should not be 
displayed on print pages (dregad) - closed.
- 0015538: [bugtracker] Issues list is not displayed when $g_limit_reporters is 
ON (dregad) - closed.
- 0015540: [documentation] Wrong example code for custom status translation 
(atrol) - closed.
- 0015558: [bugtracker] url_get() does not fall back to other methods when no 
data is retrieved (dregad) - closed.
- 0015573: [security] CVE-2013-1883: One query can be issued via current Mantis 
interface to take down site (dregad) - closed.
- 0015575: [documentation] Turning on $g_show_queries_list causes Mantis to 
crash with an error (dregad) - closed.
- 0015659: [localization] Appears @70@ and @80@ in the list of resolutions in 
the "view Issues" page when mantis is in catalan. (dregad) - closed.
- 0015691: [administration] Config report: retrieval of saved project filter 
from cookie does not work (dregad) - closed.
- 0015453: [security] CVE-2013-1930: Close button is shown on webpage despite 
'close' is not a valid status by workflow (dregad) - closed.
- 0015511: [security] CVE-2013-1931: XSS vulnerability when deleting a version 
(atrol) - closed.
- 0015698: [bugtracker] 'extract() expects parameter 1 to be array, boolean 
given' in '/srv/www/bugs/account_prof_edit_page.php' line 48 (dregad) - closed.
- 0015704: [documentation] Wrong description of writing custom_functions 
(atrol) - closed.
- 0015744: [bugtracker] Reminder bugnote with list of recipients not added if 
no text provided (dregad) - closed.
- 0015451: [api soap] Incorrect invocations of SoapObjectsFactory::newSoapFault 
(rombert) - closed.
- 0015517: [api soap] mc_project_get_versions() result can't be parsed by C# 
(dregad) - closed.
- 0015522: [api soap] mc_project_get_issues does not report due_date (dregad) - 
closed.

MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All 
installations that are currently running any 1.2.x version are strongly advised 
to upgrade to this release.

Please refer to the release notes for details.

- 0015416: [security] CVE-2013-1934: XSS issue in adm_config_report.php when 
displaying complex value (dregad) - closed.
- 0015415: [security] CVE-2013-1932: XSS vulnerability on Configuration Report 
page (dregad) - closed.
- 0015411: [performance] Huge memory consumption for print_user_option_list() 
(dregad) - closed.

MantisBT 1.2.13 had to be withdrawn shortly after release, as it introduced a 
bug
(#15411) causing the View Issues page to consume significantly more memory for
instances with large numbers of users (order 10k+), leading to system crashes,
as well as an XSS issue (#15415) in the Configuration Report page.

We recommend not to use 1.2.13, and deploy version 1.2.14 instead.

- 0014871: [api soap] Add support for the built-in soap extension in addition 
to nusoap (rombert) - closed.
- 0003693: [bugtracker] Make the username in Manage Projects a clickable link 
to edit that user (dregad) - closed.
- 0007586: [customization] generic configuration editor cannot 'EDIT' an option 
(dregad) - closed.
- 0010130: [filters] Filter "Assigned to" does not display usernames when 
project "All Projects" is selected (dregad) - closed.
- 0011854: [documentation] Parameter $g_default_timezone" is not mentioned in 
administration_guide (dregad) - closed.
- 0013298: [preferences] commas and multi-dimensional arrays in adm_config_set 
(dregad) - closed.
- 0013680: [performance] Configuration page takes a very long time to load 
(dregad) - closed.
- 0014009: [administration] admin/check.php fatal error on PHP 5.1.x (undefined 
function timezone_identifiers_list()) (dregad) - closed.
- 0014559: [administration] Adding filter for "Configuration report" (dregad) - 
closed.
- 0015199: [other] Update json api error format (rombert) - closed.
- 0015201: [db postgresql] Summary page fail (dregad) - closed.
- 0015384: [security] CVE-2013-1810 XSS vulnerability on summary page (dhx) - 
closed.
- 0015247: [administration] Protected account change still sends email (dregad) 
- closed.
- 0015248: [email] The order of sending emails is inverted when using cron 
(dregad) - closed.
- 0015255: [bugtracker] Date filter fields are disabled when $g_use_javascript 
= OFF (dregad) - closed.
- 0015257: [filters] Inconsistent use of numeric vs text month in date filter 
selection fields (dregad) - closed.
- 0015258: [security] CVE-2013-1811 Reporter can change issue status to 'new' 
(dregad) - closed.
- 0015260: [bugtracker] access_get_status_threshold() returns incorrect value 
for NEW (dregad) - closed.
- 0015264: [custom fields] custom_field_get_id_from_name() broken since 1.2.12 
(dregad) - closed.
- 0015265: [custom fields] custom_field_get_id_from_name() doesn't cache result 
of obsolete custom field names (dregad) - closed.
- 0015280: [code cleanup] Form in manage_columns_inc.php has misleading name 
and unnecessary multipart encoding (dregad) - closed.
- 0015320: [filters] Date filters broken since 1.2.12 (rombert) - closed.
- 0015360: [bugtracker] Add Missing config 'reminder_receive_threshold' in 
workflow threshold page (dregad) - closed.
- 0015370: [bugtracker] When a bug is resolved on report, default the handler 
to the current user (rombert) - closed.
- 0015373: [security] CVE-2013-0197 XSS vulnerability with match_type filter 
(dhx) - closed.
- 0015382: [email] Additional improvements to email logging (dregad) - closed.
- 0015388: [filters] Update the match_type parameter to be XSS-safe by itself 
(dregad) - closed.
- 0015389: [filters] Display of match_type filter property for unknown types 
(dregad) - closed.
- 0015356: [api soap] improve error handling in mc_issue_api.php (rombert) - 
closed.
- 0014157: [api soap] Array to string conversion error on soap request with PHP 
5.4 (rombert) - closed.
- 0014672: [api soap] Slow performance of SOAP calls due to nusuoap (rombert) - 
closed.
- 0015222: [api soap] mc_project_delete_category fails to delete category 
(rombert) - closed.


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 pkgsrc/devel/mantis/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/mantis/PLIST
cvs rdiff -u -r1.15 -r1.16 pkgsrc/devel/mantis/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.