Subject: CVS commit: pkgsrc/devel/mantis
From: Ryo ONODERA
Date: 2013-06-30 13:47:44
Message id: 20130630114745.07E0896@cvs.netbsd.org

Log Message:
Update to 1.2.15

Changelog:

MantisBT 1.2.15 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

- 0002971: [bugtracker] Reminders are not added to bug history (dregad) - closed.
- 0015470: [bugtracker] Reminders recipient list is truncated (dregad) - closed.
- 0010047: [documentation] Adding new statuses section is missing a step (dregad) - closed.
- 0010118: [documentation] lang_get_current() returns wrong language if $g_default_language overwritten (dregad) - closed.
- 0010372: [feature] Don't allow reminders to be sent if the user doesn't have an email address specified (dregad) - closed.
- 0013054: [installation] Installer displays a blank page if core.php encounters a critical error (dregad) - closed.
- 0015357: [bugtracker] uninitialized library path (dregad) - closed.
- 0015471: [bugtracker] bug_reminder.php does not handle unsent reminders (dregad) - closed.
- 0015472: [bugtracker] email_bug_reminder() API's return array is always full list of recipients (dregad) - closed.
- 0015481: [custom fields] Custom fields values are not sorted in the main filter (dregad) - closed.
- 0015528: [printing] Custom fields user has no access to should not be displayed on print pages (dregad) - closed.
- 0015538: [bugtracker] Issues list is not displayed when $g_limit_reporters is ON (dregad) - closed.
- 0015540: [documentation] Wrong example code for custom status translation (atrol) - closed.
- 0015558: [bugtracker] url_get() does not fall back to other methods when no data is retrieved (dregad) - closed.
- 0015573: [security] CVE-2013-1883: One query can be issued via current Mantis interface to take down site (dregad) - closed.
- 0015575: [documentation] Turning on $g_show_queries_list causes Mantis to crash with an error (dregad) - closed.
- 0015659: [localization] Appears @70@ and @80@ in the list of resolutions in the "view Issues" page when mantis is in catalan. (dregad) - closed.
- 0015691: [administration] Config report: retrieval of saved project filter from cookie does not work (dregad) - closed.
- 0015453: [security] CVE-2013-1930: Close button is shown on webpage despite 'close' is not a valid status by workflow (dregad) - closed.
- 0015511: [security] CVE-2013-1931: XSS vulnerability when deleting a version (atrol) - closed.
- 0015698: [bugtracker] 'extract() expects parameter 1 to be array, boolean given' in '/srv/www/bugs/account_prof_edit_page.php' line 48 (dregad) - closed.
- 0015704: [documentation] Wrong description of writing custom_functions (atrol) - closed.
- 0015744: [bugtracker] Reminder bugnote with list of recipients not added if no text provided (dregad) - closed.
- 0015451: [api soap] Incorrect invocations of SoapObjectsFactory::newSoapFault (rombert) - closed.
- 0015517: [api soap] mc_project_get_versions() result can't be parsed by C# (dregad) - closed.
- 0015522: [api soap] mc_project_get_issues does not report due_date (dregad) - closed.

MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

Please refer to the release notes for details.

- 0015416: [security] CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value (dregad) - closed.
- 0015415: [security] CVE-2013-1932: XSS vulnerability on Configuration Report page (dregad) - closed.
- 0015411: [performance] Huge memory consumption for print_user_option_list() (dregad) - closed.

MantisBT 1.2.13 had to be withdrawn shortly after release, as it introduced a bug
(#15411) causing the View Issues page to consume significantly more memory for
instances with large numbers of users (order 10k+), leading to system crashes,
as well as an XSS issue (#15415) in the Configuration Report page.

We recommend not to use 1.2.13, and deploy version 1.2.14 instead.

- 0014871: [api soap] Add support for the built-in soap extension in addition to nusoap (rombert) - closed.
- 0003693: [bugtracker] Make the username in Manage Projects a clickable link to edit that user (dregad) - closed.
- 0007586: [customization] generic configuration editor cannot 'EDIT' an option (dregad) - closed.
- 0010130: [filters] Filter "Assigned to" does not display usernames when project "All Projects" is selected (dregad) - closed.
- 0011854: [documentation] Parameter $g_default_timezone" is not mentioned in administration_guide (dregad) - closed.
- 0013298: [preferences] commas and multi-dimensional arrays in adm_config_set (dregad) - closed.
- 0013680: [performance] Configuration page takes a very long time to load (dregad) - closed.
- 0014009: [administration] admin/check.php fatal error on PHP 5.1.x (undefined function timezone_identifiers_list()) (dregad) - closed.
- 0014559: [administration] Adding filter for "Configuration report" (dregad) - closed.
- 0015199: [other] Update json api error format (rombert) - closed.
- 0015201: [db postgresql] Summary page fail (dregad) - closed.
- 0015384: [security] CVE-2013-1810 XSS vulnerability on summary page (dhx) - closed.
- 0015247: [administration] Protected account change still sends email (dregad) - closed.
- 0015248: [email] The order of sending emails is inverted when using cron (dregad) - closed.
- 0015255: [bugtracker] Date filter fields are disabled when $g_use_javascript = OFF (dregad) - closed.
- 0015257: [filters] Inconsistent use of numeric vs text month in date filter selection fields (dregad) - closed.
- 0015258: [security] CVE-2013-1811 Reporter can change issue status to 'new' (dregad) - closed.
- 0015260: [bugtracker] access_get_status_threshold() returns incorrect value for NEW (dregad) - closed.
- 0015264: [custom fields] custom_field_get_id_from_name() broken since 1.2.12 (dregad) - closed.
- 0015265: [custom fields] custom_field_get_id_from_name() doesn't cache result of obsolete custom field names (dregad) - closed.
- 0015280: [code cleanup] Form in manage_columns_inc.php has misleading name and unnecessary multipart encoding (dregad) - closed.
- 0015320: [filters] Date filters broken since 1.2.12 (rombert) - closed.
- 0015360: [bugtracker] Add Missing config 'reminder_receive_threshold' in workflow threshold page (dregad) - closed.
- 0015370: [bugtracker] When a bug is resolved on report, default the handler to the current user (rombert) - closed.
- 0015373: [security] CVE-2013-0197 XSS vulnerability with match_type filter (dhx) - closed.
- 0015382: [email] Additional improvements to email logging (dregad) - closed.
- 0015388: [filters] Update the match_type parameter to be XSS-safe by itself (dregad) - closed.
- 0015389: [filters] Display of match_type filter property for unknown types (dregad) - closed.
- 0015356: [api soap] improve error handling in mc_issue_api.php (rombert) - closed.
- 0014157: [api soap] Array to string conversion error on soap request with PHP 5.4 (rombert) - closed.
- 0014672: [api soap] Slow performance of SOAP calls due to nusoap (rombert) - closed.
- 0015222: [api soap] mc_project_delete_category fails to delete category (rombert) - closed.

Files:
Revision  Action  file
1.42      modify  pkgsrc/devel/mantis/Makefile
1.17      modify  pkgsrc/devel/mantis/PLIST
1.16      modify  pkgsrc/devel/mantis/distinfo