Revised release notes for 1.2.14

Based on atrol's feedback, added info about #15415.
mantisbt · Jan 29, 2013 · ee3695f · ee3695f
1 parent 9147d9d
commit ee3695f
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/doc/RELEASE b/doc/RELEASE
@@ -8,7 +8,7 @@ MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All
 installations that are currently running any 1.2.x version are strongly advised
 to upgrade to this release.
 
-Three cross site scripting (XSS) vulnerability issues were discovered and
+Four cross site scripting (XSS) vulnerability issues were discovered and
 resolved:
 
  - A malicious person could trick a target user's browser into executing
@@ -19,12 +19,14 @@ resolved:
    Refer to issue #15373 for detailed information.
 
  - A user holding manager/administrator permissions could create a category or
-   project name containing JavaScript code; from that point on,visitors to the
-   Summary page (summary.php) are exposed to having the JavaScript execute
+   project name containing JavaScript code; from that point on, visitors to
+   (a) the Summary page (summary.php) as well as (b) the Configuration Report
+   page (adm_config_report.php), are exposed to having the JavaScript execute
    within their browser environment. The severity of this issue is mitigated by
    the need to have a privileged account to modify category and project names.
-   Affects MantisBT 1.2.12 only (earlier versions are not impacted).
-   Refer to issue #15384 for detailed information.
+   Issue (a) affects MantisBT version 1.2.12 and above, while (b) is on 1.2.13
+   only; earlier releases are not impacted.
+   Refer to issues #15384 (a) and #15415 (b) for detailed information.
 
  - An administrator could enter a configuration option containing javascript
    code, which would then be executed when displaying the Configuration Report
@@ -54,8 +56,9 @@ A full changelog for the 1.2.x series can be found on the official site. [1]
 -------------------------------------------------
 
 This version had to be withdrawn shortly after release, as it introduced a bug
-causing the View Issues page to consume significantly more memory for instances
-with large numbers of users (order 10k+), leading to system crashes.
+(#15411) causing the View Issues page to consume significantly more memory for
+instances with large numbers of users (order 10k+), leading to system crashes,
+as well as an XSS issue (#15415) in the Configuration Report page.
 
 We recommend not to use 1.2.13, and deploy version 1.2.14 instead.