Released 2023-02-22

Security and maintenance release addressing an information disclosure issue (CVE-2023-22476; thanks to d3vpoo1 for identifying and responsibly reporting it) as well as a vulnerability in the bundled moment.js library (CVE-2022-31129). This release also resolves over 20 issues, including several PHP 8.x compatibility fixes.

All installations are strongly advised to upgrade as soon as possible.

  • 0030841: [api rest] Update Slim Framework to 3.12.4 (dregad)
  • 0031836: [bugtracker] Date conversion fails when editing a project version using a non-US date format (dregad)
  • 0031889: [bugtracker] Product Version / Target Version - Date missing (dregad)
  • 0031086: [security] CVE-2023-22476: Private issue summary disclosure (dregad)
  • 0030791: [security] Allow adding relation type noopener/noreferrer to outgoing links (dregad)
  • 0024720: [ldap] Editing user with use_ldap_email = ON empties email address (dregad)
  • 0031827: [reports] Graphviz logs syntax error in line xx near ';' (atrol)
  • 0031712: [code cleanup] PHP 8.1 deprecated warnings (dregad)
  • 0031159: [tagging] Undefined constants TAG_NOT_ATTACHED + TAG_ALREADY_ATTACHED in tag_api.php (dregad)
  • 0030922: [bugtracker] Browser extensions may trigger automatic bug monitoring (community)
  • 0030918: [markdown] URLs should only be converted to links when process_url is ON (dregad)
  • 0030835: [ui] unreachable submit button (Update Information) on issue update when using tab key (dregad)
  • 0030814: [signup] Captcha audio not working (dregad)
  • 0030794: [signup] Captcha image not showing on PHP 8.1 (dregad)
  • 0030777: [upgrade] Scalar typehint is not supported in PHP 5.x (dregad)
  • 0030793: [bugtracker] config_flush_cache() doesn't clean the eval cache for individual options (dregad)
  • 0030772: [security] Update moment.js to 2.29.4 (dregad)
  • 0030771: [ldap] Poor error handling when $g_login_method = LDAP and PHP extension missing (dregad)
  • 0031876: [plug-ins] XML import: Undefined property warning when importing bug notes (dregad)
  • 0030429: [other] Upcoming incompatibility with PHP 8.2, "Deprecate ${} string interpolation" RFC (dregad)
  • 0030790: [ldap] Deprecated conversion of false to array in ldap_api.php with PHP 8.1 (dregad)
  • 0032037: [bugtracker] Remove "sponsorship_total" from columns default (dregad)
  • 0031943: [installation] Creation of dynamic properties is deprecated in PHP 8.2 (dregad)
  • 0031829: [ui] Status color boxes shown in black on bug_relationship_graph.php (dregad)
  • 0022238: [documentation] Missing columns on $g_view_issues_page_columns documentation (dregad)
25 issues