Released 2022-06-24

Security and maintenance release fixing vulnerabilities involving SVG file attachments (CVE-2022-33910). SVG attachments are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.

  • 0030416: [security] Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8 (dregad)
  • 0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad)
  • 0030541: [documentation] Impossibility of deleting attachment with form security validation turned on (dregad)
  • 0030193: [bugtracker] PHP 5.6 support broken (dregad)
  • 0030204: [filters] Create Permalink - special characters handling (dregad)
  • 0030533: [security] Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote (community)
  • 0030384: [security] CVE-2022-33910: Stored XSS via SVG file upload (dregad)
7 issues
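One way to audit an instance for the $g_disallowed_files advice in the release summary above. This is an added example, not MantisBT's own code. It assumes the setting is assigned in the instance's custom configuration file as a quoted, comma-separated string of extensions; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: check whether a custom MantisBT config lists svg
# in $g_disallowed_files.
# Return codes (hypothetical convention for this example):
#   0 = custom $g_disallowed_files includes svg
#   1 = custom $g_disallowed_files is set but lacks svg (needs updating)
#   2 = no custom setting found, so the shipped default applies
check_disallowed_svg() {
    conf=$1
    # Take the last uncommented assignment; a later assignment wins in PHP.
    line=$(grep -E '^[[:space:]]*\$g_disallowed_files[[:space:]]*=' "$conf" | tail -n 1) || true
    [ -n "$line" ] || return 2
    # Extract the quoted value. Assumes a plain quoted string, not an expression.
    list=$(printf '%s\n' "$line" |
        sed -E "s/^[^=]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/")
    # Exact match only: entries with different case or padding are
    # reported as missing so that they get a manual review.
    case ",$list," in
        *,svg,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample config (not taken from a real instance).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
$g_hostname = 'localhost';
$g_disallowed_files = 'php,phtml,exe';
EOF
rc=0
check_disallowed_svg "$sample" || rc=$?
case $rc in
    0) echo "svg is already blocked" ;;
    1) echo "custom \$g_disallowed_files lacks svg: add it" ;;
    2) echo "no custom \$g_disallowed_files: default applies" ;;
esac
rm -f "$sample"
```

A result of 1 is the case the release note addresses: the instance overrides the default list, so svg has to be added by hand.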