Mercurial > p > roundup > code

annotate doc/CVE.txt @ 8446:14c7c07b32d8

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
feature: add thread local trace_id and trace_reason to logging. Added trace_id to default logging so that all logs for a given request share the same trace_id. This allows correlation of logs across a request. admin_guide.txt, upgrading.txt: add docs update sample configs to include trace_id. rewrite logging docs in admin_guide. Hopefully they are clearer now. clean up some stuff in the logging config file docs. admin.py: add decorators to run_command to enable trace_id. change calls to db.commit() to use run_command to get trace_id. configuration.py: clean up imports. update docstrings, comments and inline docs. add trace_id to default log format. add function for testing decorated with trace_id. add support for dumping stack trace in logging. add check for pytest in sys.modules to enable log propagation when pytest is running. Otherwise tests fail as the caplog logger doesn't see the roundup logs. logcontext.py: new file to handle thread local contextvar mangement. mailgw.py: add decorators for trace_id etc. scripts/roundup_xlmrpc_server.py: add decorators for trace_id etc. fix encoding bug turning bytes into a string. fix command line issue where we can't set encoding. (not sure if changing encoding via command line even works) cgi/client.py decorate two entry points for trace_id etc. cgi/wsgi_handler.py: decorate entry point for trace_id etc. test/test_config.py: add test for trace_id in new log format. test various cases for sinfo and errors in formating msg.
author John Rouillard <rouilj@ieee.org>
date Tue, 16 Sep 2025 22:53:00 -0400
parents d6b447de4f59
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 .. comments:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 This file is a temporary way to post CVE notifications before
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 a release.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
4
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
5 Document the CVE fix info in upgrading.txt. We extract the sections
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
6 from upgrading.txt that deal with the CVE into a separate CVE.html.
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
7 An updated docs/security.html and docs/CVE.html provide the details
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
8 on a between release CVE announcment.
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
9
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
10 Publishing upgrading.txt would include info on the to be released
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
11 roundup software and wouldn't match the rest of the release docs.
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
12
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
13 To extract the info from upgrading.txt to use in CVE.html, add a
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
14 commented out a reference anchor in upgrading.txt. Then in CVE.txt
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
15 we use an include directive with start-after and end-before options
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
16 to exract the sections from upgrading.txt into CVE.html.
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
17
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
18 The extracted section in CVE.txt gets the same anchor that is in
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
19 upgrading.txt, but is is not commented out. This allows us to swap
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
20 out CVE.txt and uncomment the reference in upgrading.txt. Then
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
21 rerunning sphinx-build will make security.html point to the sections
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
22 in upgrading.html.
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
23
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
24 For example, in upgrading.txt add a
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
25
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
26 .. comment: _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
27
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
28 before the section for the CVE (use the real CVE number). At the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
29 end of the CVE section add an end comment:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
30
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
31 .. comment: end of CVE include marker
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
32
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
33 Update security.txt with a :ref: to the CVE section. E.G. a
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
34 security.txt references look like:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
35
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
36 * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
37 vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
38 tracker homes.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
39
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
40 where <CVE-2024-39124> is the reference. The same reference anchor
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
41 is present (commented out) in upgrading.txt. In CVE.txt you
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
42 replicate the existing anchor and include to extract the content
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
43 section from upgrading.txt. E.G.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
44
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
45 .. _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
46
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
47 .. include:: upgrading.txt
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
48 :start-after: .. comment: _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
49 :end-before: .. comment: end of CVE
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
50
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
51 After building the docs, install docs/security.html and
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
52 docs/CVE.html on the web site. Reference:
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
53
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
54 https://www.roundup-tracker.org/docs/security.html
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
55
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
56 in the CVE announcement from Mitre.
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
57
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
58 When the release is ready, replace 'comment: _CVE' with '_CVE' in
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
59 upgrading.txt. This makes the anchors in upgrading.txt live.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
60
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
61 Then disable CVE.txt by removing CVE.txt from contents.txt in the
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
62 toctree hidden section. Also add docs/CVE.txt to exclude_patterns in
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
63 conf.py.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
64
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
65 No change needs to happen to security.txt as it's using a :ref: and
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
66 we just changed the location for the ref so sphinx will get the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
67 links correct.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
68
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
69 Now build the docs and publish to the web site.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
70
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
71 ===========
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
72 Roundup CVE
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
73 ===========
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
74
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
75 This is a list of remediation for CVE's that are not fixed in the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
76 latest release. When the latest release fixes the CVE, see `the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
77 upgrading doc <upgrading.html>`_ for these details.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
78
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
79 .. contents::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
80 :local:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
81 :depth: 2
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
82
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
83 .. _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
84
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
85 .. note::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
86
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
87 Prior to the release of Roundup 2.4.0, you can access updated
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
88 tracker templates that address CVE-2024-39124 from
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
89 `CVE-2024-39124-templates.zip
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
90 <../CVE-2024-39124-templates.zip>`_. Download and extract the zip
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
91 file to generate a templates subdirectory containing the classic,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
92 minimal and other tracker templates.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
93
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
94 .. include:: upgrading.txt
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
95 :start-after: .. comment: _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
96 :end-before: .. comment:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
97
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
98 .. _CVE-2024-39125:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
99
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
100 .. include:: upgrading.txt
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
101 :start-after: .. comment: _CVE-2024-39125:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
102 :end-before: .. comment:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
103
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
104 .. _CVE-2024-39126:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
105
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
106 .. include:: upgrading.txt
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
107 :start-after: .. comment: _CVE-2024-39126:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
108 :end-before: .. comment: end of CVE include marker
Roundup Issue Tracker: http://roundup-tracker.org/