Mercurial > p > roundup > code
annotate doc/CVE.txt @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | |
| children | d6b447de4f59 |
| rev | line source |
|---|---|
|
8062
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
1 .. comments: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
2 This file is a temporary way to post CVE notifications before |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
3 a release. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
4 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
5 Document the CVE fix info in upgrading.txt. Publishing |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
6 upgrading.txt would push info on the next release not the current |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
7 release. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
8 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
9 So we comment out a reference anchor in upgrading.txt and use that |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
10 comment to extract the section from upgrading.txt into CVE.txt. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
11 The extracted section gets the same anchor that is in upgrading.txt, |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
12 but is is not commented out. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
13 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
14 Then we add a summary to the list of CVE's in security.txt using a |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
15 :ref: to the anchor. If CVE.txt is part of the build and |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
16 upgrading.txt has a commented out anchor, security.txt entries link |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
17 to CVE.html in the generated documentation. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
18 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
19 In upgrading.txt add a |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
20 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
21 .. comment: _CVE-2024-39124: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
22 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
23 before the section for the CVE (use the real CVE number). At the |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
24 end of the CVE section add an end comment: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
25 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
26 .. comment: end of CVE include marker |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
27 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
28 Update security.txt with a :ref: to the CVE section. E.G. a |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
29 security.txt references look like: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
30 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
31 * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
32 vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
33 tracker homes. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
34 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
35 where <CVE-2024-39124> is the reference. The same reference anchor |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
36 is present (commented out) in upgrading.txt. In CVE.txt you |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
37 replicate the existing anchor and include to extract the content |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
38 section from upgrading.txt. E.G. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
39 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
40 .. _CVE-2024-39124: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
41 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
42 .. include:: upgrading.txt |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
43 :start-after: .. comment: _CVE-2024-39124: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
44 :end-before: .. comment: end of CVE |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
45 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
46 After building the docs, install docs/security.html and |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
47 docs/CVE.html on the web site. Use the security.html URL |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
48 on the web site to update the CVE report. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
49 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
50 When the release is ready, replace 'comment: _CVE' with '_CVE' in |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
51 upgrading.txt. This makes the anchors in upgrading.txt live. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
52 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
53 Then disable CVE.txt by removing CVE.txt from contents.txt in the |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
54 toctree hidden section. Also add CVE.txt to exclude_patterns in |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
55 conf.py. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
56 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
57 No change needs to happen to security.txt as it's using a :ref: and |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
58 we just changed the location for the ref so sphinx will get the |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
59 links correct. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
60 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
61 Now build the docs and publish to the web site. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
62 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
63 =========== |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
64 Roundup CVE |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
65 =========== |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
66 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
67 This is a list of remediation for CVE's that are not fixed in the |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
68 latest release. When the latest release fixes the CVE, see `the |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
69 upgrading doc <upgrading.html>`_ for these details. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
70 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
71 .. contents:: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
72 :local: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
73 :depth: 2 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
74 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
75 .. _CVE-2024-39124: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
76 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
77 .. note:: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
78 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
79 Prior to the release of Roundup 2.4.0, you can access updated |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
80 tracker templates that address CVE-2024-39124 from |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
81 `CVE-2024-39124-templates.zip |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
82 <../CVE-2024-39124-templates.zip>`_. Download and extract the zip |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
83 file to generate a templates subdirectory containing the classic, |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
84 minimal and other tracker templates. |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
85 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
86 .. include:: upgrading.txt |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
87 :start-after: .. comment: _CVE-2024-39124: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
88 :end-before: .. comment: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
89 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
90 .. _CVE-2024-39125: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
91 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
92 .. include:: upgrading.txt |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
93 :start-after: .. comment: _CVE-2024-39125: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
94 :end-before: .. comment: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
95 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
96 .. _CVE-2024-39126: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
97 |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
98 .. include:: upgrading.txt |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
99 :start-after: .. comment: _CVE-2024-39126: |
|
28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
100 :end-before: .. comment: end of CVE include marker |