Roundup (Mercurial): annotate doc/CVE.txt @ 8094:8e310a7b5e09
issue2551131 - Return accept-patch if patch body not accepted (415 code)
Now returns:
Accept-Patch: application/json, application/x-www-form-urlencoded
for PATCH verb.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 16 Jul 2024 20:23:36 -0400 |
| parents | d6b447de4f59 |
| children |
Annotate provenance: the file first appears in rev 8062 (28aa76443f58, "fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125"); parts of the explanatory comment were revised in rev 8064 (d6b447de4f59, "docs: set up for release documentation."). Both changesets are by John Rouillard <rouilj@ieee.org>.

.. comments:
   This file is a temporary way to post CVE notifications before
   a release.

   Document the CVE fix info in upgrading.txt. We extract the sections
   from upgrading.txt that deal with the CVE into a separate CVE.html.
   An updated docs/security.html and docs/CVE.html provide the details
   for a between-release CVE announcement.

   Publishing upgrading.txt itself would include info on the
   to-be-released roundup software and wouldn't match the rest of the
   release docs.

   To extract the info from upgrading.txt for use in CVE.html, add a
   commented-out reference anchor in upgrading.txt. Then in CVE.txt
   we use an include directive with start-after and end-before options
   to extract the sections from upgrading.txt into CVE.html.

   The extracted section in CVE.txt gets the same anchor that is in
   upgrading.txt, but it is not commented out. This allows us to swap
   out CVE.txt and uncomment the reference in upgrading.txt. Then
   rerunning sphinx-build will make security.html point to the sections
   in upgrading.html.

   For example, in upgrading.txt add a

      .. comment: _CVE-2024-39124:

   before the section for the CVE (use the real CVE number). At the
   end of the CVE section add an end comment:

      .. comment: end of CVE include marker

   Update security.txt with a :ref: to the CVE section. For example, a
   security.txt reference looks like:

      * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
        vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
        tracker homes.

   where <CVE-2024-39124> is the reference target. The same reference
   anchor is present (commented out) in upgrading.txt. In CVE.txt you
   replicate the existing anchor and include to extract the content
   section from upgrading.txt, e.g.

      .. _CVE-2024-39124:

      .. include:: upgrading.txt
         :start-after: .. comment: _CVE-2024-39124:
         :end-before: .. comment: end of CVE

   The include stops at the first occurrence of the end-before text
   after the start marker, so a short ``:end-before: .. comment:`` ends
   the extract at the next comment line of any kind; use the full end
   marker when anything else could sit between the CVE sections.

   After building the docs, install docs/security.html and
   docs/CVE.html on the web site. Reference:

      https://www.roundup-tracker.org/docs/security.html

   in the CVE announcement from MITRE.

   When the release is ready, replace 'comment: _CVE' with '_CVE' in
   upgrading.txt. This makes the anchors in upgrading.txt live.

   Then disable CVE.txt by removing CVE.txt from contents.txt in the
   hidden toctree section. Also add docs/CVE.txt to exclude_patterns in
   conf.py.

   No change is needed in security.txt: it uses a :ref:, and since the
   anchor now lives in upgrading.txt, Sphinx resolves the links to the
   new location. Keep exactly one copy of each anchor live at a time;
   if both CVE.txt and upgrading.txt define the same label, Sphinx
   warns about a duplicate label and only one of the definitions wins.

   Now build the docs and publish to the web site.

===========
Roundup CVE
===========

This is a list of remediations for CVEs that are not fixed in the
latest release. When the latest release fixes the CVE, see `the
upgrading doc <upgrading.html>`_ for these details.

.. contents::
   :local:
   :depth: 2

.. _CVE-2024-39124:

.. note::

   Prior to the release of Roundup 2.4.0, you can access updated
   tracker templates that address CVE-2024-39124 from
   `CVE-2024-39124-templates.zip
   <../CVE-2024-39124-templates.zip>`_. Download and extract the zip
   file to generate a templates subdirectory containing the classic,
   minimal and other tracker templates.

.. include:: upgrading.txt
   :start-after: .. comment: _CVE-2024-39124:
   :end-before: .. comment:

.. _CVE-2024-39125:

.. include:: upgrading.txt
   :start-after: .. comment: _CVE-2024-39125:
   :end-before: .. comment:

.. _CVE-2024-39126:

.. include:: upgrading.txt
   :start-after: .. comment: _CVE-2024-39126:
   :end-before: .. comment: end of CVE include marker
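The marker bookkeeping described in the comment block at the top of this file is easy to get subtly wrong: a start marker with no end marker, an anchor left live in both upgrading.txt and CVE.txt after the release swap, or a security.txt :ref: with no target. The script below is an added example and not Roundup's own code. It emulates the docutils start-after/end-before text search that the include directives above rely on, lints a trio of constructed stand-ins for upgrading.txt, CVE.txt and security.txt (the CVE identifiers are the ones used on this page, but the section bodies are placeholders, not the real advisories), and performs the release-time 'comment: _CVE' to '_CVE' swap. The function names, regexes and lint rules are this example's own assumptions; the duplicate-label warning it checks for is standard Sphinx behaviour.

```python
"""Added example (not Roundup code): emulate the docutils include start-after/
end-before extraction used by CVE.txt and lint the marker and anchor bookkeeping
across upgrading.txt, CVE.txt and security.txt. All file bodies are constructed."""
import re

START_MARKER = ".. comment: _{cve}:"   # commented-out anchor in upgrading.txt
END_MARKER = ".. comment: end of CVE include marker"

# Constructed stand-in for upgrading.txt; the section bodies are placeholders.
UPGRADING_TXT = """\
.. comment: _CVE-2024-39124:

Placeholder body for the CVE-2024-39124 section.

.. comment: _CVE-2024-39125:

Placeholder body for the CVE-2024-39125 section.

.. comment: end of CVE include marker

Unrelated text that must never be pulled into CVE.html.
"""
# Constructed stand-in for CVE.txt: a live anchor plus one include per CVE.
CVE_TXT = """\
.. _CVE-2024-39124:

.. include:: upgrading.txt
   :start-after: .. comment: _CVE-2024-39124:
   :end-before: .. comment:

.. _CVE-2024-39125:

.. include:: upgrading.txt
   :start-after: .. comment: _CVE-2024-39125:
   :end-before: .. comment: end of CVE include marker
"""
# Constructed stand-in for the security.txt list entries.
SECURITY_TXT = """\
* `CVE-2024-39124`_ - :ref:`placeholder title <CVE-2024-39124>`
* `CVE-2024-39125`_ - :ref:`placeholder title <CVE-2024-39125>`
"""

ANCHOR_RE = re.compile(r"^\.\. _(?P<cve>CVE-\d{4}-\d+):$", re.M)
INCLUDE_RE = re.compile(r"^\.\. include:: upgrading\.txt\n[ \t]+:start-after: "
                        r"(?P<start>.+)\n[ \t]+:end-before: (?P<end>.+)$", re.M)
REF_RE = re.compile(r":ref:`[^`<]*<(?P<cve>CVE-\d{4}-\d+)>`")


def include_slice(text, start_after, end_before):
    """docutils semantics: first occurrence of start_after, then the first
    end_before after it; a missing marker is an error, not an empty include."""
    i = text.find(start_after)
    if i < 0:
        raise ValueError("start-after text not found: %r" % start_after)
    rest = text[i + len(start_after):]
    j = rest.find(end_before)
    if j < 0:
        raise ValueError("end-before text not found: %r" % end_before)
    return rest[:j]


def parse_cve_txt(cve_txt):
    """Pair each live anchor in CVE.txt with the include directive after it."""
    anchors = ANCHOR_RE.findall(cve_txt)
    includes = [(m.group("start").strip(), m.group("end").strip())
                for m in INCLUDE_RE.finditer(cve_txt)]
    if len(anchors) != len(includes):
        raise ValueError("anchor/include count mismatch in CVE.txt")
    return dict(zip(anchors, includes))


def lint(upgrading_txt, cve_txt, security_txt):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    sections = parse_cve_txt(cve_txt)
    for cve, (start, end) in sections.items():
        if start != START_MARKER.format(cve=cve):
            problems.append("%s: start-after does not match the anchor" % cve)
        if (".. _%s:" % cve) in upgrading_txt:
            # Both files defining one label makes Sphinx warn "duplicate label".
            problems.append("%s: anchor is live in upgrading.txt too" % cve)
        try:
            include_slice(upgrading_txt, start, end)
        except ValueError as exc:
            problems.append("%s: %s" % (cve, exc))
    if END_MARKER not in upgrading_txt:
        problems.append("upgrading.txt lacks the end-of-CVE marker")
    for cve in REF_RE.findall(security_txt):
        if cve not in sections:
            problems.append("security.txt :ref: %s has no anchor in CVE.txt" % cve)
    return problems


def make_release_ready(upgrading_txt):
    """Release step from CVE.txt: 'comment: _CVE' -> '_CVE' makes anchors live."""
    return upgrading_txt.replace("comment: _CVE", "_CVE")


if __name__ == "__main__":
    print("lint before release:", lint(UPGRADING_TXT, CVE_TXT, SECURITY_TXT) or "ok")
    released = make_release_ready(UPGRADING_TXT)
    print("live anchors after the swap:", ANCHOR_RE.findall(released))
    print("lint if CVE.txt were kept:", lint(released, CVE_TXT, SECURITY_TXT))
```

Run against the constructed inputs, the pre-release lint is clean; after the swap the same lint reports, for every CVE, both that the anchor is now live in upgrading.txt and that the start marker the include depends on is gone, which is exactly the state that must not be published: it is the cue to drop CVE.txt from contents.txt and add it to exclude_patterns as the comment block says.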
