Mercurial > p > roundup > code

annotate doc/CVE.txt @ 8506:b6c6891754e9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
bug: fix mis-commit of perf tests and crash fix for setTranslation The commit included more than it should have. It included some memory dump code that is not part of production. Also removed WIP for fixing crash bug when translation unable to create .mo file - issue2551405
author John Rouillard <rouilj@ieee.org>
date Thu, 25 Dec 2025 12:14:53 -0500
parents d6b447de4f59
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 .. comments:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 This file is a temporary way to post CVE notifications before
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 a release.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
4
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
5 Document the CVE fix info in upgrading.txt. We extract the sections
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
6 from upgrading.txt that deal with the CVE into a separate CVE.html.
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
7 An updated docs/security.html and docs/CVE.html provide the details
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
8 on a between release CVE announcment.
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
9
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
10 Publishing upgrading.txt would include info on the to be released
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
11 roundup software and wouldn't match the rest of the release docs.
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
12
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
13 To extract the info from upgrading.txt to use in CVE.html, add a
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
14 commented out a reference anchor in upgrading.txt. Then in CVE.txt
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
15 we use an include directive with start-after and end-before options
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
16 to exract the sections from upgrading.txt into CVE.html.
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
17
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
18 The extracted section in CVE.txt gets the same anchor that is in
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
19 upgrading.txt, but is is not commented out. This allows us to swap
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
20 out CVE.txt and uncomment the reference in upgrading.txt. Then
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
21 rerunning sphinx-build will make security.html point to the sections
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
22 in upgrading.html.
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
23
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
24 For example, in upgrading.txt add a
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
25
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
26 .. comment: _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
27
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
28 before the section for the CVE (use the real CVE number). At the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
29 end of the CVE section add an end comment:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
30
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
31 .. comment: end of CVE include marker
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
32
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
33 Update security.txt with a :ref: to the CVE section. E.G. a
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
34 security.txt references look like:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
35
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
36 * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
37 vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
38 tracker homes.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
39
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
40 where <CVE-2024-39124> is the reference. The same reference anchor
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
41 is present (commented out) in upgrading.txt. In CVE.txt you
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
42 replicate the existing anchor and include to extract the content
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
43 section from upgrading.txt. E.G.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
44
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
45 .. _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
46
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
47 .. include:: upgrading.txt
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
48 :start-after: .. comment: _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
49 :end-before: .. comment: end of CVE
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
50
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
51 After building the docs, install docs/security.html and
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
52 docs/CVE.html on the web site. Reference:
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
53
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
54 https://www.roundup-tracker.org/docs/security.html
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
55
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
56 in the CVE announcement from Mitre.
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
57
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
58 When the release is ready, replace 'comment: _CVE' with '_CVE' in
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
59 upgrading.txt. This makes the anchors in upgrading.txt live.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
60
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
61 Then disable CVE.txt by removing CVE.txt from contents.txt in the
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
62 toctree hidden section. Also add docs/CVE.txt to exclude_patterns in
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
63 conf.py.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
64
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
65 No change needs to happen to security.txt as it's using a :ref: and
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
66 we just changed the location for the ref so sphinx will get the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
67 links correct.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
68
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
69 Now build the docs and publish to the web site.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
70
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
71 ===========
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
72 Roundup CVE
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
73 ===========
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
74
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
75 This is a list of remediation for CVE's that are not fixed in the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
76 latest release. When the latest release fixes the CVE, see `the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
77 upgrading doc <upgrading.html>`_ for these details.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
78
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
79 .. contents::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
80 :local:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
81 :depth: 2
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
82
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
83 .. _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
84
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
85 .. note::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
86
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
87 Prior to the release of Roundup 2.4.0, you can access updated
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
88 tracker templates that address CVE-2024-39124 from
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
89 `CVE-2024-39124-templates.zip
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
90 <../CVE-2024-39124-templates.zip>`_. Download and extract the zip
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
91 file to generate a templates subdirectory containing the classic,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
92 minimal and other tracker templates.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
93
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
94 .. include:: upgrading.txt
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
95 :start-after: .. comment: _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
96 :end-before: .. comment:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
97
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
98 .. _CVE-2024-39125:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
99
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
100 .. include:: upgrading.txt
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
101 :start-after: .. comment: _CVE-2024-39125:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
102 :end-before: .. comment:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
103
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
104 .. _CVE-2024-39126:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
105
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
106 .. include:: upgrading.txt
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
107 :start-after: .. comment: _CVE-2024-39126:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
108 :end-before: .. comment: end of CVE include marker
Roundup Issue Tracker: http://roundup-tracker.org/