| changeset | c7a2e01793cd |
|---|---|
| branch | |
| bookmark | |
| tag | 2.5.0 |
| user | John Rouillard <rouilj@ieee.org> |
| description | build: 2.5.0 release checkin. Tag to come. |
| files |
| changeset | 58a1b4051a57 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: update/clarify verification directions. |
| files |
| changeset | 4ac0bbb3e440 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug(security): CVE-2025-53865 - XSS bug Extensive fixes in devel, responsive templates known to be exploitable. Similar constructs in classic and minimal templates not known to be exploitable, but changed anyway. doc/upgrading.txt: Reformat to 66 characters. Update with assigned CVE number. Add section on fixing tal:replace with unsafe data. Document analysis and assumptions in comment in file. doc/security.txt: Update with CVE number. |
| files |
| changeset | abf1297e7a94 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug(security): fix XSS exploit in devel and responsive templates Replace all occurrences of: tal:content="structure context/MUMBLE/plain" with tal:content="context/MUMBLE/plain" This seems to have been an old way to handle display of a field when the user did not have edit rights. It does not occur in current (later than 2009) classic tracker templates. But probably was used in earlier classic templates since devel, responsive and the roundup issue tracker templates were based on classic. Add CVE placeholder to security.txt and link to fix directions added to upgrading.txt. Add note in announcement.txt and CHANGES.txt Add a details element around the table of contents in the upgrading guide. It was getting long. Updated a missed XSS issue in the roundup tracker template. Live site is already fixed. XSS bug reported by 4bug of ChaMd5 Security Team H1 Group |
| files |
| changeset | 4dfc07ee489a |
|---|---|
| branch | |
| bookmark | |
| tag | 2.4.0 |
| user | John Rouillard <rouilj@ieee.org> |
| description | docs: add 2.4.0 gpg signature. |
| files |
| changeset | 28aa76443f58 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125 Directions for fixing: * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing tracker homes. * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0, directions available for fixing in prior versions. * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an issue can contain embedded JavaScript which is executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions available for fixing in prior versions. prior to 2.4.0 release this weekend that fixes the last two CVEs. |
| files |
| changeset | 301b0988a351 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | 2.4.0b2 release updates |
| files |
| changeset | 75774e89b483 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | 2.4.0b1 release commits |
| files |
| changeset | ed2bc951277b |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Updates for 2.3.0 release. |
| files |
| changeset | 51fc06fabcee |
|---|---|
| branch | |
| bookmark | |
| tag | 2.3.0b2 |
| user | John Rouillard <rouilj@ieee.org> |
| description | Changes for roundup release 2.3.0b2 I missed changing announcements.txt so the b1 release has the 2.2.0 release announcement when I uploaded to test.pipi.org. |
| files |
| changeset | 1c291a05d90f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Add front matter and header "Reporting Security Issues" |
| files |
| changeset | bd5bebb11695 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | add headers; make signature list multicolumn |
| files |
| changeset | 32bd5013bf32 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix missed format changes. |
| files |
| changeset | 186956a87ad7 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551279 - GPG support removed from pypi - rewrite pgp signature validation. Added/updated documentation on using gpg signature files for the distribution to security.txt. Added signature files to main website/mercurial. Removed verification documentation from public key file included in distribution. Key file now references security.txt/.html. |
| files |
| changeset | a3223f1966fc |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | update to use Ralf's preferred email address. |
| files |
| changeset | ffe29ee47c47 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | merge |
| files |
| changeset | 1836e0ef7751 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Add new security.txt Add to index, remove security.txt from exclude list in website. Add :orphan: to security-history.txt since it is only linked from upgrading.txt. |
| files |
| changeset | 8ee41c7372e7 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | anatoly techtonik <techtonik@gmail.com> |
| description | doc: Fix some Sphinx warnings. |
| files |
| changeset | 32b24abfe98e |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Eric S. Raymond <esr@thyrsus.com> |
| description | Documentation polishing. |
| files |
| changeset | 33a1f03b9de0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Eric S. Raymond <esr@thyrsus.com> |
| description | Remove $-cookies that have been misleading since roundup moved off CVS. One of these, a $Date$ cookie, might accidentally be expanded correctly by Subversion *if* keyword expansion was enabled on that file; but judging by the ancientness of the date, it probably wasn't. In any case, git doesn't do any keyword expansion at all, so there isn't an equivalent to translate these into. |
| files |
| changeset | 251382399e45 |
|---|---|
| branch | |
| bookmark | |
| tag | 1.4.0 |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | update |
| files |
| changeset | 43ab730ee194 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | instance -> tracker, node -> item |
| files |
| changeset | 299f4890427d |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | documentation reorg post-new-security |
| files |
| changeset | 38a74d1351c5 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | documentation updates |
| files |
| changeset | 502a5ae11cc5 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Very close now. The cgi and mailgw now use the new security API. The two templates have been migrated to that setup. Lots of unit tests. Still some issues in the web form for editing Roles assigned to users. |
| files |
| changeset | b0d3d3535998 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Bugger it. Here's the current shape of the new security implementation. Still to do: . call the security funcs from cgi and mailgw . change shipped templates to include correct initialisation and remove the old config vars ... that seems like a lot. The bulk of the work has been done though. Honest :) |
| files |
| changeset | 7d41d4dae378 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | this could work... |
| files |
| changeset | 2ccfd7fa0099 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Getting closer to a good framework. |
| files |
| changeset | d19dd123bda2 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | just some formatting and a minor clarification. |
| files |
| changeset | a4ab8fdf83a2 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | More (hopefully final) thoughts. |
| files |
| changeset | a3de8f9b2ede |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | more thoughts... almost there I think |
| files |
| changeset | 261a71cb7f7f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Some refinements |
| files |
| changeset | e07e5903c3b4 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Updated documents |
| files |
| changeset | 2a0886bacdcc |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Note correct API calls in the doc ;) |
| files |
| changeset | 811475894dd9 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | More thoughts |
| files |
| changeset | d341cd0e7689 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Latest thoughts. |
| files |
| changeset | 2a563dbacd65 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Initial doc holding collated thoughts on roundup security. |
| files |