comparison doc/CVE.txt @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | |
| children | d6b447de4f59 |
| 8061:b1d384d23cdb | 8062:28aa76443f58 |
|---|---|
| 1 .. comments: | |
| 2 This file is a temporary way to post CVE notifications before | |
| 3 a release. | |
| 4 | |
| 5 Document the CVE fix info in upgrading.txt. Publishing | |
| 6 upgrading.txt would push info on the next release not the current | |
| 7 release. | |
| 8 | |
| 9 So we comment out a reference anchor in upgrading.txt and use that | |
| 10 comment to extract the section from upgrading.txt into CVE.txt. | |
| 11 The extracted section gets the same anchor that is in upgrading.txt, | |
| 12 but is is not commented out. | |
| 13 | |
| 14 Then we add a summary to the list of CVE's in security.txt using a | |
| 15 :ref: to the anchor. If CVE.txt is part of the build and | |
| 16 upgrading.txt has a commented out anchor, security.txt entries link | |
| 17 to CVE.html in the generated documentation. | |
| 18 | |
| 19 In upgrading.txt add a | |
| 20 | |
| 21 .. comment: _CVE-2024-39124: | |
| 22 | |
| 23 before the section for the CVE (use the real CVE number). At the | |
| 24 end of the CVE section add an end comment: | |
| 25 | |
| 26 .. comment: end of CVE include marker | |
| 27 | |
| 28 Update security.txt with a :ref: to the CVE section. E.G. a | |
| 29 security.txt references look like: | |
| 30 | |
| 31 * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are | |
| 32 vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing | |
| 33 tracker homes. | |
| 34 | |
| 35 where <CVE-2024-39124> is the reference. The same reference anchor | |
| 36 is present (commented out) in upgrading.txt. In CVE.txt you | |
| 37 replicate the existing anchor and include to extract the content | |
| 38 section from upgrading.txt. E.G. | |
| 39 | |
| 40 .. _CVE-2024-39124: | |
| 41 | |
| 42 .. include:: upgrading.txt | |
| 43 :start-after: .. comment: _CVE-2024-39124: | |
| 44 :end-before: .. comment: end of CVE | |
| 45 | |
| 46 After building the docs, install docs/security.html and | |
| 47 docs/CVE.html on the web site. Use the security.html URL | |
| 48 on the web site to update the CVE report. | |
| 49 | |
| 50 When the release is ready, replace 'comment: _CVE' with '_CVE' in | |
| 51 upgrading.txt. This makes the anchors in upgrading.txt live. | |
| 52 | |
| 53 Then disable CVE.txt by removing CVE.txt from contents.txt in the | |
| 54 toctree hidden section. Also add CVE.txt to exclude_patterns in | |
| 55 conf.py. | |
| 56 | |
| 57 No change needs to happen to security.txt as it's using a :ref: and | |
| 58 we just changed the location for the ref so sphinx will get the | |
| 59 links correct. | |
| 60 | |
| 61 Now build the docs and publish to the web site. | |
| 62 | |
| 63 =========== | |
| 64 Roundup CVE | |
| 65 =========== | |
| 66 | |
| 67 This is a list of remediation for CVE's that are not fixed in the | |
| 68 latest release. When the latest release fixes the CVE, see `the | |
| 69 upgrading doc <upgrading.html>`_ for these details. | |
| 70 | |
| 71 .. contents:: | |
| 72 :local: | |
| 73 :depth: 2 | |
| 74 | |
| 75 .. _CVE-2024-39124: | |
| 76 | |
| 77 .. note:: | |
| 78 | |
| 79 Prior to the release of Roundup 2.4.0, you can access updated | |
| 80 tracker templates that address CVE-2024-39124 from | |
| 81 `CVE-2024-39124-templates.zip | |
| 82 <../CVE-2024-39124-templates.zip>`_. Download and extract the zip | |
| 83 file to generate a templates subdirectory containing the classic, | |
| 84 minimal and other tracker templates. | |
| 85 | |
| 86 .. include:: upgrading.txt | |
| 87 :start-after: .. comment: _CVE-2024-39124: | |
| 88 :end-before: .. comment: | |
| 89 | |
| 90 .. _CVE-2024-39125: | |
| 91 | |
| 92 .. include:: upgrading.txt | |
| 93 :start-after: .. comment: _CVE-2024-39125: | |
| 94 :end-before: .. comment: | |
| 95 | |
| 96 .. _CVE-2024-39126: | |
| 97 | |
| 98 .. include:: upgrading.txt | |
| 99 :start-after: .. comment: _CVE-2024-39126: | |
| 100 :end-before: .. comment: end of CVE include marker |
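Review bot: the three `.. include:: upgrading.txt` directives at the end of the new file use inconsistent `:end-before:` markers. The blocks for CVE-2024-39124 and CVE-2024-39125 stop at the bare `.. comment:`, while the CVE-2024-39126 block and the template given in the header comment (`:end-before: .. comment: end of CVE`) stop at the full end marker. The short form matches the first line containing `.. comment:`, so it only works as long as the CVE section in upgrading.txt contains no other comment line; any intervening comment silently truncates the included text, and the truncation is not flagged by Sphinx. Suggest using `:end-before: .. comment: end of CVE include marker` in all three includes so each section is delimited by the marker the header comment tells authors to add. Minor: "but is is not commented out" in the header comment has a doubled word.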
