comparison doc/security.txt @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 301b0988a351 |
| children | 4dfc07ee489a |
| 8061:b1d384d23cdb | 8062:28aa76443f58 |
|---|---|
| 1 .. meta:: | 1 .. meta:: |
| 2 :description: | 2 :description: |
| 3 Documentation on how to report security issues with | 3 Documentation on how to report security issues with |
| 4 Roundup. Also index to security related portions in other | 4 Roundup. Index to recent security related (CVE) descriptions |
| 5 Roundup documentation. How to verify distribution using gpg. | 5 in other Roundup documentation. How to verify distribution |
| 6 using gpg. | |
| 6 | 7 |
| 7 .. index:: | 8 .. index:: |
| 8 single: Reporting Security Issues | 9 single: Reporting Security Issues |
| 10 single: CVE announcements | |
| 9 single: Security Issues, Reporting | 11 single: Security Issues, Reporting |
| 12 single: Security Issues, Remediation | |
| 13 single: Security Issues, CVE announcements | |
| 10 | 14 |
| 11 | 15 |
| 12 ======================= | 16 ======================= |
| 13 Roundup Security Issues | 17 Roundup Security Issues |
| 14 ======================= | 18 ======================= |
| 15 | 19 |
| 16 This page documents how to report security issues and verify the | 20 This page documents CVE's fixed starting with version 2.4.0, how to |
| 17 signatures for Roundup releases. | 21 report security issues, and verify the signatures for Roundup |
| 22 source release tarballs. | |
| 23 | |
| 24 .. contents:: | |
| 25 :local: | |
| 26 :depth: 2 | |
| 27 | |
| 28 CVE Announcements | |
| 29 ----------------- | |
| 30 | |
| 31 * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are | |
| 32 vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing | |
| 33 tracker homes. | |
| 34 * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag, | |
| 35 it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0, | |
| 36 directions available for fixing in prior versions. | |
| 37 * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an | |
| 38 issue can contain embedded JavaScript which is | |
| 39 executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions | |
| 40 available for fixing in prior versions. | |
| 41 | |
| 42 .. _CVE-2024-39124: | |
| 43 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39124 | |
| 44 .. _CVE-2024-39125: | |
| 45 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39125 | |
| 46 .. _CVE-2024-39126: | |
| 47 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39126 | |
| 48 | |
| 18 | 49 |
| 19 Reporting Security Issues | 50 Reporting Security Issues |
| 20 ------------------------- | 51 ------------------------- |
| 21 Security issues with Roundup should be reported by email to: | 52 Security issues with Roundup should be reported by email to: |
| 22 | 53 |
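Review bot: the three `:ref:` cross-references added at new lines 31-40 (`<CVE-2024-39124>`, `<CVE-2024-39125>`, `<CVE-2024-39126>`) are not defined in this hunk; the `.. _CVE-2024-39124:` targets at new lines 42-47 carry a URL, so Sphinx treats them as external hyperlinks, not as labels, and `:ref:` will only resolve if matching labels exist in the document that holds the remediation directions. Please confirm those labels are present there, otherwise the build warns about undefined labels and the link text renders without a link. Two smaller points: new line 20 should read "CVEs" rather than "CVE's", and the CVE-2024-39124 bullet is the only one that does not state which release (if any) fixes it, so a reader cannot tell whether upgrading is enough or whether "Requires fixing tracker homes" is the full remedy; one phrase like the other two bullets use would make that clear.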
| 86 | 117 |
| 87 Once you have loaded the public key, you need a detached signature for | 118 Once you have loaded the public key, you need a detached signature for |
| 88 your release. | 119 your release. |
| 89 | 120 |
| 90 | 121 |
| 91 Download and Verify with Detached Signature | 122 Download Detached Signature and Verify |
| 92 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 93 | 124 |
| 94 This needs to be done once for each release you wish to verify. | 125 This needs to be done once for each release you wish to verify. |
| 95 | 126 |
| 96 The Python Package Index (PyPI) used to support uploading gpg detached | 127 The Python Package Index (PyPI) used to support uploading gpg detached |
| 97 signatures. However that is no longer supported and downloading | 128 signatures. However that is no longer supported and downloading |
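Review bot: the new heading at line 122 and its underline are the same length (38 characters), so the reStructuredText is valid; while touching this section, the sentence starting at line 128 reads better as "However, that is no longer supported and ..." (comma after "However").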
| 135 | 166 |
| 136 gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT | 167 gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT |
| 137 gpg: using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8 | 168 gpg: using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8 |
| 138 gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" | 169 gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" |
| 139 | 170 |
| 140 **do not use** the tarball if the signature is BAD. Email the | 171 **do not use** the tarball if the signature is BAD. Email the mailing |
| 141 roundup-devel mailing list if you have this happen to you. | 172 list: roundup-devel at lists.sourceforge.net if you have this happen |
| 173 to you. |
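Review bot: new lines 171-173 send a user who sees a BAD signature to the public roundup-devel list only. A BAD signature can mean a tampered or truncated download rather than a stray bit flip, so this paragraph should also point to the security reporting address given under "Reporting Security Issues" (line 52) and ask the reporter to include the full gpg output and the URL the tarball was fetched from; suggesting a fresh download from the official release location before reporting would also cut down on false alarms. The sentence at line 171 should start with a capital, e.g. "**Do not use** the tarball if the signature is BAD."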
