comparison doc/CVE.txt @ 8416:370689471a08 issue2550923_computed_property
merge from default branch accumulated changes since Nov 2023
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 17 Aug 2025 16:12:25 -0400 |
| parents | d6b447de4f59 |
| children | |
| 7693:78585199552a | 8416:370689471a08 |
|---|---|
| 1 .. comments: | |
| 2 This file is a temporary way to post CVE notifications before | |
| 3 a release. | |
| 4 | |
| 5 Document the CVE fix info in upgrading.txt. We extract the sections | |
| 6 from upgrading.txt that deal with the CVE into a separate CVE.html. | |
| 7 An updated docs/security.html and docs/CVE.html provide the details | |
| 8 on a between release CVE announcment. | |
| 9 | |
| 10 Publishing upgrading.txt would include info on the to be released | |
| 11 roundup software and wouldn't match the rest of the release docs. | |
| 12 | |
| 13 To extract the info from upgrading.txt to use in CVE.html, add a | |
| 14 commented out a reference anchor in upgrading.txt. Then in CVE.txt | |
| 15 we use an include directive with start-after and end-before options | |
| 16 to exract the sections from upgrading.txt into CVE.html. | |
| 17 | |
| 18 The extracted section in CVE.txt gets the same anchor that is in | |
| 19 upgrading.txt, but is is not commented out. This allows us to swap | |
| 20 out CVE.txt and uncomment the reference in upgrading.txt. Then | |
| 21 rerunning sphinx-build will make security.html point to the sections | |
| 22 in upgrading.html. | |
| 23 | |
| 24 For example, in upgrading.txt add a | |
| 25 | |
| 26 .. comment: _CVE-2024-39124: | |
| 27 | |
| 28 before the section for the CVE (use the real CVE number). At the | |
| 29 end of the CVE section add an end comment: | |
| 30 | |
| 31 .. comment: end of CVE include marker | |
| 32 | |
| 33 Update security.txt with a :ref: to the CVE section. E.G. a | |
| 34 security.txt references look like: | |
| 35 | |
| 36 * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are | |
| 37 vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing | |
| 38 tracker homes. | |
| 39 | |
| 40 where <CVE-2024-39124> is the reference. The same reference anchor | |
| 41 is present (commented out) in upgrading.txt. In CVE.txt you | |
| 42 replicate the existing anchor and include to extract the content | |
| 43 section from upgrading.txt. E.G. | |
| 44 | |
| 45 .. _CVE-2024-39124: | |
| 46 | |
| 47 .. include:: upgrading.txt | |
| 48 :start-after: .. comment: _CVE-2024-39124: | |
| 49 :end-before: .. comment: end of CVE | |
| 50 | |
| 51 After building the docs, install docs/security.html and | |
| 52 docs/CVE.html on the web site. Reference: | |
| 53 | |
| 54 https://www.roundup-tracker.org/docs/security.html | |
| 55 | |
| 56 in the CVE announcement from Mitre. | |
| 57 | |
| 58 When the release is ready, replace 'comment: _CVE' with '_CVE' in | |
| 59 upgrading.txt. This makes the anchors in upgrading.txt live. | |
| 60 | |
| 61 Then disable CVE.txt by removing CVE.txt from contents.txt in the | |
| 62 toctree hidden section. Also add docs/CVE.txt to exclude_patterns in | |
| 63 conf.py. | |
| 64 | |
| 65 No change needs to happen to security.txt as it's using a :ref: and | |
| 66 we just changed the location for the ref so sphinx will get the | |
| 67 links correct. | |
| 68 | |
| 69 Now build the docs and publish to the web site. | |
| 70 | |
| 71 =========== | |
| 72 Roundup CVE | |
| 73 =========== | |
| 74 | |
| 75 This is a list of remediation for CVE's that are not fixed in the | |
| 76 latest release. When the latest release fixes the CVE, see `the | |
| 77 upgrading doc <upgrading.html>`_ for these details. | |
| 78 | |
| 79 .. contents:: | |
| 80 :local: | |
| 81 :depth: 2 | |
| 82 | |
| 83 .. _CVE-2024-39124: | |
| 84 | |
| 85 .. note:: | |
| 86 | |
| 87 Prior to the release of Roundup 2.4.0, you can access updated | |
| 88 tracker templates that address CVE-2024-39124 from | |
| 89 `CVE-2024-39124-templates.zip | |
| 90 <../CVE-2024-39124-templates.zip>`_. Download and extract the zip | |
| 91 file to generate a templates subdirectory containing the classic, | |
| 92 minimal and other tracker templates. | |
| 93 | |
| 94 .. include:: upgrading.txt | |
| 95 :start-after: .. comment: _CVE-2024-39124: | |
| 96 :end-before: .. comment: | |
| 97 | |
| 98 .. _CVE-2024-39125: | |
| 99 | |
| 100 .. include:: upgrading.txt | |
| 101 :start-after: .. comment: _CVE-2024-39125: | |
| 102 :end-before: .. comment: | |
| 103 | |
| 104 .. _CVE-2024-39126: | |
| 105 | |
| 106 .. include:: upgrading.txt | |
| 107 :start-after: .. comment: _CVE-2024-39126: | |
| 108 :end-before: .. comment: end of CVE include marker |
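Review bot: the hunk removes doc/CVE.txt entirely, whereas the workflow described in the file's own header comment ("Then disable CVE.txt by removing CVE.txt from contents.txt in the toctree hidden section. Also add docs/CVE.txt to exclude_patterns in conf.py.") keeps the file in the tree and only takes it out of the build, so it can be swapped back in for the next between-release CVE. Deleting it also drops the only written record of the include/anchor procedure. Two things should be confirmed in the same change rather than assumed: first, that contents.txt and conf.py no longer reference CVE.txt, otherwise sphinx-build will warn about a missing toctree entry; second, that the `.. comment: _CVE-2024-39124:`, `.. comment: _CVE-2024-39125:` and `.. comment: _CVE-2024-39126:` markers in upgrading.txt were changed to live `.. _CVE-...:` anchors, because once the `.. _CVE-2024-3912x:` targets defined here are gone, the :ref: links in security.txt resolve to nothing and the published security page silently loses its pointers to the remediation text. If the deletion is intentional, consider moving the header comment (the CVE.txt template and the release-time swap steps) into a developer-facing doc so the procedure survives the removal.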
