comparison doc/security.txt @ 8416:370689471a08 issue2550923_computed_property
merge from default branch accumulated changes since Nov 2023
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 17 Aug 2025 16:12:25 -0400 |
| parents | c7a2e01793cd |
| children |
| 7693:78585199552a | 8416:370689471a08 |
|---|---|
| 1 .. meta:: | 1 .. meta:: |
| 2 :description: | 2 :description: |
| 3 Documentation on how to report security issues with | 3 Documentation on how to report security issues with |
| 4 Roundup. Also index to security related portions in other | 4 Roundup. Index to recent security related (CVE) descriptions |
| 5 Roundup documentation. How to verify distribution using gpg. | 5 in other Roundup documentation. How to verify distribution |
| 6 using gpg. | |
| 6 | 7 |
| 7 .. index:: | 8 .. index:: |
| 8 single: Reporting Security Issues | 9 single: Reporting Security Issues |
| 10 single: CVE announcements | |
| 9 single: Security Issues, Reporting | 11 single: Security Issues, Reporting |
| 12 single: Security Issues, Remediation | |
| 13 single: Security Issues, CVE announcements | |
| 10 | 14 |
| 11 | 15 |
| 12 ======================= | 16 ======================= |
| 13 Roundup Security Issues | 17 Roundup Security Issues |
| 14 ======================= | 18 ======================= |
| 15 | 19 |
| 16 This page documents how to report security issues and verify the | 20 This page documents CVE's fixed starting with version 2.4.0, how to |
| 17 signatures for Roundup releases. | 21 report security issues, and verify the signatures for Roundup |
| 22 source release tarballs. | |
| 23 | |
| 24 .. contents:: | |
| 25 :local: | |
| 26 :depth: 2 | |
| 27 | |
| 28 CVE Announcements | |
| 29 ----------------- | |
| 30 | |
| 31 * `CVE-2025-53865`_ - :ref:`XSS security issue with devel or | |
| 32 responsive templates <CVE-2025-53865>`. Fixed in release 2.5.0, | |
| 33 directions available for fixing trackers based on these templates. | |
| 34 | |
| 35 * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are | |
| 36 vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing | |
| 37 tracker homes. | |
| 38 * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag, | |
| 39 it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0, | |
| 40 directions available for fixing in prior versions. | |
| 41 * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an | |
| 42 issue can contain embedded JavaScript which is | |
| 43 executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions | |
| 44 available for fixing in prior versions. | |
| 45 | |
| 46 .. _CVE-2025-53865: | |
| 47 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53865 | |
| 48 .. _CVE-2024-39124: | |
| 49 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39124 | |
| 50 .. _CVE-2024-39125: | |
| 51 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39125 | |
| 52 .. _CVE-2024-39126: | |
| 53 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39126 | |
| 54 | |
| 18 | 55 |
| 19 Reporting Security Issues | 56 Reporting Security Issues |
| 20 ------------------------- | 57 ------------------------- |
| 21 Security issues with Roundup should be reported by email to: | 58 Security issues with Roundup should be reported by email to: |
| 22 | 59 |
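Review bot: the CVE-2024-39124 bullet in the new CVE Announcements list is the only one of the four that does not say which release carries the fix; the other three end with "Fixed in release 2.5.0" or "Fixed in release 2.4.0", so either add the fixed version here too or state explicitly that no release fixes it and the only remedy is updating the tracker home, otherwise a reader cannot tell whether upgrading alone is sufficient. Minor: "CVE's" in the rewritten intro sentence should be "CVEs", and the list spacing is inconsistent (a blank line after the first bullet, none between the remaining three).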
| 86 | 123 |
| 87 Once you have loaded the public key, you need a detached signature for | 124 Once you have loaded the public key, you need a detached signature for |
| 88 your release. | 125 your release. |
| 89 | 126 |
| 90 | 127 |
| 91 Download and Verify with Detached Signature | 128 Download Detached Signature and Verify |
| 92 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 129 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 93 | 130 |
| 94 This needs to be done once for each release you wish to verify. | 131 This needs to be done once for each release you wish to verify. |
| 95 | 132 |
| 96 The Python Package Index (PyPI) used to support uploading gpg detached | 133 The Python Package Index (PyPI) used to support uploading gpg detached |
| 97 signatures. However that is no longer supported and downloading | 134 signatures. However that is no longer supported and downloading |
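Review bot: renaming the section title from "Download and Verify with Detached Signature" to "Download Detached Signature and Verify" changes the HTML anchor Sphinx derives from the heading text, so any existing link to the old heading (from other Roundup docs, release announcements or mailing-list posts) will break; check the doc tree for references to the old title before merging, or put an explicit label such as `.. _download-detached-signature:` above the heading so the target stays stable regardless of wording, as the CVE link targets added in the first hunk already do.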
| 100 As a result, the signatures for all Roundup final releases starting | 137 As a result, the signatures for all Roundup final releases starting |
| 101 with 1.6.0 have been moved and are linked below: | 138 with 1.6.0 have been moved and are linked below: |
| 102 | 139 |
| 103 .. rst-class:: multicol | 140 .. rst-class:: multicol |
| 104 | 141 |
| 142 * `2.5.0 <../signatures/roundup-2.5.0.tar.gz.asc>`_ | |
| 143 * `2.4.0 <../signatures/roundup-2.4.0.tar.gz.asc>`_ | |
| 144 * `2.4.0b2 <../signatures/roundup-2.4.0b2.tar.gz.asc>`_ | |
| 105 * `2.3.0 <../signatures/roundup-2.3.0.tar.gz.asc>`_ | 145 * `2.3.0 <../signatures/roundup-2.3.0.tar.gz.asc>`_ |
| 106 * `2.3.0b2 <../signatures/roundup-2.3.0b2.tar.gz.asc>`_ | 146 * `2.3.0b2 <../signatures/roundup-2.3.0b2.tar.gz.asc>`_ |
| 107 * `2.2.0 <../signatures/roundup-2.2.0.tar.gz.asc>`_ | 147 * `2.2.0 <../signatures/roundup-2.2.0.tar.gz.asc>`_ |
| 108 * `2.1.0 <../signatures/roundup-2.1.0.tar.gz.asc>`_ | 148 * `2.1.0 <../signatures/roundup-2.1.0.tar.gz.asc>`_ |
| 109 * `2.0.0 <../signatures/roundup-2.0.0.tar.gz.asc>`_ | 149 * `2.0.0 <../signatures/roundup-2.0.0.tar.gz.asc>`_ |
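Review bot: the introductory sentence just above the list still says the links cover "all Roundup final releases starting with 1.6.0", but the list now carries the 2.4.0b2 signature alongside 2.3.0b2, so it covers beta releases as well; either drop "final" or add a clause for betas so the sentence matches the list it introduces.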
| 123 gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" [unknown] | 163 gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" [unknown] |
| 124 gpg: WARNING: This key is not certified with a trusted signature! | 164 gpg: WARNING: This key is not certified with a trusted signature! |
| 125 gpg: There is no indication that the signature belongs to the owner. | 165 gpg: There is no indication that the signature belongs to the owner. |
| 126 Primary key fingerprint: 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8 | 166 Primary key fingerprint: 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8 |
| 127 | 167 |
| 128 which verifies the tarball integrity. The WARNING is expected and the | 168 which verifies the tarball integrity. The WARNING is expected. |
| 129 date corresponds to the newest renewal of the Roundup key. As long as | 169 The date should be close to the release date of the version of Roundup. |
| 130 you see the output starting with "Good signature from" followed by the | 170 As long as you see the output starting with "Good signature from" |
| 131 Key Info for your key, everything is OK. | 171 followed by the Key Info above, everything is OK. |
| 132 | 172 |
| 133 If something is wrong you will see:: | 173 If something is wrong you will see:: |
| 134 | 174 |
| 135 gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT | 175 gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT |
| 136 gpg: using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8 | 176 gpg: using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8 |
| 137 gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" | 177 gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" |
| 138 | 178 |
| 139 **do not use** the tarball if the signature is BAD. Email the | 179 **do not use** the tarball if the signature is BAD. Email the mailing |
| 140 roundup-devel mailing list if you have this happen to you. | 180 list: roundup-devel at lists.sourceforge.net if you have this happen |
| 181 to you. |
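Review bot: the success criterion in the rewritten paragraph ("As long as you see the output starting with "Good signature from" followed by the Key Info above, everything is OK") is too weak on its own: gpg prints "Good signature" whenever the signature verifies against whichever key is in the local keyring, so the reader should also be told to compare the "Primary key fingerprint" line (411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8) against the fingerprint of the Roundup public key loaded in the previous step, and to treat a mismatch exactly like a BAD signature. Also, "The date should be close to the release date of the version of Roundup" does not say which date is meant; name the "gpg: Signature made ..." line explicitly, as the BAD example below this paragraph does show it.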
