Mercurial > p > roundup > code
comparison doc/announcement.txt @ 4308:b30bdfae4461
Fix security hole allowing user permission escalation
(thanks Ralf Schlatterbeck)
also update docs and prepare for a release
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Sun, 20 Dec 2009 23:24:21 +0000 |
| parents | ffc6fa77e551 |
| children | 4ce71b5480a8 |
comparison
equal
deleted
inserted
replaced
| 4307:82f7f8708e1b | 4308:b30bdfae4461 |
|---|---|
| 1 I'm proud to release version 1.4.10 of Roundup which fixes some bugs: | 1 I'm proud to release version 1.4.11 of Roundup which fixes a number bugs |
| 2 and closes a potential security hole. | |
| 2 | 3 |
| 3 - Minor update of doc/developers.txt to point to the new resources | 4 All tracker maintainers must read the upgrading documentation to make sure |
| 4 on www.roundup-tracker.org (Bernhard Reiter) | 5 the hole is fixed in their tracker. |
| 5 - Small CSS improvements regaring the search box (thanks Thomas Arendsan Hein) | 6 |
| 6 (issue 2550589) | 7 Other changes in this release: |
| 7 - Indexers behaviour made more consistent regarding length of indexed words | 8 |
| 8 and stopwords (thanks Thomas Arendsen Hein, Bernhard Reiter)(issue 2550584) | 9 - Generic class editor may now restore retired items (thanks Ralf Hemmecke) |
| 9 - fixed typos in the installation instructions (thanks Thomas Arendsen Hein) | 10 - Fix security hole allowing user permission escalation (thanks Ralf |
| 10 (issue 2550573) | 11 Schlatterbeck) |
| 11 - New config option csv_field_size: Pythons csv module (which is used | 12 - More SSL fixes. SSL wants the underlying socket non-blocking. So we |
| 12 for export/import) has a new field size limit starting with python2.5. | 13 don't call socket.setdefaulttimeout in case of SSL. This apparently |
| 13 We now issue a warning during export if the limit is too small and use | 14 never raises a WantReadError from SSL. |
| 14 the csv_field_size configuration during import to set the limit for | 15 This also fixes a case where a WantReadError is raised and apparently |
| 15 the csv module. | 16 the bytes already read are dropped (seems the WantReadError is really |
| 16 - Small fix for CGI-handling of XMLRPC requests for python2.4, this | 17 an error, not just an indication to retry). |
| 17 worked only for 2.5 and beyond due to a change in the xmlrpc interface | 18 - Correct initial- and end-handshakes for SSL |
| 18 in python | 19 - Update FAQ to mention infinite redirects with pathological settings of |
| 19 - Document filter method of xmlrpc interface | 20 the tracker->web variable. Closes issue2537286, thanks to "stuidge" |
| 20 - Fix interaction of SSL and XMLRPC, now XMLRPC works with SSL | 21 for reporting. |
| 22 - Fix some format errors in italian translation file | |
| 23 - Some bugs issue classifiers were causing database lookup errors | |
| 24 - Fix security-problem: If user hasn't permission on a message (notably | |
| 25 files and content properties) and is on the nosy list, the content was | |
| 26 sent via email. We now check that user has permission on the message | |
| 27 content and files properties. Thanks to Intevation for funding this | |
| 28 fix. | |
| 29 - Fix traceback on .../msgN/ url, this requests the file content and for | |
| 30 apache mod_wsgi produced a traceback because the mime type is None for | |
| 31 messages, fixes issue2550586, thanks to Thomas Arendsen Hein for | |
| 32 reporting and to Intevation for funding the fix. | |
| 33 - Handle OPTIONS http request method in wsgi handler, fixes issue2550587. | |
| 34 Thanks to Thomas Arendsen Hein for reporting and to Intevation for | |
| 35 funding the fix. | |
| 36 - Add documentation for migrating to the Register permission and | |
| 37 fix mailgw to use Register permission, fixes issue2550599 | |
| 38 - Fix styling of calendar to make it more usable, fixes issue2550608 | |
| 39 - Fix typo in email section of user guide, fixes issue2550607 | |
| 40 - Fix WSGI response code (thanks Peter Pöml) | |
| 41 - Fix linking of an existing item to a newly created item, e.g. | |
| 42 edit action in web template is name="issue-1@link@msg" value="msg1" | |
| 43 would trigger a traceback about an unbound variable. | |
| 44 Add new regression test for this case. May be related to (now closed) | |
| 45 issue1177477. Thanks to Intevation for funding the fix. | |
| 46 - Clean up all the places where role processing occurs. This is now in a | |
| 47 central place in hyperdb.Class and is used consistently throughout. | |
| 48 This also means now a template can override the way role processing | |
| 49 occurs (e.g. for elaborate permission schemes). Thanks to intevation | |
| 50 for funding the change. | |
| 51 - Fix issue2550606 (german translation bug) "an hour" is only used in | |
| 52 the context "in an hour" or "an hour ago" which translates to german | |
| 53 "in einer Stunde" or "vor einer Stunde". So "an hour" is translated | |
| 54 "einer Stunde" (which sounds wrong at first). Also note that date.py | |
| 55 already has a comment saying "XXX this is internationally broken" -- | |
| 56 but at least there's a workaround for german :-) Thanks to Chris | |
| 57 (radioking) for reporting. | |
| 21 | 58 |
| 22 If you're upgrading from an older version of Roundup you *must* follow | 59 If you're upgrading from an older version of Roundup you *must* follow |
| 23 the "Software Upgrade" guidelines given in the maintenance documentation. | 60 the "Software Upgrade" guidelines given in the maintenance documentation. |
| 24 | 61 |
| 25 Roundup requires python 2.3 or later (but not 3+) for correct operation. | 62 Roundup requires python 2.3 or later (but not 3+) for correct operation. |