Mercurial > p > roundup > code
diff doc/security.txt @ 8365:4ac0bbb3e440
bug(security): CVE-2025-53865 - XSS bug
Extensive fixes in devel, responsive templates known to be
exploitable.
Similar constructs in classic and minimal templates not known
to be exploitable, but changed anyway.
doc/upgrading.txt:
Reformat to 66 characters.
Update with assigned CVE number.
Add section on fixing tal:replace with unsafe data.
Document analysis and assumptions in comment in file.
doc/security.txt:
Update with CVE number.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 11 Jul 2025 19:30:27 -0400 |
| parents | abf1297e7a94 |
| children | 58a1b4051a57 |
line wrap: on
line diff
--- a/doc/security.txt Thu Jul 10 23:03:27 2025 -0400 +++ b/doc/security.txt Fri Jul 11 19:30:27 2025 -0400 @@ -28,8 +28,8 @@ CVE Announcements ----------------- - * `CVE-2025-pending`_ - :ref:`XSS security issue with devel or - responsive templates <CVE-2025-pending>`. Fixed in release 2.5.0, + * `CVE-2025-53865`_ - :ref:`XSS security issue with devel or + responsive templates <CVE-2025-53865>`. Fixed in release 2.5.0, directions available for fixing trackers based on these templates. * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are @@ -43,8 +43,8 @@ executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions available for fixing in prior versions. -.. _CVE-2025-pending: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-pending +.. _CVE-2025-53865: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53865 .. _CVE-2024-39124: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39124 .. _CVE-2024-39125: