Mercurial > p > roundup > code
diff doc/announcement.txt @ 8357:abf1297e7a94
bug(security): fix XSS exploit in devel and responsive templates
Replace all occurances of:
tal:content="structure context/MUMBLE/plain"
with
tal:content="context/MUMBLE/plain"
This seems to have been an old way to handle display of a field when
the user did not have edit rights. It does not occur in current (later
than 2009) classic tracker templates. But probably was unsed in
earlier classic templates since devel, reponsive and the roundup issue
tracker templates were based on classic.
Add CVE placeholder to security.txt and link to fix directions added
to upgrading.txt. Add note in announcement.txt and CHANGES.txt
Add a details element around the table of contents in the upgrading
guide. It was getting long.
Updated a missed XSS issue in the roundup tracker template. Live site
is already fixed.
XSS bug reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 13:38:08 -0400 |
| parents | 85aae98b8c82 |
| children |
line wrap: on
line diff
--- a/doc/announcement.txt Tue Jul 08 10:23:09 2025 -0400 +++ b/doc/announcement.txt Tue Jul 08 13:38:08 2025 -0400 @@ -4,7 +4,7 @@ <https://www.roundup-tracker.org/docs/upgrading.html>`_ to bring your tracker up to date. -The 41 changes, as usual, include some new features and many +The 42 changes, as usual, include some new features and many bug fixes. Version 2.5.0 does not support Python 2. The minimum Python @@ -28,6 +28,13 @@ Among the significant enhancements in version 2.5.0 compared to the 2.4.0 release are: +* **XSS vulnerability with devel and responsive templates fixed** + + Just before release an XSS security issue with trackers based on + the devel or responsive templates was discovered. The updating + directions include instructions on fixing this issue with the + html templates. + * **The property/field advanced search expression feature has been enhanced and documented.**