view website/www/code.txt @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:

* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
  vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
  tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
  tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
  directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
  an issue can contain embedded JavaScript which is
  executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
  available for fixing in prior versions.

prior to 2.4.0 release this weekend that fixes the last two CVEs.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 141225d2981e |
| children | |
.. meta::
   :description: Information for developers of Roundup, including directions on checking out code from the repository, how to run demo mode and how to execute the tests.

Code
====

Project history is maintained in the `CHANGES.txt <https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt>`_ file in the Roundup code repository, which can also be viewed online through the SourceForge `web interface <https://sourceforge.net/p/roundup/code/ci/default/tree/>`_.

Get sources
-----------

Official **read-only access** to the Mercurial repository is provided through ::

    hg clone http://hg.code.sf.net/p/roundup/code roundup

**Read/write access** requires SSH password or SSH key authorization (see the `SourceForge.net docs for details <https://sourceforge.net/p/forge/documentation/Mercurial/>`_) ::

    hg clone ssh://USERNAME@hg.code.sf.net/p/roundup/code roundup

You also need to be added as a Roundup developer for write access - ask for it on the :doc:`roundup-devel list <contact>`.

You can also use the Roundup mirror on GitHub. It lags behind the Mercurial repository, but is usually only a couple of weeks old. You can clone it using::

    git clone https://github.com/roundup-tracker/roundup.git

Note that even though we have a mirror on GitHub, we don't use GitHub Issues (use https://issues.roundup-tracker.org instead) or Pull requests. The GitHub mirror is used for CI.

Run demo
--------

Roundup doesn't need any dependencies and works out of the box. The demo is accessible at http://localhost:8917/demo/ by default ::

    cd roundup
    python demo.py

Execute tests
-------------

::

    python -m pytest test

See the repository `README.txt <https://sourceforge.net/p/roundup/code/ci/tip/tree/README.txt>`_ for more info.
