Skip to content

Commit

Permalink
Version 2.5.1
Browse files Browse the repository at this point in the history
  • Loading branch information
ZeiP committed Sep 24, 2020
1 parent c2dbebf commit 5e5715d
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 7 deletions.
5 changes: 1 addition & 4 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,7 @@

## Supported Versions

| Version | Supported |
| ------- | ------------------ |
| 2.4.x | :white_check_mark: |
| <2.4.x | :x: |
Only the most recent stable version is supported.

## Reporting a Vulnerability

Expand Down
2 changes: 1 addition & 1 deletion config/initializers/tracks.rb
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
tracks_version='2.5.0'
tracks_version='2.5.1'
# comment out next two lines if you do not want (or can not) the date of the
# last git commit in the footer
info=`git log --pretty=format:"%ai" -1`
Expand Down
25 changes: 23 additions & 2 deletions doc/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,28 @@
## Version 2.5.0

See doc/upgrading.md for the upgrade documentation!

## Version 2.5.1

### Security issue disclosure

Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently
fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS content
in the user's own data. The content is only shown to the user themself,
which mitigates the vulnerability in the normal use case where a single
user account is only used by one person. The CVSS rating for self-XSS is
debatable and thus is not published for this issue.

I want to thank Joe for reporting the issue and for the insightful discussion
regarding the issue. Thanks to the disclosure there is now also a written
security policy for the project.

### Bug fixes

* Editing a due date in the calendar view fixed
* Adding actions in the context view fixed
* Fixed the recurring todo UI

## Version 2.5.0

### New features
* Updated documentation both in the doc directory and online.
* .skip-docker file has been replaced with .use-docker, see upgrading.md for
Expand Down

0 comments on commit 5e5715d

Please sign in to comment.