From 5e5715d9de2b5df18977950ccf2ac1deede420b8 Mon Sep 17 00:00:00 2001 From: Jyri-Petteri Paloposki Date: Thu, 24 Sep 2020 12:28:57 +0300 Subject: [PATCH] Version 2.5.1 --- SECURITY.md | 5 +---- config/initializers/tracks.rb | 2 +- doc/CHANGELOG.md | 25 +++++++++++++++++++++++-- 3 files changed, 25 insertions(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 2eba0a1b2..9e9365942 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,10 +2,7 @@ ## Supported Versions -| Version | Supported | -| ------- | ------------------ | -| 2.4.x | :white_check_mark: | -| <2.4.x | :x: | +Only the most recent stable version is supported. ## Reporting a Vulnerability diff --git a/config/initializers/tracks.rb b/config/initializers/tracks.rb index b7b99dcc8..4acabf49a 100644 --- a/config/initializers/tracks.rb +++ b/config/initializers/tracks.rb @@ -1,4 +1,4 @@ -tracks_version='2.5.0' +tracks_version='2.5.1' # comment out next two lines if you do not want (or can not) the date of the # last git commit in the footer info=`git log --pretty=format:"%ai" -1` diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md index 657cf54ad..9a0c50a54 100644 --- a/doc/CHANGELOG.md +++ b/doc/CHANGELOG.md 
@@ -1,7 +1,28 @@ -## Version 2.5.0 - See doc/upgrading.md for the upgrade documentation! +## Version 2.5.1 + +### Security issue disclosure + +Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently +fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS content +in the user's own data. The content is only shown to the user themself, +which mitigates the vulnerability in the normal use case where a single +user account is only used by one person. The CVSS rating for self-XSS is +debatable and thus is not published for this issue. + +I want to thank Joe for reporting the issue and for the insightful discussion +regarding the issue. Thanks to the disclosure there is now also a written +security policy for the project. + +### Bug fixes + +* Editing a due date in the calendar view fixed +* Adding actions in the context view fixed +* Fixed the recurring todo UI + +## Version 2.5.0 + ### New features * Updated documentation both in the doc directory and online. * .skip-docker file has been replaced with .use-docker, see upgrading.md for
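Review bot: in the SECURITY.md hunk, the one-line replacement loses the information the deleted table carried: it no longer says which release is the current one or that earlier releases receive no fixes, so a user on 2.4.x cannot tell from this file whether they are covered. Suggest keeping an explicit pointer and the negative statement, e.g. `Only the most recent stable version is supported; see doc/CHANGELOG.md for the current release.` followed by `Older releases do not receive security fixes.`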
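Review bot: style point on the context lines of the config/initializers/tracks.rb hunk: the comment `# comment out next two lines if you do not want (or can not) the date of the` is missing its verb and reads badly next to the bumped `tracks_version='2.5.1'` line; suggest `# comment out the next two lines if you do not want (or cannot) show the date of the`. Also worth noting in the same comment that the following `info=\`git log --pretty=format:"%ai" -1\`` line shells out to git at application start, which is the reason a deployment without a git checkout needs to comment it out.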
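Review bot: in the doc/CHANGELOG.md hunk the removed line `- See doc/upgrading.md for the upgrade documentation!` is not restored under either the new `## Version 2.5.1` heading or the re-added `## Version 2.5.0` heading, yet the 2.5.0 entries that follow still say "see upgrading.md for"; suggest re-adding that line under 2.5.1 (or under both headings). In the security disclosure paragraph, state the affected range explicitly (by its own text, every release before 2.5.0) and name the 2.5.0 fix that closed the issue, so readers can check whether their deployment needs the upgrade rather than inferring it from "inadvertently fixed in 2.5.0". Minor: "the user themself" should be "the user themselves", and the bug-fix bullets mix "... fixed" and "Fixed ..." and cite no issue numbers.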