Merge pull request #2491 from TracksApp/release_2.5.1

Version 2.5.1

SECURITY.md

@@ -2,10 +2,7 @@
 
 ## Supported versions
 
-| Version | Supported          |
+Only the most recent stable version is supported.
-| ------- | ------------------ |
-| 2.4.x   | :white_check_mark: |
-| <2.4.x   | :x:                |
 
 ## Reporting a vulnerability
 

config/initializers/tracks.rb

@@ -1,4 +1,4 @@
-tracks_version='2.5.0'
+tracks_version='2.5.1'
 # comment out next two lines if you do not want (or can not) the date of the
 # last git commit in the footer
 info=`git log --pretty=format:"%ai" -1`

doc/CHANGELOG.md

@@ -1,7 +1,28 @@
-## Version 2.5.0
-
 See doc/upgrading.md for the upgrade documentation!
 
+## Version 2.5.1
+
+### Security issue disclosure
+
+Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently
+fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS content
+in the user's own data. The content is only shown to the user themself,
+which mitigates the vulnerability in the normal use case where a single
+user account is only used by one person. The CVSS rating for self-XSS is
+debatable and thus is not published for this issue.
+
+I want to thank Joe for reporting the issue and for the insightful discussion
+regarding the issue. Thanks to the disclosure there is now also a written
+security policy for the project.
+
+### Bug fixes
+
+* Editing a due date in the calendar view fixed
+* Adding actions in the context view fixed
+* Fixed the recurring todo UI
+
+## Version 2.5.0
+
 ### New features
 * Updated documentation both in the doc directory and online.
 * .skip-docker file has been replaced with .use-docker, see upgrading.md for