mirror of https://github.com/TracksApp/tracks.git, synced 2025-12-16 15:20:13 +01:00
Version 2.5.1
parent c2dbebf235
commit 5e5715d9de
3 changed files with 25 additions and 7 deletions
@ -1,7 +1,28 @@
## Version 2.5.0
See doc/upgrading.md for the upgrade documentation!
## Version 2.5.1
### Security issue disclosure
Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently
fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS content
in the user's own data. The content is only shown to the user themself,
which mitigates the vulnerability in the normal use case where a single
user account is only used by one person. The CVSS rating for self-XSS is
debatable and thus is not published for this issue.
I want to thank Joe for reporting the issue and for the insightful discussion
regarding the issue. Thanks to the disclosure there is now also a written
security policy for the project.
### Bug fixes
* Editing a due date in the calendar view fixed
* Adding actions in the context view fixed
* Fixed the recurring todo UI
## Version 2.5.0
### New features
* Updated documentation both in the doc directory and online.
* .skip-docker file has been replaced with .use-docker, see upgrading.md for
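
Review bot: In the "Security issue disclosure" entry, the phrase "inadvertently fixed in 2.5.0 by another bug fix" leaves readers unable to tell which releases are affected or which change closed the hole. State the affected range explicitly and reference the fixing change, and because the fix was a side effect of unrelated work, confirm that a regression test pins the corrected rendering so a later refactor does not reopen it. The entry also says there is now a written security policy without saying where it lives; a path or link would let reporters find it.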