diff --git a/CHANGES.txt b/CHANGES.txt index 2170eed1..106e9aa6 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -16,6 +16,21 @@ python 3.6 or newer (3.4/3.5 might work, but they are not tested). Fixed: +- CVE-2024-39124 - The classhelpers (_generic.help.html) are + vulnerable to an XSS attack. A specially crafted URL that used + that endpoint would result in running a script embedded in the + URL. (Found/reported by Alec Romano (4rdr), fix/tests John + Rouillard) +- CVE-2024-39125 - If the Referer header is set to a script tag, + it will be executed when the error in the Referer header is + reported. (Found/reported by Alec Romano (4rdr), fix/tests John + Rouillard) +- CVE-2024-39126 - PDF, XML and SVG files attached to an issue can contain + embedded JavaScript. This JavaScript was executed when the file was + accessed. PDF files are now downloaded and not displayed in the + browser. A content security policy is added for all download files + which prevents code execution in SVG files. (Found/reported by Alec + Romano (4rdr), fix/tests John Rouillard) - issue2551282 - MySQL utf8mb4 issues and issue2551115 - Use utf8mb4 as a default for MySQL instead of utf8 The default database type and collations have been set to: diff --git a/doc/CVE.txt b/doc/CVE.txt new file mode 100644 index 00000000..10b72530 --- /dev/null +++ b/doc/CVE.txt 
@@ -0,0 +1,100 @@ +.. comments: + This file is a temporary way to post CVE notifications before + a release. + + Document the CVE fix info in upgrading.txt. Publishing + upgrading.txt would push info on the next release not the current + release. + + So we comment out a reference anchor in upgrading.txt and use that + comment to extract the section from upgrading.txt into CVE.txt. + The extracted section gets the same anchor that is in upgrading.txt, + but is is not commented out. + + Then we add a summary to the list of CVE's in security.txt using a + :ref: to the anchor. If CVE.txt is part of the build and + upgrading.txt has a commented out anchor, security.txt entries link + to CVE.html in the generated documentation. + + In upgrading.txt add a + + .. comment: _CVE-2024-39124: + + before the section for the CVE (use the real CVE number). At the + end of the CVE section add an end comment: + + .. comment: end of CVE include marker + + Update security.txt with a :ref: to the CVE section. E.G. a + security.txt references look like: + + * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are + vulnerable to an XSS attack. ` Requires fixing + tracker homes. + + where is the reference. The same reference anchor + is present (commented out) in upgrading.txt. In CVE.txt you + replicate the existing anchor and include to extract the content + section from upgrading.txt. E.G. + + .. _CVE-2024-39124: + + .. include:: upgrading.txt + :start-after: .. comment: _CVE-2024-39124: + :end-before: .. comment: end of CVE + + After building the docs, install docs/security.html and + docs/CVE.html on the web site. Use the security.html URL + on the web site to update the CVE report. + + When the release is ready, replace 'comment: _CVE' with '_CVE' in + upgrading.txt. This makes the anchors in upgrading.txt live. + + Then disable CVE.txt by removing CVE.txt from contents.txt in the + toctree hidden section. Also add CVE.txt to exclude_patterns in + conf.py. 
+ + No change needs to happen to security.txt as it's using a :ref: and + we just changed the location for the ref so sphinx will get the + links correct. + + Now build the docs and publish to the web site. + +=========== +Roundup CVE +=========== + +This is a list of remediation for CVE's that are not fixed in the +latest release. When the latest release fixes the CVE, see `the +upgrading doc `_ for these details. + +.. contents:: + :local: + :depth: 2 + +.. _CVE-2024-39124: + +.. note:: + + Prior to the release of Roundup 2.4.0, you can access updated + tracker templates that address CVE-2024-39124 from + `CVE-2024-39124-templates.zip + <../CVE-2024-39124-templates.zip>`_. Download and extract the zip + file to generate a templates subdirectory containing the classic, + minimal and other tracker templates. + +.. include:: upgrading.txt + :start-after: .. comment: _CVE-2024-39124: + :end-before: .. comment: + +.. _CVE-2024-39125: + +.. include:: upgrading.txt + :start-after: .. comment: _CVE-2024-39125: + :end-before: .. comment: + +.. _CVE-2024-39126: + +.. include:: upgrading.txt + :start-after: .. comment: _CVE-2024-39126: + :end-before: .. comment: end of CVE include marker diff --git a/doc/acknowledgements.txt b/doc/acknowledgements.txt index 54663e5a..0db8ae3c 100644 --- a/doc/acknowledgements.txt +++ b/doc/acknowledgements.txt @@ -40,6 +40,8 @@ Norbert Schlemmer - docker support Bharath Kanama, Nikunj Thakkar, Patel Malav - classhelper web component development. +Alec Romano (4rdr) - identified multiple security issues + 2.3 --- diff --git a/doc/announcement.txt b/doc/announcement.txt index 800beb22..82214502 100644 --- a/doc/announcement.txt +++ b/doc/announcement.txt 
@@ -4,7 +4,7 @@ release, so make sure to read `docs/upgrading.txt `_ to bring your tracker up to date. -The 67 changes, as usual, include some new features and many +The 79 changes, as usual, include some new features and many bug fixes. Note that you should run ``roundup-admin ... migrate`` to @@ -22,12 +22,16 @@ You can install it with:: then unpack and test/install from the tarball. -Beta 2 includes a small change to the classic tracker's -classhelper.js to fix a bug found after beta 1 was released. - Among the notable improvements in 2.4.0 from the 2.3.0 release are: +* three CVE's have been fixed. One requires changes to your + tracker's home directory. The other two are fixed by + installing 2.4.0. See + https://www.roundup-tracker.org/docs/security.html for + details and instructions on how to fix these in 2.4.0 and + earlier releases. + * new classhelper component thanks to a team of students from CS682 at U-Mass Boston. This fixes many issues with the old classhelper. It is implemented as a web-component @@ -87,7 +91,7 @@ release are: * sqlite version 1 and StructuredText support removed. The file CHANGES.txt has a detailed list of feature -additions and bug fixes (67) for each release. The most +additions and bug fixes for each release. The most recent changes from there are at the end of this announcement. Also see the information in doc/upgrading.txt. diff --git a/doc/security.txt b/doc/security.txt index 89676352..e9756e00 100644 --- a/doc/security.txt +++ b/doc/security.txt 
@@ -1,20 +1,51 @@ .. meta:: :description: Documentation on how to report security issues with - Roundup. Also index to security related portions in other - Roundup documentation. How to verify distribution using gpg. + Roundup. Index to recent security related (CVE) descriptions + in other Roundup documentation. How to verify distribution + using gpg. .. index:: single: Reporting Security Issues + single: CVE announcements single: Security Issues, Reporting + single: Security Issues, Remediation + single: Security Issues, CVE announcements ======================= Roundup Security Issues ======================= -This page documents how to report security issues and verify the -signatures for Roundup releases. +This page documents CVE's fixed starting with version 2.4.0, how to +report security issues, and verify the signatures for Roundup +source release tarballs. + +.. contents:: + :local: + :depth: 2 + +CVE Announcements +----------------- + + * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are + vulnerable to an XSS attack. ` Requires fixing + tracker homes. + * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag, + it will be executed. ` Fixed in release 2.4.0, + directions available for fixing in prior versions. + * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an + issue can contain embedded JavaScript which is + executed. ` Fixed in release 2.4.0, directions + available for fixing in prior versions. + +.. _CVE-2024-39124: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39124 +.. _CVE-2024-39125: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39125 +.. _CVE-2024-39126: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39126 + Reporting Security Issues ------------------------- 
@@ -88,8 +119,8 @@ Once you have loaded the public key, you need a detached signature for your release. -Download and Verify with Detached Signature -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Download Detached Signature and Verify +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This needs to be done once for each release you wish to verify. @@ -137,5 +168,6 @@ If something is wrong you will see:: gpg: using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8 gpg: BAD signature from "Roundup Team (signing key for roundup releases) " -**do not use** the tarball if the signature is BAD. Email the -roundup-devel mailing list if you have this happen to you. +**do not use** the tarball if the signature is BAD. Email the mailing +list: roundup-devel at lists.sourceforge.net if you have this happen +to you. diff --git a/doc/upgrading.txt b/doc/upgrading.txt index 6ada66a4..e1d6f32f 100644 --- a/doc/upgrading.txt +++ b/doc/upgrading.txt 
@@ -122,12 +122,290 @@ This will insert the bad API login rate limiting settings. Also if you have ``html_version`` set to ``xhtml``, you will get an error. -Use of xhtml html_version disabled (required) ---------------------------------------------- +.. comment: _CVE-2024-39124: -If you enabled xhtml formatted templates, you will need to -change them to html (html4) format. Also change the value of -``html_version`` from ``xhtml`` to ``html``. +Fix for CVE-2024-39124 in help/calendar popups (recommended) +------------------------------------------------------------ + +Classhelper components accessed via URL using ``@template=help``, +``@template=calendar`` or other template frame in the classhelper +can run JavaScript embedded in the URL. If user clicks on a +malicious URL that: + + * arrives in an email, + * is embedded in a note left on a ticket [#markdown-note]_, + * left on some other web page + +the JavaScript code will be executed. This vulnerability seems to +be limited to manually crafted URL's. It has not been generated +by using Roundup's mechanism for generating classhelper URLs. + +The files that need to be changed to fix this depend on the +template used to create the tracker. Check the +TEMPLATE-INFO.txt file in your tracker home. The template +name is the first component of the ``Name`` field. For +example trackers with Names like:: + + Name: classic-bugtracker + + Name: devel-mytracker + +were derived from the ``classic`` and ``devel`` templates +respectively. If your tracker is derived from the jinja2 +template, you may not be affected as it doesn't provide +classhelpers by default. If you aren't sure which tracker +template was used to create your tracker home, check the +``html/help.html`` file for the word ``Javascript``. If your +help.html is missing the word ``Javascript``, follow the +directions for the classic template. 
+ +If you have not modified the original tracker html +templates, you can copy replacement files from the new +templates supplied with release 2.4.0. If you install 2.4.0 +in a `new virtual environment +`_, you can use the +command ``roundup-admin templates`` to find the installation +path of the default templates. + +If your template was based on the classic template, replace the +following files in your tracker: + + * html/_generic.calendar.html + * html/_generic.help-list.html + * html/_generic.help-submit.html + * html/_generic.help.html + * html/user.help-search.html + * html/user.help.html + +If your template was based on the minimal template, replace the +following files in your tracker: + + * html/_generic.calendar.html + * html/_generic.help.html + +If your template was based on the responsive or devel templates, +replace the following files in your tracker: + + * html/_generic.calendar.html + * html/_generic.help-submit.html + * html/help.html + * html/user.help-search.html + * html/user.help.html + +As an example, assume Roundup's virtual environment is +``/tools/roundup``. The classic tracker's default template will +be in ``/tools/roundup/share/roundup/templates/classic``. +Copy +``/tools/roundup/share/roundup/templates/classic/html/_generic.calendar.html`` +to ``html/_generic.calendar.html`` in your tracker's home +directory. Repeat for every one of the files that needs to +be replaced. + +If you have made local changes to your popup/classhelper +files or have created new help templates based on the +existing ones, don't copy the default files. Instead, follow +the directions below to modify each file as needed for your +template. + +In the examples below, your script tag may differ. For +example it could include:: + + tal:attributes="nonce request/client/client_nonce" + +If it does, keep the differences. You want to make changes +to remove the structure option but keep the rest of the +valid attributes. 
+ +Most files have a small script that sets a few variables +from the settings in the URL. You should change:: + + + field = '${request/form/property/value}';"> diff --git a/share/roundup/templates/classic/html/_generic.help.html b/share/roundup/templates/classic/html/_generic.help.html index ae862149..d3c79d5c 100644 --- a/share/roundup/templates/classic/html/_generic.help.html +++ b/share/roundup/templates/classic/html/_generic.help.html @@ -9,7 +9,7 @@ tal:content="property | default" i18n:translate="" /> help - diff --git a/share/roundup/templates/classic/html/user.help.html b/share/roundup/templates/classic/html/user.help.html index 55fc4265..3187cfde 100644 --- a/share/roundup/templates/classic/html/user.help.html +++ b/share/roundup/templates/classic/html/user.help.html @@ -14,11 +14,10 @@ tal:replace="config/TRACKER_NAME" /> diff --git a/share/roundup/templates/devel/html/user.help-search.html b/share/roundup/templates/devel/html/user.help-search.html index c3874bef..7ecf99cb 100644 --- a/share/roundup/templates/devel/html/user.help-search.html +++ b/share/roundup/templates/devel/html/user.help-search.html @@ -5,11 +5,10 @@ Search input for user helper diff --git a/share/roundup/templates/devel/html/user.help.html b/share/roundup/templates/devel/html/user.help.html index 29b32897..82c999d3 100644 --- a/share/roundup/templates/devel/html/user.help.html +++ b/share/roundup/templates/devel/html/user.help.html @@ -6,7 +6,7 @@ field request/form/property/value"> + diff --git a/share/roundup/templates/responsive/html/user.help-search.html b/share/roundup/templates/responsive/html/user.help-search.html index c3874bef..7ecf99cb 100644 --- a/share/roundup/templates/responsive/html/user.help-search.html +++ b/share/roundup/templates/responsive/html/user.help-search.html @@ -5,11 +5,10 @@ Search input for user helper 
diff --git a/share/roundup/templates/responsive/html/user.help.html b/share/roundup/templates/responsive/html/user.help.html index 29b32897..82c999d3 100644 --- a/share/roundup/templates/responsive/html/user.help.html +++ b/share/roundup/templates/responsive/html/user.help.html @@ -6,7 +6,7 @@ field request/form/property/value"> ' + cl.main() + match_at=out[0].find('\n", + f.content) + def test_byte_Ranges(self): """ Roundup only handles one simple two number range, or a single number to start from: @@ -1308,6 +1326,7 @@ def test_new_issue_with_file_upload(self): f = session.get(self.url_base()+'/file%(file)s/text1.txt'%m.groupdict()) self.assertEqual(f.text, file_content) self.assertEqual(f.headers["X-Content-Type-Options"], "nosniff") + self.assertEqual(f.headers["Content-Security-Policy"], "script-src 'none'") print(f.text) def test_new_file_via_rest(self): diff --git a/website/issues/html/_generic.calendar.html b/website/issues/html/_generic.calendar.html index e12a2191..9b9a936c 100644 --- a/website/issues/html/_generic.calendar.html +++ b/website/issues/html/_generic.calendar.html @@ -8,7 +8,7 @@ + field = '${request/form/property/value}';"> diff --git a/website/issues/html/_generic.help-submit.html b/website/issues/html/_generic.help-submit.html index d3b88550..911e3249 100644 --- a/website/issues/html/_generic.help-submit.html +++ b/website/issues/html/_generic.help-submit.html @@ -7,11 +7,14 @@ Generic submit page for framed helper windows + diff --git a/website/issues/html/user.help.html b/website/issues/html/user.help.html index 63bd27ac..9978b3a6 100644 --- a/website/issues/html/user.help.html +++ b/website/issues/html/user.help.html @@ -15,11 +15,10 @@
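Review bot: the CVE-2024-39126 entry in CHANGES.txt names PDF, XML and SVG as the attachment types that can carry JavaScript, but only describes what now happens to PDF (downloaded instead of displayed) and SVG (a Content-Security-Policy on downloads blocks script execution). Say what happens to XML attachments, for example whether the same CSP header is applied to them, so an administrator reading the changelog can tell whether XML is covered by this fix or still needs attention.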
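Review bot: the three includes in doc/CVE.txt stop at different markers: the CVE-2024-39124 and CVE-2024-39125 includes use `:end-before: .. comment:`, which matches whatever `.. comment:` line comes next in upgrading.txt (today the next CVE's start marker), while the CVE-2024-39126 include uses `:end-before: .. comment: end of CVE include marker`. The header comment in the same file tells the editor to put an end marker after every CVE section, so use the explicit `end of CVE include marker` form for all three; otherwise reordering the sections or adding a non-CVE comment between them silently changes what gets extracted into CVE.html. While there, fix the typo "but is is not commented out" in that header comment and "a security.txt references look like" should read "a security.txt reference looks like".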
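Review bot: the upgrading.txt hunk deletes the "Use of xhtml html_version disabled (required)" heading and its paragraph (change xhtml templates to html, set ``html_version`` from ``xhtml`` to ``html``), yet the unchanged context line just above it, "Also if you have ``html_version`` set to ``xhtml``, you will get an error.", still leads into that section. If the section was moved further down the file that is fine, but if it was dropped it should be restored: the CVE text belongs in addition to the xhtml notice, not in its place.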
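Review bot: the new heading "Fix for CVE-2024-39124 in help/calendar popups (recommended)" tags the step as recommended, while security.txt says the CVE "Requires fixing tracker homes" and announcement.txt says one of the three CVEs "requires changes to your tracker's home directory". The three documents should agree; since the fix only takes effect once the files in the tracker home are replaced, "(required)" is the accurate tag here. Two wording fixes in the same section: "If user clicks on a malicious URL" should read "If a user clicks on a malicious URL", and "URL's" should be "URLs" (likewise "CVE's" in security.txt, CVE.txt and announcement.txt).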
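Review bot: the template fixes replace ``structure`` insertion with plain TAL insertion for values such as ``field = '${request/form/property/value}';`` inside a script block, and upgrading.txt tells administrators to "remove the structure option but keep the rest of the valid attributes". Because the value lands inside a single-quoted JavaScript string, escaping ``<``, ``>`` and ``&`` is not sufficient on its own; the escaping applied on the non-structure path must also neutralise ``'`` (and ideally ``\``), or a value like ``'; alert(1); //`` still breaks out of the string. Please confirm that is the case and extend the new escaping test so it requests ``@template=help`` with a property value containing ``'``, ``\`` and ``</script>`` and asserts that none of them reach the script body unescaped. It would also help the admins with hand-edited help templates if upgrading.txt listed which template variables (``property``, ``form``, the search fields) are affected rather than only the one example.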
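Review bot: the only new assertion on the ``Content-Security-Policy`` header is the one added to ``test_new_issue_with_file_upload``, which checks a plain text file. CHANGES.txt says the header is added for all downloaded files to stop script execution in SVG, and that PDFs are now downloaded instead of displayed, but neither behaviour is exercised here. Add a test that uploads an SVG containing a ``<script>`` element and asserts ``script-src 'none'`` on the download, and one that fetches a PDF attachment and asserts the response forces a download (``Content-Disposition: attachment``, if that is the mechanism used); without those, the PDF half of the CVE-2024-39126 fix has no regression test in this change.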
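Review bot: in the new "CVE Announcements" list in security.txt the CVE-2024-39125 and CVE-2024-39126 entries say "Fixed in release 2.4.0, directions available for fixing in prior versions", but the CVE-2024-39124 entry only says "Requires fixing tracker homes." Make it explicit that 2.4.0 ships corrected templates but that existing tracker homes must be updated by hand regardless of the Roundup version, with a pointer to the CVE-2024-39124-templates.zip mentioned in CVE.txt for users who cannot upgrade yet; as written a reader could conclude that installing 2.4.0 alone closes this one too.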