Tracks v2.5.1 Release Notes

Release Date: 2020-09-24
  • See doc/upgrading.md for the upgrade documentation!

    Security issue disclosure

    Joe Thorpe from Secarma disclosed an XSS issue that had already been
    fixed, inadvertently, by an unrelated bug fix in 2.5.0. Tracks previously
    rendered the user's own data unescaped, so script content stored there was
    executed in the browser of the user viewing it. The content is only shown
    to the user themselves, which mitigates the vulnerability in the normal use
    case where a single user account is only used by one person. The CVSS
    rating for self-XSS is debatable and thus is not published for this issue.
    Installations running 2.5.0 or later already contain the fix; earlier
    releases are affected and should be upgraded.
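    As an added illustration, not code from the Tracks project, the plain-Ruby ERB snippet below shows the difference between rendering stored user data raw and escaping it on output. The todo description is a constructed sample, the templates are assumptions (the release notes do not identify the actual Tracks view involved), and unescaped_script? is a hypothetical regression check. Plain ERB's <%= %> does not escape, so the unsafe template here stands in for Rails output marked raw or html_safe; Rails' own <%= %> escapes by default.

```ruby
require "erb"

# Constructed sample input (assumption, not data from Tracks): a todo
# description in which the user has saved a script tag.
SAMPLE_DESCRIPTION = %q{Call Bob <script>alert(document.cookie)</script> about "Q4"}

# Plain ERB's <%= %> does not escape; this is how Rails output marked
# raw/html_safe behaves. Escaping on output with ERB::Util.html_escape
# (the h() helper in Rails views) is the fix.
UNSAFE_TEMPLATE = ERB.new(%q{<li class="todo"><%= description %></li>})
SAFE_TEMPLATE   = ERB.new(%q{<li class="todo"><%= ERB::Util.html_escape(description) %></li>})

# Render one todo's description either raw (vulnerable) or escaped (hardened).
def render_todo(description, escape:)
  template = escape ? SAFE_TEMPLATE : UNSAFE_TEMPLATE
  template.result_with_hash(description: description)
end

# Hypothetical regression check: flag rendered HTML that still contains a
# live <script> tag. Escaped output only ever contains "&lt;script".
SCRIPT_TAG = /<\s*script\b/i

def unescaped_script?(html)
  html.match?(SCRIPT_TAG)
end

if __FILE__ == $0
  puts "vulnerable: #{render_todo(SAMPLE_DESCRIPTION, escape: false)}"
  puts "hardened:   #{render_todo(SAMPLE_DESCRIPTION, escape: true)}"
end
```

    A check like unescaped_script? run over rendered views in a test suite catches a regression of this kind even when the fix arrives by accident, as it did in 2.5.0.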

    I want to thank Joe for reporting the issue and for the insightful discussion
    regarding the issue. Thanks to the disclosure there is now also a written
    security policy for the project.

    ๐Ÿ› Bug fixes

    • ๐Ÿ›  Editing a due date in the calendar view fixed
    • โž• Adding actions in the context view fixed
    • ๐Ÿ›  Fixed the recurring todo UI

Previous changes from v2.5.0

  • See doc/upgrading.md for the upgrade documentation!

    New features

    • Updated documentation both in the doc directory and online.
    • The .skip-docker file has been replaced with .use-docker; see upgrading.md
      for details.
    • Added email, last login, creation and update time to the user model.
    • Added terms of service and email fields to the signup form. The TOS link is
      defined in site.yml; see config/site.yml.tmpl.
    • New, lighter default color scheme. The black color scheme is also available
      for selection in the user preferences. The default theme can be set in
      site.yml.
    • Added a help page to the ? menu linking to online help assets.
    • Users can now remove their own account.

    Removed features

    • Ruby versions below 2.5 are no longer supported.
    • Old Internet Explorer versions (7 and 8) are no longer supported.

    ๐Ÿ› Bug fixes

    • ๐Ÿ›  Fixed the signup form to use login form styles.
    • โฌ†๏ธ Lots of dependencies have been upgraded, including Rails major upgrade.
    • ๐Ÿ›  Fixed some minor UI bugs.