Releases: TracksApp/tracks
v2.7.1
Security advisory CVE-2024-41805 (severity 6.1 / moderate)
This release fixes a few reflected XSS vulnerabilities which enabled execution
of malicious JavaScript in the context of a user’s browser if that user clicks
on a malicious link, possibly allowing retrieval or modification of the current
user's data. The issue is of moderate severity (score 6.1/10) with the CVSS
rating CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
I want to thank Alec Romano for reporting the issues.
New features
- The test suite now always uses the same Dockerfile as the main build.
- The Dockerfile now supports environment-specific builds via stages.
Note: This requires slight changes to docker build commands, see documentation!
Deprecations
- This will be the last release to support Ruby 3.0, which is already end-of-life.
Bug fixes
- Lots of dependencies have been updated (including security updates).
- Fixed the Docker build not working on an archive version (i.e. one not cloned with Git).
- An error is shown if the user being created already exists.
- The TOS error in user creation is now rendered in the template.
- Schema.rb has been updated for Postgres support.
Updated translations
- Spanish (thanks Gallegonovato!)
- Finnish (by maintainer Jyri-Petteri ”ZeiP” Paloposki)
2.7.0
Removed features
- Support for Ruby 2.6 and 2.7 was dropped.
- Support for inbound message handling was dropped due to API changes caused by the required Ruby on Rails upgrade. If you need this, comment on issue #2463.
- Rubocop is no longer used in the CI due to missing support for Ruby > 2.5.
Deprecations
- This will be the last release to support Ruby 3.0, which is already end-of-life.
Bug fixes
- The base version for the Docker image was updated from Ruby 2.7 to Ruby 3.3.
- Lots of dependencies have been updated (including security updates).
Updated translations
- Spanish (thanks Gallegonovato!)
- Dutch (thanks Ranforingus!)
- Russian (thanks Alexey Svistunov!)
- Turkish (thanks Burak Hüseyin Ekseli!)
2.6.1
Deprecations
- This will be the last release to support Ruby 2.6, which is already end-of-life.
Bug fixes
- Lots of dependencies have been updated (including security updates).
- Fixed some documentation.
- Updated and added missing Datepicker localisations which caused some locales to fail.
- Added PostgreSQL documentation (thanks Sean Pappalardo!)
- URL options can be specified to make autocompletion work behind a proxy (thanks Michal Koutný!)
Updated translations
- Finnish (by maintainer Jyri-Petteri ”ZeiP” Paloposki)
- Spanish (thanks Francisco Serrador!)
- Norwegian Bokmål (thanks Allan Nordhøy!)
2.6.0
New features
- Ruby 3.0 is now supported.
- Support obsidian links in notes.
Removed features
- EOL Ruby 2.5 is no longer supported.
Bug fixes
- Fix Docker image functionality in certain cases.
- Lots of dependencies have been upgraded.
- Fixed some error messages in import.
- Fixed import in the Docker image.
- Footer shows the Git version hash and date in the Docker image
Updated translations
- Finnish (by maintainer Jyri-Petteri ”ZeiP” Paloposki)
- Turkish (thanks Burak Ekseli!)
- Spanish (thanks Francisco Serrador!)
2.5.2
New features
- All of Tracks is now translatable.
- New Finnish locale by the maintainer Jyri-Petteri ”ZeiP” Paloposki.
- Update last login field when validating an existing login.
- Show more users in the user list and allow changing the order criteria.
Bug fixes
- Fix tag-specific task lists to work in a multi-user environment.
- Fix setting the due date in the calendar view.
- Fix a bug causing 500 errors for users with different locales.
- Lots of dependencies have been upgraded.
- Better CI tests.
- Code style fixes.
- Small style issues.
2.5.1
See doc/upgrading.md for the upgrade documentation!
Security issue disclosure
Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently
fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS content
in the user's own data. The content is only shown to the user themself,
which mitigates the vulnerability in the normal use case where a single
user account is only used by one person. The CVSS rating for self-XSS is
debatable and thus is not published for this issue.
I want to thank Joe for reporting the issue and for the insightful discussion
regarding the issue. Thanks to the disclosure there is now also a written
security policy for the project.
Bug fixes
- Editing a due date in the calendar view fixed
- Adding actions in the context view fixed
- Fixed the recurring todo UI
2.5.0
See doc/upgrading.md for the upgrade documentation!
New features
- Updated documentation both in the doc directory and online.
- .skip-docker file has been replaced with .use-docker, see upgrading.md for
details.
- Added email, last login, creation and update time to the user model.
- Added terms of service and email fields to the signup form. The TOS link is
defined in site.yml, see config/site.yml.tmpl.
- New, lighter default color scheme. The black color scheme is also available
for selection in the user preferences. Default theme can be set in site.yml.
- Added a help page to the ? menu linking to online help assets.
- Allow the user to remove their own account.
Removed features
- Ruby versions below 2.5 are no longer supported.
- Old Internet Explorer versions (7 and 8) are no longer supported.
Bug fixes
- Fixed the signup form to use login form styles.
- Lots of dependencies have been upgraded, including Rails major upgrade.
- Fixed some minor UI bugs.
2.4.2
2.4.1
This is a quick release to fix an issue in the migration to the new release. There are no changes affecting a fresh install compared to version 2.4.0.
Bug fixes
- Fixed a bug in the tag migration that prevented the migration from completing at least in some MySQL environments. The bug only affected upgrading an existing Tracks installation.
2.4.0
PLEASE NOTE: Upgrading to 2.4.0 from earlier versions might fail at least with a MySQL database because of a broken migration. We suggest using 2.4.0 only for new installs for now.
New features
- Removed support for deprecated password-hashing algorithm. This
eliminates config.salt. Note the addition of a pre-upgrade step to
check for obsolete passwords.
- All tags now belong to a user. Existing tags are migrated to users based on
the taggings and duplicated as necessary. If there's only one user, all unused tags are
assigned to them, otherwise unused tags are removed.
- All REST APIs now also accept user token as password.
- The stats view now uses Charts.js instead of the Flash-based chart library.
- A Docker environment is used unless the .skip-docker file exists.
- Rails 5.2
- Thin replaces WEBrick as the included web server
- Tracks is tested on Ruby 2.4 and 2.5
- The MessageGateway will save the received email as an attachment to the todo
- Add a configuration option for serving static assets from Rails
Removed features
- Ruby versions below 2.4 are no longer supported.
Bug fixes
- Multiple fixes to REST APIs.
- Several UI bugs fixed.