Skip to content

2.5.1
Compare
Choose a tag to compare
@ZeiP ZeiP released this 24 Sep 10:05
· 928 commits to master since this release
v2.5.1
05b0b99
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

See doc/upgrading.md for the upgrade documentation!

Security issue disclosure

Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently
fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS content
in the user's own data. The content is only shown to the user themself,
which mitigates the vulnerability in the normal use case where a single
user account is only used by one person. The CVSS rating for self-XSS is
debatable and thus is not published for this issue.

I want to thank Joe for reporting the issue and for the insightful discussion
regarding the issue. Thanks to the disclosure there is now also a written
security policy for the project.

Bug fixes

  • Editing a due date in the calendar view fixed
  • Adding actions in the context view fixed
  • Fixed the recurring todo UI
Assets 2
Loading