Path: nntp.eternal-september.org!news.eternal-september.org!eternal-september.org!feeder3.eternal-september.org!fu-berlin.de!uni-berlin.de!not-for-mail
From: "John P. Rouillard" <rouilj@cs.umb.edu>
Newsgroups: comp.lang.python.announce
Subject: [Python-announce] Roundup 2.5.0 release announcement (including security fix)
Date: Sun, 13 Jul 2025 00:12:55 -0400
Lines: 371
Sender: rouilj@cs.umb.edu
Approved: python-announce-list@python.org
Message-ID: <20250713041255.EF3066A01A3@pe15.cs.umb.edu>
Reply-To: python-list@python.org, rouilj@ieee.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Trace: news.uni-berlin.de 5bUJESTaMRU4I4H29oMY5QP4hTwVMCwZQ9KK37+2yOsw==
Cancel-Lock: sha1:bGt7xsxMlDpP7yXXDNr7ehrj5dI= sha256:eiezewUEuqAGV0mByM7lUvvVOAfTC2YhdNTK/dz+Y8A=
Delivered-To: python-announce-list@x.python.org
Authentication-Results: mail.python.org; dkim=pass
reason="2048-bit key; unprotected key"
header.d=cs.umb.edu header.i=@cs.umb.edu header.b=HNiw54b9;
dkim-adsp=pass; dkim-atps=neutral
X-Spam-Status: OK 0.000
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.cs.umb.edu 56FF61201FE
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.umb.edu;
s=default; t=1752379974;
bh=FQhoVfPQYVfh7Z4xmykkm+dXGRudmnl0XXJCInR6ryo=;
h=From:To:Cc:Subject:Reply-to:Date:From;
b=HNiw54b9ob3hbdvmVijVoETwl/wCtZ/rUFCt5hU0sHK5ZL7uhFY8oFAyupWErYw7b
NTYB+vQZbCzfXpnM06ubMbSx7Z8AJEP50pqvareVAPmyuOdfRCFIPuIuTQPtx7jp/S
T4LXhajNxRblJQ3HYrTHA6UpRtVCwGiqgFIWbDPbQxfUFyGiKQiEbmiFnoyf0D8YLF
oOt/DBaogAuiiqLqLfjcMinLo/MZiZN+D02ujhYME6RmdFKeeVegfvwsr/njlZSvfR
kxGfqjHsFCmMVmDq3qLSzA5yTYRi6Wd9yD4ecRsKke9S2NEHQHXTxjSgivuTx5YDBH
MKlAHiWXIDbzA==
ZReturn-Receipt-To: rouilj@cs.umb.edu
ZDisposition-Notification-To: rouilj@cs.umb.edu
Content-ID: <1539020.1752379975.1@pe15.cs.umb.edu>
X-MailFrom: rouilj@cs.umb.edu
X-Mailman-Rule-Hits: emergency
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-python-announce-list.python.org-0; header-match-python-announce-list.python.org-1; header-match-python-announce-list.python.org-2; header-match-python-announce-list.python.org-3; header-match-python-announce-list.python.org-4
Message-ID-Hash: BOITRFLKXUM23EAGJ3XNEBLVMD4YITJF
X-Message-ID-Hash: BOITRFLKXUM23EAGJ3XNEBLVMD4YITJF
X-Mailman-Approved-At: Sun, 13 Jul 2025 00:26:20 -0400
X-Mailman-Version: 3.3.11b1
Precedence: list
List-Id: Announcement-only list for the Python programming language <python-announce-list.python.org>
Archived-At: <https://mail.python.org/archives/list/python-announce-list@python.org/message/BOITRFLKXUM23EAGJ3XNEBLVMD4YITJF/>
List-Archive: <https://mail.python.org/archives/list/python-announce-list@python.org/>
List-Help: <mailto:python-announce-list-request@python.org?subject=help>
List-Owner: <mailto:python-announce-list-owner@python.org>
List-Post: <mailto:python-announce-list@python.org>
List-Subscribe: <mailto:python-announce-list-join@python.org>
List-Unsubscribe: <mailto:python-announce-list-leave@python.org>
Hello all:
I'm proud to release version 2.5.0 of the Roundup issue
tracker. This release is a bugfix and feature release, so
make sure to read https://www.roundup-tracker.org/docs/upgrading.html
to bring your tracker up to date.
The 42 changes, as usual, include some new features and many bug
fixes. One bug fix is an XSS security issue, CVE-2025-53865,
primarily affecting the responsive and devel templates. See:
https://www.roundup-tracker.org/docs/upgrading.html#xss-security-issue-with-devel-and-responsive-templates-recommended
Version 2.5.0 does not support Python 2. The minimum Python
version is 3.7.
Among the significant enhancements in version 2.5.0 compared to
the 2.4.0 release are:
* **XSS vulnerability with devel and responsive templates fixed**
Just before release an XSS security issue with trackers based on
the devel or responsive templates was discovered. The upgrading
directions include instructions on fixing this issue in the HTML
templates. Because templates live in each tracker's own html
directory, installing Roundup 2.5.0 by itself does not patch an
existing tracker; the template changes have to be applied to every
deployed tracker.
* **The property/field advanced search expression feature has been
enhanced and documented.**
Search expressions are usually built using the
expression editor on the search page. They can be built manually
by modifying the search URL but the RPN search expression format
was undocumented. Errors in expressions could return results that
didn't match the user's intent. This release documents the RPN
expression syntax, adds basic expression error detection, and
improves error reporting.
* **The default hash method for password storage is more secure.**
We use PBKDF2 with SHA512 (was SHA1). Because each SHA512 round
costs more than a SHA1 round, a rounds value tuned for SHA1 may make
authentication noticeably slower; with this change you can lower
the value of password_pbkdf2_default_rounds in your tracker's
config.ini. Check the upgrading documentation for more info,
including how to downgrade the hash method if required.
* **Roundup's session cookie is now prefixed with the magic
``__Secure-`` cookie-name prefix when using HTTPS.**
Browsers refuse to store a cookie whose name starts with
``__Secure-`` unless it is set from a secure origin with the
``Secure`` attribute, so an attacker on a plain-HTTP connection
cannot plant or overwrite the session cookie. This adds another
layer of protection in addition to the existing ``Secure``
attribute that the session cookie already carries.
* **Data authorization can be done at the database level, speeding up
display of index pages.**
Roundup checks the user's permission on each item after it has
been fetched from the database. A new optional ``filter`` argument
has been added to Permission objects. When the administrator
supplies a filter function, the selection criteria are pushed into
the SQL query, so rows the user may not see are never retrieved.
This can boost performance with SQL server databases: less data is
moved from the database, and index pages display faster with
reduced CPU and network traffic.
* **The REST endpoint can supply binary data (images, pdf, ...) to
its clients.**
Requesting binary data from a REST endpoint has been a
hassle. Since JSON cannot carry raw binary data, images (and other
binary data) had to be encoded, making them significantly
larger. The workaround was to use a non-REST endpoint for fetching
non-text attachments. This update lets the REST endpoint return
raw message or file content. Use the ``binary_content`` endpoint
along with an appropriate ``Accept`` header (e.g. ``image/jpeg``)
in your request.
* **Extract translatable strings from your tracker easily.**
The ``roundup-gettext`` tool has been enhanced to extract
translatable strings from detectors and extensions. This will
simplify the process of translating your trackers.
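
The RPN search expression item above says 2.5.0 adds basic error
detection for hand-built expressions. The following is an added
example, not Roundup's code: a small RPN validator and evaluator
that rejects the malformed inputs that previously produced results
not matching the user's intent. The operator encoding used here
(-1 = "no value", -2 = NOT, -3 = AND, -4 = OR) is an assumption for
this example; check the 2.5.0 reference documentation for the real
encoding.

```python
# Added example (not Roundup's own code): RPN search-expression
# validation and evaluation. The opcode values below are assumed for
# this example, not taken from Roundup.
from typing import List, Optional, Set

NONE_VALUE, OP_NOT, OP_AND, OP_OR = -1, -2, -3, -4


class ExpressionError(ValueError):
    """Raised when an RPN search expression is malformed."""


def parse_rpn(expr: str) -> List[int]:
    """Turn '1,2,-4,-2' into [1, 2, -4, -2], rejecting non-integers."""
    tokens = []
    for tok in expr.split(','):
        tok = tok.strip()
        if not tok:
            raise ExpressionError('empty token in expression %r' % expr)
        try:
            tokens.append(int(tok))
        except ValueError:
            raise ExpressionError('non-integer token %r' % tok) from None
    return tokens


def validate_rpn(tokens: List[int]) -> None:
    """Simulate the operand stack without evaluating; raise on bad input."""
    depth = 0
    for pos, tok in enumerate(tokens):
        if tok >= -1:                      # an item id, or -1 for "no value"
            depth += 1
        elif tok == OP_NOT:
            if depth < 1:
                raise ExpressionError('NOT at position %d needs 1 operand' % pos)
        elif tok in (OP_AND, OP_OR):
            if depth < 2:
                raise ExpressionError('AND/OR at position %d needs 2 operands' % pos)
            depth -= 1                     # two operands become one result
        else:
            raise ExpressionError('unknown operator %d at position %d' % (tok, pos))
    if depth != 1:
        # e.g. '1,2' with no operator: silently ambiguous before, an error now
        raise ExpressionError('expression leaves %d values on the stack, expected 1' % depth)


def rpn_error(expr: str) -> Optional[str]:
    """Return the error message for a malformed expression, or None if valid."""
    try:
        validate_rpn(parse_rpn(expr))
    except ExpressionError as e:
        return str(e)
    return None


def evaluate_rpn(expr: str, values: Set[Optional[int]]) -> bool:
    """Does an item whose property holds `values` match the expression?

    Leaf tokens test membership of an id; -1 tests for the property
    being unset (an empty set or {None}).
    """
    tokens = parse_rpn(expr)
    validate_rpn(tokens)
    stack: List[bool] = []
    for tok in tokens:
        if tok == NONE_VALUE:
            stack.append(None in values or not values)
        elif tok >= 0:
            stack.append(tok in values)
        elif tok == OP_NOT:
            stack.append(not stack.pop())
        else:
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if tok == OP_AND else (a or b))
    return stack[0]
```

Validation runs before evaluation so that a stack underflow or a
leftover operand is reported with its position instead of being
quietly interpreted.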
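
The password-hash item above recommends moving from PBKDF2-SHA1 to
PBKDF2-SHA512. Here is an added example, not Roundup's code or its
stored-hash format, of the migration pattern an operator usually
wants: keep verifying the legacy hashes, and re-hash with SHA512 the
next time each user logs in successfully. The
``{PBKDF2-<alg>}rounds$salt$hash`` layout is invented for this
example.

```python
# Added example (not Roundup's own code or storage format): PBKDF2
# hashing with a stored algorithm tag and upgrade-on-login. The
# '{PBKDF2-<alg>}rounds$salt$hash' layout is invented for this example.
import base64
import hashlib
import hmac
import os

DEFAULT_ALG = 'sha512'
DEFAULT_ROUNDS = 200_000      # tune by timing on the hardware that serves logins


def hash_password(password: str, alg: str = DEFAULT_ALG,
                  rounds: int = DEFAULT_ROUNDS, salt: bytes = None) -> str:
    """Hash with a fresh random salt; the tag records alg and rounds."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac(alg, password.encode('utf-8'), salt, rounds)
    return '{PBKDF2-%s}%d$%s$%s' % (
        alg, rounds,
        base64.b64encode(salt).decode('ascii'),
        base64.b64encode(dk).decode('ascii'))


def parse_stored(stored: str):
    """Split the stored string back into (alg, rounds, salt, digest)."""
    tag, _, rest = stored[1:].partition('}')
    alg = tag.split('-', 1)[1]
    rounds, b64salt, b64dk = rest.split('$')
    return alg, int(rounds), base64.b64decode(b64salt), base64.b64decode(b64dk)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters in the stored hash; constant-time compare."""
    alg, rounds, salt, dk = parse_stored(stored)
    cand = hashlib.pbkdf2_hmac(alg, password.encode('utf-8'), salt, rounds)
    return hmac.compare_digest(cand, dk)


def needs_rehash(stored: str, alg: str = DEFAULT_ALG,
                 rounds: int = DEFAULT_ROUNDS) -> bool:
    """True if the hash uses an older algorithm or fewer rounds than policy."""
    s_alg, s_rounds, _, _ = parse_stored(stored)
    return s_alg != alg or s_rounds < rounds


def login(password: str, stored: str):
    """Return (ok, new_stored); new_stored is None unless an upgrade happened.

    The re-hash can only happen at login, because that is the one moment
    the plaintext password is available to the server.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None
```

Persist ``new_stored`` when it is not ``None``; after every active user
has logged in once, any remaining SHA1 hashes belong to dormant
accounts and can be handled by a forced reset.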
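
The session-cookie item above relies on the browser enforcing the
``__Secure-`` prefix rules. As an added example, not Roundup's code,
here is a checker for the prefix rules of RFC 6265bis (``__Secure-``
and the stricter ``__Host-``) that you can point at a ``Set-Cookie``
header from your tracker, plus the naming rule the announcement
describes: only prefix the name when the tracker is served over
HTTPS. The header strings and the ``roundup_session`` name are
constructed for this example.

```python
# Added example (not Roundup's own code): the browser-side rules for the
# __Secure- and __Host- cookie-name prefixes, and HTTPS-conditional naming.
from typing import Dict, List, Tuple


def session_cookie_name(base: str, over_https: bool) -> str:
    """Prefix only on HTTPS: a browser drops a __Secure- cookie set over
    plain HTTP, so prefixing there would silently break every login."""
    return ('__Secure-' + base) if over_https else base


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(';')]
    name, _, _value = parts[0].partition('=')
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition('=')
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), attrs


def cookie_prefix_problems(header: str, over_https: bool) -> List[str]:
    """Return the reasons a prefix-aware browser would reject this cookie."""
    name, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if name.startswith('__Secure-') or name.startswith('__Host-'):
        if 'secure' not in attrs:
            problems.append('prefixed cookie lacks the Secure attribute')
        if not over_https:
            problems.append('prefixed cookie set from a non-secure origin')
    if name.startswith('__Host-'):
        # __Host- additionally pins the cookie to exactly this host and path
        if 'domain' in attrs:
            problems.append('__Host- cookie must not have a Domain attribute')
        if attrs.get('path') != '/':
            problems.append('__Host- cookie must have Path=/')
    return problems
```

A cookie that fails any rule is discarded by the browser, which is
exactly what stops a plain-HTTP attacker from planting a
``__Secure-`` cookie of the same name.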
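
The database-level authorization item above describes pushing the
permission predicate into the SQL query instead of filtering rows
after they are fetched. The following is an added example, not
Roundup's code: the names ``check_view`` and ``filter_view`` mirror
the shape the announcement describes, but their signatures, the
``_issue`` table, and the sample rows are assumptions constructed
for this example, not Roundup's API or schema. It shows the two
approaches side by side and the check a practitioner wants: the
pushed-down predicate must agree with the per-item rule, or the
optimization becomes a data leak.

```python
# Added example (not Roundup's own code): authorizing rows in the SQL
# WHERE clause versus after retrieval. Table name, function signatures
# and sample data are constructed for this example.
import sqlite3
from typing import List, Tuple

ISSUES = [   # constructed sample data: (id, title, creator, confidential)
    (1, 'public bug', 'alice', 0),
    (2, 'private to alice', 'alice', 1),
    (3, 'private to bob', 'bob', 1),
    (4, 'another public bug', 'bob', 0),
]
SELECT = 'SELECT id, title, creator, confidential FROM _issue'


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE _issue (id INTEGER PRIMARY KEY, title TEXT, '
               'creator TEXT, confidential INTEGER)')
    db.executemany('INSERT INTO _issue VALUES (?, ?, ?, ?)', ISSUES)
    return db


def check_view(userid: str, row: tuple) -> bool:
    """Per-item rule: non-confidential issues, or confidential ones you created."""
    _id, _title, creator, confidential = row
    return not confidential or creator == userid


def filter_view(userid: str) -> Tuple[str, tuple]:
    """The same rule as check_view, as a parameterized SQL predicate.

    Returning (sql, params) and binding userid as a parameter keeps the
    pushed-down predicate free of SQL injection.
    """
    return 'confidential = 0 OR creator = ?', (userid,)


def index_post_filter(db: sqlite3.Connection, userid: str) -> List[int]:
    """Fetch every row, then drop the ones the user may not see."""
    rows = db.execute(SELECT + ' ORDER BY id').fetchall()
    return [r[0] for r in rows if check_view(userid, r)]


def index_db_filter(db: sqlite3.Connection, userid: str) -> List[int]:
    """Push the predicate into WHERE so unauthorized rows are never read."""
    sql, params = filter_view(userid)
    rows = db.execute(SELECT + ' WHERE (%s) ORDER BY id' % sql, params).fetchall()
    # Keep the per-item check as the authority: the filter is an
    # optimization, and this catches a filter that is looser than the check.
    leaked = [r for r in rows if not check_view(userid, r)]
    if leaked:
        raise RuntimeError('filter returned unauthorized rows: %r' % leaked)
    return [r[0] for r in rows]


def index_ids(userid: str, pushdown: bool = True) -> List[int]:
    """Visible issue ids for userid, with or without the SQL push-down."""
    db = make_db()
    return index_db_filter(db, userid) if pushdown else index_post_filter(db, userid)
```

Running both paths for each test user and comparing the id lists is
the regression test worth keeping when you add a ``filter`` to a
Permission: any difference means the SQL predicate and the check
function have drifted apart.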
Other miscellaneous fixes include:
* Fix a crash bug on Windows with Python 3.13.
* Update documentation on required REST headers, along with other
documentation updates.
* Improve handling of an error condition generated when an invalid
REST response format is requested. For example if XML output is
requested, but dicttoxml is not installed, we now return an
error without doing any work.
* Fix an incorrect error report when a PUT REST request sets
the user's email address to its current value.
* Add support for the ``defusedxml`` Python module, which hardens
XML parsing against entity-expansion and external-entity attacks.
* Introduce the templating function:
``utils.set_http_response(integer)`` to set the HTTP return code
========== REMAINDER OF ARTICLE TRUNCATED ==========