From: "John P. Rouillard"
Newsgroups: comp.lang.python.announce
Subject: [Python-announce] Roundup 2.5.0 release announcement (including security fix)
Date: Sun, 13 Jul 2025 00:12:55 -0400
Message-ID: <20250713041255.EF3066A01A3@pe15.cs.umb.edu>
Reply-To: python-list@python.org, rouilj@ieee.org

Hello all:

I'm proud to release version 2.5.0 of the Roundup issue tracker. This release is a bugfix and feature release, so make sure to read https://www.roundup-tracker.org/docs/upgrading.html to bring your tracker up to date.

The 42 changes, as usual, include some new features and many bug fixes. One bug fix is an XSS security issue with CVE-2025-53865, primarily with the responsive and devel templates. See: https://www.roundup-tracker.org/docs/upgrading.html#xss-security-issue-with-devel-and-responsive-templates-recommended

Version 2.5.0 does not support Python 2. The minimum Python version is 3.7.
Among the significant enhancements in version 2.5.0 compared to the 2.4.0 release are:

* **XSS vulnerability with devel and responsive templates fixed**

  Just before release an XSS security issue with trackers based on the devel or responsive templates was discovered. The updating directions include instructions on fixing this issue in the html templates.

* **The property/field advanced search expression feature has been enhanced and documented.**

  Search expressions are usually built using the expression editor on the search page. They can be built manually by modifying the search URL, but the RPN search expression format was undocumented. Errors in expressions could return results that didn't match the user's intent. This release documents the RPN expression syntax, adds basic expression error detection, and improves error reporting.

* **The default hash method for password storage is more secure.**

  We use PBKDF2 with SHA512 (was SHA1). With this change you can lower the value of password_pbkdf2_default_rounds in your tracker's config.ini. Check the upgrading documentation for more info. (Note this may cause longer authentication times; the upgrade doc describes how to downgrade the hash method if required.)

* **Roundup's session token is now prefixed with the magic ``__Secure__`` tag when using HTTPS.**

  This adds another layer of protection in addition to the existing ``Secure`` property that comes with the session cookie.

* **Data authorization can be done at the database level, speeding up display of index pages.**

  Roundup verifies the user's authorization for the data fetched from the database after retrieving it. A new optional ``filter`` argument has been added to Permission objects. When the administrator supplies a filter function, it can boost performance with SQL server databases by pushing selection criteria to the database. By offloading some permission checks to the database, less data is retrieved from the database. This leads to quicker display of index pages with reduced CPU and network traffic.

* **The REST endpoint can supply binary data (images, pdf, ...) to its clients.**

  Requesting binary data from a REST endpoint has been a hassle. Since JSON can't handle binary data, images (and other binary data) need to be encoded. This makes them significantly larger. The workaround was to use a non-REST endpoint for fetching non-text attachments. This update lets the REST endpoint return raw message or file content data. You can utilize the ``binary_content`` endpoint along with an appropriate ``Accept`` header (e.g. ``image/jpeg``) in your request.

* **Extract translatable strings from your tracker easily.**

  The ``roundup-gettext`` tool has been enhanced to extract translatable strings from detectors and extensions. This will simplify the process of translating your trackers.

Other miscellaneous fixes include:

* Fix a crash bug on Windows with Python 3.13.
* Update documentation on required REST headers, along with other documentation updates.
* Improve handling of an error condition generated when an invalid REST response format is requested. For example, if XML output is requested but dicttoxml is not installed, we now return an error without doing any work.
* Fix an incorrect error report when a PUT REST request sets the user's email address to its current value.
* Add support for the ``defusedxml`` Python module to enhance security when using XML.
* Introduce the templating function: ``utils.set_http_response(integer)`` to set the HTTP return code

========== REMAINDER OF ARTICLE TRUNCATED ==========
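The search-expression item above says that malformed RPN expressions used to return results that did not match the user's intent, and that 2.5.0 adds basic error detection. The following is an added example (not Roundup's code, and not its actual expression encoding, which the upgrading docs describe) showing what that detection has to catch in a postfix boolean evaluator: stack underflow, leftover operands and unknown tokens. The token syntax here is an assumption for illustration: non-negative integers are linked item ids, and the words `not`, `and`, `or` are the operators.

```python
"""Validate and evaluate a postfix (RPN) boolean search expression.

Hypothetical token syntax, assumed for this example only (not Roundup's own
encoding): non-negative integers are item ids to match; the words
``not``, ``and``, ``or`` are the operators.
"""
from typing import Callable, Dict, Iterable, List, Optional, Set

Predicate = Callable[[frozenset], bool]  # takes the set of ids an item links to


class ExpressionError(ValueError):
    """Raised for a malformed expression instead of silently evaluating
    something other than what the user typed."""


def compile_expression(tokens: Iterable[str]) -> Predicate:
    """Compile an RPN token list into a predicate over an item's value set.

    Detected errors: unknown tokens, an operator with too few operands
    (stack underflow), and leftover operands (a missing operator).
    """
    stack: List[Predicate] = []
    for pos, tok in enumerate(tokens):
        if tok == "not":
            if len(stack) < 1:
                raise ExpressionError(f"token {pos}: 'not' needs one operand")
            a = stack.pop()
            stack.append(lambda vals, a=a: not a(vals))
        elif tok in ("and", "or"):
            if len(stack) < 2:
                raise ExpressionError(f"token {pos}: '{tok}' needs two operands")
            b = stack.pop()
            a = stack.pop()
            if tok == "and":
                stack.append(lambda vals, a=a, b=b: a(vals) and b(vals))
            else:
                stack.append(lambda vals, a=a, b=b: a(vals) or b(vals))
        elif tok.isdigit():
            ident = int(tok)
            stack.append(lambda vals, ident=ident: ident in vals)
        else:
            raise ExpressionError(f"token {pos}: unknown token {tok!r}")
    if len(stack) != 1:
        raise ExpressionError(
            f"expression leaves {len(stack)} values on the stack; expected 1")
    return stack[0]


def validate(expression: str) -> Optional[str]:
    """Return None if the expression is well formed, else the error message
    that would be reported to the user."""
    try:
        compile_expression(expression.split())
    except ExpressionError as exc:
        return str(exc)
    return None


def search(expression: str, items: Dict[int, Set[int]]) -> List[int]:
    """Return the ids of items (id -> set of linked ids) matching the expression."""
    pred = compile_expression(expression.split())
    return sorted(i for i, vals in items.items() if pred(frozenset(vals)))


# Constructed sample data: issue id -> set of linked keyword ids.
SAMPLE_ITEMS: Dict[int, Set[int]] = {1: {10, 20}, 2: {20}, 3: {30}, 4: set()}

if __name__ == "__main__":
    print(search("10 20 or 30 not and", SAMPLE_ITEMS))   # issues with 10 or 20, but not 30
    print(validate("20 and"))                            # underflow is reported, not guessed
```

Without the final stack-depth check, an expression such as `10 20` (two operands, no operator) would silently evaluate to whichever operand happened to be on top, which is the class of "results that didn't match the user's intent" the announcement refers to.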
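The password-hashing item says the default moved from PBKDF2-SHA1 to PBKDF2-SHA512 and that the round count can be tuned. Existing records can only be rehashed when the plaintext is available, that is, at the user's next successful login. The block below is an added example (not Roundup's code, and the `pbkdf2-<digest>$<rounds>$<salt>$<hash>` record format and the 250 000 round count are constructed for illustration, not Roundup's storage format or default) showing verification with a constant-time comparison plus an upgrade-on-login step that migrates an old SHA1 record to the new method.

```python
"""PBKDF2-HMAC password storage with a stored-method upgrade on login.

Added example. The record format "pbkdf2-<digest>$<rounds>$<salt>$<hash>"
and the default round count are assumptions made for this illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

DEFAULT_DIGEST = "sha512"   # the announcement's new default (was sha1)
DEFAULT_ROUNDS = 250_000    # assumed value; tune per the upgrading docs


def hash_password(password: str, digest: str = DEFAULT_DIGEST,
                  rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record for ``password`` (fresh random salt)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, rounds)
    return "pbkdf2-%s$%d$%s$%s" % (
        digest, rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def parse_record(stored: str) -> Tuple[str, int, bytes, bytes]:
    """Split a record into (digest, rounds, salt, hash); base64 never contains '$'."""
    method, rounds, salt_b64, hash_b64 = stored.split("$")
    digest = method.split("-", 1)[1]
    return digest, int(rounds), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own digest/rounds/salt and compare in constant time."""
    digest, rounds, salt, expected = parse_record(stored)
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_upgrade(stored: str, digest: str = DEFAULT_DIGEST,
                  rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the record uses an older digest or fewer rounds than current policy."""
    d, r, _, _ = parse_record(stored)
    return d != digest or r < rounds


def login(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Verify the password; return (ok, new_record).

    new_record is a rehashed record to write back when the old one used a
    weaker method, or None when nothing needs to change. A wrong password
    never triggers a rehash.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_upgrade(stored):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    legacy = hash_password("correct horse", digest="sha1", rounds=1000)
    ok, upgraded = login("correct horse", legacy)
    print(ok, upgraded.split("$")[0] if upgraded else None)
```

The record carries its own parameters, so verification keeps working for every user during the migration window, and `needs_upgrade` is the single place where the site's policy (digest and minimum rounds) is enforced.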
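The session-cookie item describes the new `__Secure__` prefix as a second layer on top of the `Secure` attribute. The standardised prefix (RFC 6265bis) is spelled `__Secure-`, and its value is that a conforming browser refuses to store a cookie of that name at all unless it arrives over HTTPS with `Secure` set, so a plain-HTTP response cannot plant or overwrite it. The block below is an added example, not Roundup's code: it builds the cookie the way the announcement describes and emulates the browser-side acceptance rule, so a deployment can test that its header passes. The cookie name `roundup_session` is an assumption.

```python
"""Build a prefixed session cookie and emulate the browser's prefix rule.

Added example, not Roundup code. Cookie name is an assumption. The acceptance
logic follows RFC 6265bis: a ``__Secure-`` cookie must carry ``Secure`` and
be set from a secure origin; ``__Host-`` additionally needs ``Path=/`` and
no ``Domain``; ``Secure`` cookies are never accepted from plain HTTP.
"""
from typing import Dict, Tuple

SESSION_COOKIE = "roundup_session"   # assumed name for this example


def build_session_cookie(value: str, https: bool, path: str = "/") -> str:
    """Return a Set-Cookie header value; prefix and Secure only on HTTPS."""
    name = ("__Secure-" if https else "") + SESSION_COOKIE
    attrs = [f"{name}={value}", f"Path={path}", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=v' into (name, value, {attr_lower: v})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def user_agent_accepts(header: str, from_https: bool = True) -> bool:
    """Emulate whether a conforming browser would store this cookie."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    if secure and not from_https:
        return False                      # Secure cookies only over HTTPS
    if name.startswith("__Secure-"):
        return secure                     # prefix without Secure is rejected
    if name.startswith("__Host-"):
        return secure and attrs.get("path") == "/" and "domain" not in attrs
    return True                           # unprefixed cookies: no extra rule


if __name__ == "__main__":
    hdr = build_session_cookie("s3ss10n", https=True)
    print(hdr)
    print("accepted:", user_agent_accepts(hdr))
    print("accepted without Secure:",
          user_agent_accepts("__Secure-roundup_session=x; Path=/; HttpOnly"))
```

The practical check for an operator: fetch the login response over HTTPS and confirm the `Set-Cookie` line both carries the prefix and passes `user_agent_accepts`; a prefixed name with a missing `Secure` attribute is silently dropped by browsers, which shows up as users being unable to stay logged in rather than as an error.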
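The data-authorization item describes an optional `filter` on Permission objects that pushes selection criteria into the SQL query instead of checking each retrieved row afterwards. The security property that must hold is that the pushed-down filter selects exactly the rows the per-item check would allow: a looser filter discloses rows the check would have hidden, a stricter one hides legitimate data. The block below is an added example, not Roundup's Permission API: it models one rule ("a user may see issues they created, or any issue not in status private") as both a Python check and a SQL fragment over a constructed in-memory SQLite table, and shows a consistency test catching the classic NULL mismatch between Python's `!=` and SQL's three-valued `!=`.

```python
"""Check that a DB-level permission filter agrees with the per-row check.

Added example, not Roundup's Permission API. Table layout, rule and data
are constructed for illustration.
"""
import sqlite3
from typing import Callable, List, Mapping, Sequence, Tuple

FilterFn = Callable[[int], Tuple[str, tuple]]   # userid -> (SQL fragment, params)


def permission_check(row: Mapping, userid: int) -> bool:
    """Per-row check applied after fetching (the slow, always-correct path)."""
    return row["creator"] == userid or row["status"] != "private"


def permission_filter_naive(userid: int) -> Tuple[str, tuple]:
    """First attempt at the same rule in SQL. Wrong for NULL status:
    NULL != 'private' is NULL (false), but Python's None != 'private' is True."""
    return "(creator = ? OR status != 'private')", (userid,)


def permission_filter(userid: int) -> Tuple[str, tuple]:
    """Corrected fragment: spell out the NULL case so SQL matches Python."""
    return "(creator = ? OR status IS NULL OR status != 'private')", (userid,)


def visible_ids_post_filter(conn: sqlite3.Connection, userid: int) -> List[int]:
    """Fetch everything, then drop rows the check rejects."""
    rows = conn.execute("SELECT id, creator, status FROM issue").fetchall()
    return sorted(r["id"] for r in rows if permission_check(r, userid))


def visible_ids_db_filter(conn: sqlite3.Connection, userid: int,
                          filter_fn: FilterFn = permission_filter) -> List[int]:
    """Let the database do the selection; only matching rows cross the wire.
    The fragment is our own code, user data travels only in bound params."""
    where, params = filter_fn(userid)
    rows = conn.execute(f"SELECT id FROM issue WHERE {where}", params).fetchall()
    return sorted(r["id"] for r in rows)


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: (id, creator, status); issue 5 has no status yet."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE issue (id INTEGER PRIMARY KEY, creator INTEGER, status TEXT)")
    conn.executemany("INSERT INTO issue VALUES (?, ?, ?)", [
        (1, 1, "open"), (2, 2, "private"), (3, 1, "private"),
        (4, 3, "closed"), (5, 2, None)])
    return conn


def filter_matches_check(conn: sqlite3.Connection, filter_fn: FilterFn,
                         userids: Sequence[int] = (1, 2, 3)) -> bool:
    """Consistency test to run before enabling a filter in production:
    for every user the DB-level result must equal the per-row result."""
    return all(visible_ids_post_filter(conn, u) == visible_ids_db_filter(conn, u, filter_fn)
               for u in userids)


if __name__ == "__main__":
    db = build_sample_db()
    print("naive filter consistent:", filter_matches_check(db, permission_filter_naive))
    print("fixed filter consistent:", filter_matches_check(db, permission_filter))
```

Running the equivalence test over the real tracker's schema with representative rows (including NULLs and multi-valued links) is the check worth adding to a deployment before switching a Permission from post-fetch checking to a database filter; the check path stays as the reference, and the filter is only an optimisation that must never change the answer.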