11I'm proud to release version 2.4.0 of the Roundup issue
2- tracker. This release is a bugfix and feature
3- release, so make sure to read `docs/upgrading.txt
2+ tracker. This release is a bugfix and feature release, so
3+ make sure to read `docs/upgrading.txt
44<https://www.roundup-tracker.org/docs/upgrading.html>`_ to
55bring your tracker up to date.
66
77The 79 changes, as usual, include some new features and many
88bug fixes.
99
10+ Version 2.4.0 will be the last release to support Python
11+ 2. The next minor release, planned for mid 2025, will occur
12+ 5 years after Roundup started supporting Python 3.
13+
1014Note that you should run ``roundup-admin ... migrate`` to
1115update the database schema version. Do this before you use
1216the web, command-line or mail interface and before any users
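Review bot: the added paragraph (hunk lines 10-12) announcing that 2.4.0 is the last Python 2 release duplicates the statement added later in the prerequisites paragraph of this same patch; keep the two worded identically and point the reader to the upgrade guide from here as well ("See the upgrade guide."), since this is the first place a reader sees the end-of-support notice. The reflow of "tracker. This release is a bugfix and feature" is cosmetic and would be easier to review separated from the substantive addition.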
@@ -91,9 +95,9 @@ release are:
9195* sqlite version 1 and StructuredText support removed.
9296
9397The file CHANGES.txt has a detailed list of feature
94- additions and bug fixes for each release. The most
95- recent changes from there are at the end of this
96- announcement. Also see the information in doc/upgrading.txt.
98+ additions and bug fixes for each release. The most recent
99+ changes from there are at the end of this announcement. Also
100+ see the information in doc/upgrading.txt.
97101
98102If you find bugs, please report them to issues AT
99103roundup-tracker.org or create an account at
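Review bot: the reflowed paragraph still says "Also see the information in doc/upgrading.txt." while the opening paragraph of the announcement links `docs/upgrading.txt` with a URL; since these lines are being rewrapped anyway, use one path (and the same link form) so readers are not sent to two differently named files.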
@@ -113,13 +117,12 @@ all your trackers to update the database schema version. Do
113117this before you use the web, command-line or mail interface
114118and before any users access the tracker.
115119
116- Roundup requires Python 2 newer than version 2.7.12 or
117- Python 3 newer than or equal to version 3.6 for correct
118- operation. (Python 3.4 or 3.5 may work, but are not tested.)
119- Note that Python 2 support is being removed from the CI
120- platforms, so you should deploy new trackers with Python 3
121- and plan on upgrading older trackers from Python 2 to Python
122- 3. See the upgrade guide.
120+ Roundup requires Python 2 newer than version 2.7.12 or Python 3
121+ newer than or equal to version 3.6 for correct operation. (Python
122+ 3.4 or 3.5 may work, but are not tested.) Note that Roundup 2.4.0
123+ will be the last release to support Python 2. You should deploy
124+ new trackers with Python 3 and plan on upgrading older trackers
125+ from Python 2 to Python 3. See the upgrade guide.
123126
124127To give Roundup a try, just download (directions above),
125128unpack and run::
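Review bot: the rewrite drops the sentence "Python 2 support is being removed from the CI platforms", which is the operational fact a deployer on Python 2 needs: 2.4.0 being the last Python 2 release says nothing about whether this release was still tested under Python 2. Keep that sentence or state explicitly what the Python 2 test coverage for 2.4.0 was. Minor: "Python 2 newer than version 2.7.12" leaves it unclear whether 2.7.12 itself is supported; the Python 3 clause says "newer than or equal to", so use the same precision for both.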
@@ -181,4 +184,268 @@ Recent Changes
181184
182185From 2.3.0 to 2.4.0
183186
184- TBA
187+ Fixed:
188+
189+ - CVE-2024-39124 - The classhelpers (_generic.help.html) are
190+ vulnerable to an XSS attack. A specially crafted URL that used
191+ that endpoint would result in running a script embedded in the
192+ URL. (Found/reported by Alec Romano (4rdr), fix/tests John
193+ Rouillard)
194+ - CVE-2024-39125 - If the Referer header is set to a script tag,
195+ it will be executed when the error in the Referer header is
196+ reported. (Found/reported by Alec Romano (4rdr), fix/tests John
197+ Rouillard)
198+ - CVE-2024-39126 - PDF, XML and SVG files attached to an issue can contain
199+ embedded JavaScript. This JavaScript was executed when the file was
200+ accessed. PDF files are now downloaded and not displayed in the
201+ browser. A content security policy is added for all download files
202+ which prevents code execution in SVG files. (Found/reported by Alec
203+ Romano (4rdr), fix/tests John Rouillard)
204+ - issue2551282 - MySQL utf8mb4 issues and
205+ issue2551115 - Use utf8mb4 as a default for MySQL instead of utf8
206+ The default database type and collations have been set to:
207+ utf8mb4, utf8mb4_unicode_ci and utf8mb4_0900_bin. They are (sadly)
208+ configurable from config.ini. Require directions on upgrading the
209+ MySQL db have been documented in upgrading.txt.
210+ - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
211+ Failed API login rate limiting with expiring lockout added. (John
212+ Rouillard)
213+ - issue2551184 - improve i18n handling. Patch to test to make sure it
214+ uses the test tracker's locale files and not other locale
215+ files. (Marcus Priesch)
216+ - issue2551283 - fail if version 2.4.9 of markdown2 is used, it broke
217+ [issue1](issue1) style links. Support markdown2 2.4.8 and earlier
218+ and 2.4.10 with its new schema filtering method. (John Rouillard)
219+ - multiple flake8 fixes (John Rouillard)
220+ - rename loop variable in 'for sendto in sendto:' (John Rouillard)
221+ - issue2551193 - Fix roundup for removal of cgi and cgitb standard
222+ python modules (and FieldStorage/MiniFieldStorage). Replaced imports
223+ from cgi to use roundup.anypy.cgi_ which will load the system cgi
224+ unless it is missing. Then it will load roundup.anypy.vendored.cgi
225+ and make *FieldStroage symbols available. Roundp uses its own
226+ cgitb.py and not the system cgitb.py. It looks like it's the
227+ precursor to the system cgitb.py. (John Rouillard)
228+ - issue2551278 - datetime.datetime.utcnow deprecation. Replace
229+ calls with equivalent that produces timezone aware dates rather than
230+ naive dates. (John Rouillard)
231+ - when using "roundup-admin display" indent the listing only if
232+ headers or protected fields are requested. This makes the output
233+ look like it did previously to 2.3.0 if the new features aren't
234+ used. Roundup-admin output was never meant to be machine parsed, but
235+ don't break it unless required. (John Rouillard)
236+ - issue2551290 - pip install roundup Hangs on Windows 10
237+ The install under windows goes into an infinite loop using pip or
238+ source install. (John Rouillard)
239+ - Document use of pyreadline3 to allow roundup-admin to have CLI editing
240+ on windows. (John Rouillard)
241+ - issue2551293 - remove schema_hook from Tracker instance. Looks like
242+ it was an obsolete hook used for testing. Never documented and not
243+ accessible from schema.py.
244+ - Fix roundup-admin security command. Lowercase its optional
245+ argument. Roles are indexed by lower case role name. So 'security
246+ User' and 'security user' should generate the same output. (John
247+ Rouillard from issue on mailing list by Chuck Cunningham)
248+ - make roundup-server exit more quickly on ^C. This seems to be
249+ limited to windows. (John Rouillard)
250+ - Fix error handling so failure during import of a non-user item
251+ doesn't cause a second traceback. (Found by Norbert Schlemmer, fix
252+ John Rouillard)
253+ - Handle out of memory error when importing large trackers in
254+ PostgreSQL. (Found by Norbert Schlemmer, extensive testing by
255+ Norbert, fix John Rouillard)
256+ - use unittest.mock rather than mock for
257+ test/test_hyperdbvals.py. (found by Ralf Schlatterbeck. Fix John
258+ Rouillard)
259+ - disable proxy with wget in roundup_healthcheck. (Norbert Schlemmer
260+ Noschvie on github.com)
261+ - support dicttoxml2.py for Roundup running on 3.7 and
262+ newer. dicttoxml uses a type alias: collection.Iterator that is
263+ dropped in Python 3.10. (found by Norbert Schlemmer, fix John
264+ Rouillard)
265+ - fix duplicate html id 'password' in user.item.html in all templates except
266+ jinja2. (John Rouillard)
267+ - fix unclosed file when saving index in indexer_dbm.py. (John Rouillard)
268+ - fix task index in devel tracker so it doesn't cause a crash if all
269+ fields are selected. (John Rouillard)
270+ - fix windows install. When using pip share directory is installed in
271+ a directory tree under the lib directory. Fix it so that Lib/share
272+ is used to install the share tree. The lets Roundup find tracker
273+ templates and translation files. (Found by Simon Eigeldinger, fix
274+ John Rouillard)
275+ - fix roundup-demo, interactive mode would nuke an existing tracker.
276+ (Found Tonu Mikk, fix John Rouillard)
277+ - fix detection/reporting when using a SQLite3 library without FTS5
278+ support. Install docs updated to state that FTS5 support is required
279+ when using SQLite for back end. (Found Tonu Mikk, fix John
280+ Rouillard)
281+ - issue2551320: user.help-search.html doesn't respect
282+ properties. Setting url parameter properties when using the
283+ classhelp for users now shows the requested properties. (Found by
284+ Patel Malav and Nikunj Thakkar of the UMass-Boston CS682 Spring
285+ 2024 class; fix John Rouillard)
286+ - use ast.eval_literal() rather than eval() to turn CSV exported
287+ string values into Python object/values.
288+ - use template's guess at Content-Type in headers only if Content-Type
289+ is not already set. This allows a template to set its own content
290+ type. For example: _generic.translate can set content type (via
291+ request.client.additional_headers) to application/json and return
292+ json from the template. This json could access the 1i18n functions
293+ for a javascript helper. (John Rouillard)
294+ - when template processing raises an exception the line number is
295+ sometimes missing. This causes cgitb to raise a second exception
296+ which clobbers the info about the template issue. As a stop-gap set
297+ the line number to -1 so the original traceback can be seen. This
298+ could be a bug in ZopeTAL. (John Rouillard)
299+ - issue2551328 - REST results show next link if number of results is a
300+ multiple of page size. There should be no next link. (Found by Patel
301+ Malav and Bharath Kanama of the UMass-Boston CS682 Spring 2024
302+ class; fix John Rouillard)
303+ - issue2551264 - REST X-Total-Count header and @total_size count
304+ incorrect when paginated - correct values are now returned.
305+ (John Rouillard)
306+ - issue2551331 - Fix repeat first/last methods. (John Rouillard)
307+ - Fix import/export on windows. Use unix line terminating characters.
308+ (John Rouillard)
309+ - Fix anydbm session/otks clear() method on windows when backed by
310+ dumbdbm. Also make anydbm detect the initialized database when
311+ using dumbdbm. (John Rouillard)
312+ - Use of '-' directory in static_files config option under windows
313+ Python fixed. (John Rouillard)
314+ - issue2551334 - number of test bugs that prevented test suite from
315+ running under Windows Python are fixed. WIP. (John Rouillard)
316+ - issue2551302 - Remove support for sqlite version 1 from
317+ back_sqlite.py. We have been using sqlite3 for over a decade. (John
318+ Rouillard)
319+ - issue2551285 - Remove StructuredText support. reStructuredText is
320+ still supported. (John Rouillard)
321+ - Use roundup-demo -p option to set listening port. Was ignored
322+ before. (John Rouillard)
323+ - issue2551346 - Classic tracker's statusauditor raises error if
324+ detectors/config.ini missing
325+ STATUSAUDITOR_CHATTING_REQUIRES_TWO_USERS. The statusauditor.py for
326+ jinja2 and classic templates has been changed to assume that this
327+ option is off when the setting is missing from
328+ detectors/config.ini. Other templates do not implement this option.
329+ (John Rouillard)
330+ - issue2551350 - Python changes for 3.12 with roundup 2.3.0. Fixes for
331+ cgitb.py crash due to pydoc.html.header() signature change. (Patch
332+ by Andrew (kragacles), applied John Rouillard)
333+ - issue2551350 - Python changes for 3.12 with roundup 2.3.0. Fixes for
334+ mailer.py crash due to change in starttls signature change. (Patch
335+ by Andrew (kragacles), modified and applied John Rouillard)
336+ - make classhelper link open in a new window by setting
337+ target="_blank". This prevents overwriting of current page with the
338+ classhelper if javascript is disabled. (John Rouillard)
339+ - issue2551341 - if @columns missing from an index url, the
340+ group headers colspan property = 0. Add "or 100" in
341+ stanza's so headers span all rows (up to 100).
342+ - fix roundup-server response requiring a 301 redirect. Did
343+ not set content length leading to hang/error. (John
344+ Rouillard)
345+ - report basename of filename when template file is invalid
346+ rather than reporting a TypeError. (John Rouillard)
347+ - Make Last-Modified header use GMT not -0000 timezone. Fix error
348+ reported by redbot testing. (John Rouillard)
349+ - Send Vary: Accept-Encoding on any file that could be compressed
350+ even if the file is not encoded/compressed. Found by Redbot
351+ testing. (John Rouillard)
352+ - make If-None-Match work for static file (@@file) case. Found by
353+ Redbot testing (John Rouillard)
354+ - Send vary: accept-encoding for if-modified-since conditional
355+ requests where the file is not modified. (John Rouillard)
356+ - Update JWT example in rest.py to use replacement for
357+ datetime.datetime.utcnow(). (John Rouillard)
358+ - issue2551219 - document requirements of PEM file when using
359+ roundup-server in SSL/TLS mode. Report better error messages
360+ when PEM file is missing certificate or private key. (John
361+ Rouillard)
362+ - Cleanup tracker index generation by roundup-server. Send
363+ correct Content-Length headers so HTTP/1.1 connections don't
364+ hang. (John Rouillard)
365+ - Fix delay when using csv export actions. The CSV file is written
366+ incrementally, so we can't determine the Content-Length. When using
367+ HTTP/1.1, this causes a delay while the browser waits for a timeout.
368+ Forcing the connection to close after the CSV file is written
369+ removes the delay. (John Rouillard)
370+
371+ Features:
372+
373+ - issue2551323 - Remove XHTML support. Disabled option to set
374+ html_version to xhtml. Running roundup commands with html_version
375+ set to xhtml will result in an "Invalid value for HTML_VERSION:
376+ 'xhtml'" error. (John Rouillard)
377+ - issue2551103 - add pragma 'display_protected' to roundup-admin. If
378+ true, print protected attributes like id, activity, actor...
379+ when using display or specification subcommands. (John Rouillard)
380+ - add -P pragma=value command line option to roundup-admin. Allows
381+ setting pragmas when using non-interactive mode. (John Rouillard)
382+ - issue685275 - add pragma show_retired to control display of retired
383+ items when using list/table. Add pragma display_header to print
384+ headers for display command. Header displays designator and
385+ retired/active status. (John Rouillard)
386+ - issue2551299 - support config.ini rdbms option 'service'. Allow use
387+ of a PostgreSQL connection service file (pg_service.conf) for
388+ configuring database on a per-tracker basis. Also replaces use of
389+ PGSERVICE env variable for single instance trackers. (From ML
390+ question by ivanov. John Rouillard)
391+ - issue2550852 - support for specifying a PostgreSQL schema to use for
392+ the Roundup database. (Patch by Stuart McGraw; slight modifications,
393+ tests, docs: John Rouillard).
394+ - issue2551274: add configurable logging for REST API when something
395+ fails, we now log status code and error message.
396+ (Ralf Schlatterbeck)
397+ - issue2551317 - add some Jinja2 examples to customizing.txt
398+ document. (John Rouillard)
399+ - multiple scripts/... updates - Python3, linting, enhancements:
400+ weekly-report,schema-dump.py, roundup-reminder, copy-user.py,
401+ dump_dbm_sessions_db.py, contributors.py (John Rouillard)
402+ - roundup/msgfile.py can now be called as 'python msgfmt.py de.po de.mo'
403+ or 'python msgfmt.py -o de.mo de.po' to compile a translation file if
404+ GNU msgfmt is missing. (John Rouillard)
405+ - save roundup-admin history between sessions. Load
406+ ~/.roundup_admin_rlrc file to set history-size persistently. Add
407+ pragma history_length to override for a session. (John Rouillard)
408+ - the roundup-admin history command now dumps the journal entries
409+ in a more human readable format. Use the raw option to get the older
410+ machine parsible output. (John Rouillard)
411+ - Multiple JWT secrets are supported to allow key rotation. See
412+ an updated config.ini for details. (John Rouillard)
413+ - issue2551212 - wsgi performance improvement feature added in 2.2.0
414+ is active by default. Can be turned off if needed. See upgrading.txt
415+ for info. (John Rouillard)
416+ - issue2551270 - Better templating support for JavaScript. Add
417+ utils.readfile(file, optional=False) and utils.expandfile(file,
418+ token_dict=None, optional=False). Allows reading an external file
419+ (e.g. JavaScript) and inserting it using tal:contents or equivalent
420+ jinja function. expandfile allows setting a dictionary and tokens in
421+ the file of the form "%(token_name)s" will be replaced in the file
422+ with the values from the dict. (John Rouillard)
423+ - add @group to rest interface collection queries. Useful when using
424+ optgroup in select elements. (John Rouillard)
425+ - roundup-demo can set the hostname in the URL using the -H
426+ parameter. So you can start a demo tracker that is available from
427+ your network using 'roundup-demo ... -B hostname -H hostname'. (John
428+ Rouillard)
429+ - issue2551347 - make _generic.help.html work without property
430+ settings. THis applies to classic or minimal trackers. It allows use
431+ of classhelp without the property seting for informtion only
432+ (e.g. description of what a priority or status means) without being
433+ able to select the property in the classhelper. Good for adding help
434+ for Link properties. (John Rouilllard)
435+ - issue1525113 - notation to filter by logged-in user. Use
436+ @current_user with properties that are a Link to the 'user' class to
437+ match the currently logged in user. Allows sharing of queries like
438+ "Issues I created" or "Issues I am assigned to" by removing the
439+ hard coded user id number and replacing it with the current user's
440+ id. Tracker templates updated to use it. (John Rouillard from a
441+ patch by Jon C. Thomason)
442+ - Add a /rest/data/user/roles REST endpoint. (John Rouillard)
443+ - issue2551353 - Add roundup-classhelper for 2.4.0
444+ release. Integrate new classhelper web component to wrap
445+ existing classhelper link. This fixes a number of
446+ outstanding bugs against the current classhelper using
447+ current web features. (Patel Malav, Nikunj Thakkar,
448+ Bharath Kanama with integration by John Rouillard)
449+ - disable spellcheck on all password fields to try to prevent
450+ browser from exposing passwords to external servers. (John
451+ Rouillard)
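Review bot: the CVE-2024-39125 entry describes the vulnerability but, unlike the CVE-2024-39124 and CVE-2024-39126 entries next to it, does not say what the fix does; add a sentence stating how the Referer value is now handled so readers can confirm the mitigation in their deployment. The entry "use ast.eval_literal() rather than eval()" names a function that does not exist in the Python standard library; the function is `ast.literal_eval()`. That entry and the issue2551293 and issue2551341 entries also lack the attribution every other entry carries, and the two issue2551350 entries (cgitb.py and mailer.py) could be merged into one. Typos to fix before release: "Require directions" (Required), "*FieldStroage" (FieldStorage), "Roundp" (Roundup), "1i18n" (i18n), "parsible" (parsable), "previously to 2.3.0" (prior to 2.3.0), "stanza's" (stanzas), "THis", "seting", "informtion", and "Rouilllard".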