Tracks is a GTD™ web application, built with Ruby on Rails
See doc/upgrading.md for the upgrade documentation!
Joe Thorpe from Secarma disclosed an XSS issue that had already been fixed inadvertently in 2.5.0 by an unrelated bug fix. Tracks previously rendered script content stored in the user's own data without escaping it. That content is only shown to the user who entered it, which mitigates the vulnerability in the normal case where a single account is used by one person. The CVSS rating for self-XSS is debatable, so none is published for this issue.
I want to thank Joe for reporting the issue and for the insightful discussion regarding the issue. Thanks to the disclosure there is now also a written security policy for the project.
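The class of bug described above, as an added illustration (this is not Tracks code and does not reproduce the affected view): a stored string containing a script tag is rendered once without escaping and once through `ERB::Util.html_escape`, which is what Rails' `<%= %>` applies by default to strings not marked `html_safe`. The sample description and the helper names are constructed for this example.

```ruby
require "erb"

# Constructed sample: a todo description containing a script payload, standing
# in for user-controlled data that the application stores and later displays.
SAMPLE_DESCRIPTION = %(Call the bank <script>alert("xss")</script>)

# Unescaped rendering: the stored string is interpolated verbatim. Plain ERB
# behaves like this; in Rails the same effect comes from `raw` or `html_safe`.
def render_unescaped(text)
  ERB.new("<li><%= text %></li>").result_with_hash(text: text)
end

# Escaped rendering: the value is HTML-encoded before interpolation, so the
# payload survives only as text and the browser never sees a <script> tag.
def render_escaped(text)
  ERB.new("<li><%= ERB::Util.html_escape(text) %></li>").result_with_hash(text: text)
end

# Minimal check a reviewer might run over rendered fragments: does any
# executable tag from the data survive into the HTML?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(SAMPLE_DESCRIPTION)
  puts render_escaped(SAMPLE_DESCRIPTION)
end
```

The escaped form is what a view should emit for any user-supplied field, whether or not the data is shown back only to its author: a shared or hijacked account turns self-XSS into ordinary stored XSS.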
See doc/upgrading.md for the upgrade documentation!
Plenty of security fixes.
A small update to the new todo creation sidebar to make use of bootstrap's styles to provide more space for the UI.
This is a quick release to fix the broken database migration shipped in the previous release. There are no changes affecting a fresh install compared to version 2.4.0.
PLEASE NOTE: Upgrading to 2.4.0 from earlier versions might fail, at least with a MySQL database, because of a broken migration. We suggest using 2.4.0 only for new installs for now.
We need your help to finalize the release: please test this new version for both clean installations and upgrades, and report any issues.
Note that there are some slight changes to the installation and upgrading procedures, so please test those documents by following their instructions to the letter, and report any problems.