Tracks 2.5.1 released

| Comments

Tracks 2.5.1 includes bug fixes for a couple of long-standing UI issues and some dependency upgrades. See also the release notes for 2.5.0 for major changes since 2.4.

Ruby versions below 2.5 are not supported. This release of Tracks is tested on Ruby versions 2.5, 2.6 and 2.7.

Security issue disclosure

Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS content in the user’s own data. The content is only shown to the user themself, which mitigates the vulnerability in the normal use case where a single user account is only used by one person. The CVSS rating for self-XSS is debatable and thus is not published for this issue.

I want to thank Joe for reporting the issue and for the insightful discussion regarding the issue. Thanks to the disclosure there is now also a written security policy for the project.

Bug fixes

  • Editing a due date in the calendar view fixed
  • Adding actions in the context view fixed
  • Fixed the recurring todo UI

You can download the release here. Upgrade instructions can be found in the manual.

Thanks to the contributors of this version:


  • Jyri-Petteri “ZeiP” Paloposki


  • Dan Rice and
  • Greg Sutcliffe

We gladly welcome any contributions and help you can offer. Get started!