Tracks 2.7.1 is primarily a security release. This release fixes a few reflected XSS vulnerabilities (CVE-2024-41805) of moderate severity.

This release of Tracks is tested on Ruby versions 3.0, 3.1, 3.2 and 3.3.

The release changes the way the Dockerfile works, and because of that requires slight changes to Docker build commands. See the documentation for details.

Security advisory CVE-2024-41805 (severity 6.1 / moderate)

This release fixes a few reflected XSS vulnerabilities which enabled execution of malicious JavaScript in the context of a user’s browser if that user clicks on a malicious link, possibly allowing retrieval or modification of the current user’s data. The issue is of moderate severity (score 6.1/10) with the CVSS rating CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

I want to thank Alec Romano for reporting the issues.

New features

• The test suite now uses always the same Dockerfile as the main build.
• The Dockerfile now supports environment-specific builds via stages. Note: This requires slight changes to docker build commands, see documentation!

Deprecations

• This will be the last release to support Ruby 3.0, which is already end-of-life.

Bug fixes

• Lots of dependencies have been updated (including security updates).
• Fixed Docker build not working on an archive version (ie. one not cloned with Git)
• An error is shown if the user being created already exists.
• The TOS error in user creation is now in template.
• Schema.rb has been updated for Postgres support.

Updated translations

• Spanish (thanks Gallegonovato!)
• Finnish (by maintainer Jyri-Petteri ”ZeiP” Paloposki)

You can download the release here. Upgrade instructions can be found in the manual.

Thanks to the contributors of this version listed above. The maintainer of Tracks is Jyri-Petteri “ZeiP” Paloposki.

We gladly welcome any contributions and help you can offer. Get started!