roundup (1.4.15-3+deb6u1) squeeze-lts; urgency=high

    Roundup used to allow certain HTML tags in OK and error messages.
    Since these messages are passed via the URL (because roundup
    redirects after an edit), this caused security issues
    (see issue2550724).

    If you have customized OK or error messages in your roundup
    installation and were using features like bold or italic parts
    of the message, you will have to do without this highlighting
    and remove the HTML tags from your messages.

    If you were using <br> tags for multi-line messages, you should
    now use newlines instead; these will be replaced with <br/>
    during formatting.

    Note that the previous implementation also allowed links inside
    messages. Since these links could be set by an attacker, links
    in roundup messages are no longer supported. This does *not* affect
    the "clear this message" link in OK messages, as it is generated
    by the template and is not part of the OK message.

    If you have not modified any roundup messages, you need not do
    anything: the templates shipped with roundup did not use HTML
    tags in messages for highlighting.

 -- Thorsten Alteholz <debian@alteholz.de>  Sun, 23 Aug 2015 16:41:10 +0200
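
The sketch below is an added example, not code from roundup or from this package. It shows the behaviour described above (escape everything in a message that arrives via the URL, then turn newlines into <br/>) together with a helper for converting customized messages that still contain HTML. The function names and the "@ok_message" parameter name are assumptions, and the sample strings are constructed.

```python
# Added illustration; function names are hypothetical, not roundup's API.
import html
import re
from urllib.parse import urlencode, parse_qs

BR_TAG = re.compile(r"<br\s*/?>", re.IGNORECASE)
ANY_TAG = re.compile(r"</?[a-zA-Z][^>]*>")


def migrate_message(old):
    """Convert a customized message that used HTML into plain text:
    <br> becomes a newline, every other tag (bold, italic, links) is
    dropped, and entities are decoded because output is now escaped."""
    text = BR_TAG.sub("\n", old)
    text = ANY_TAG.sub("", text)
    return html.unescape(text)


def render_message(msg):
    """Render a message taken from the URL: escape all markup first,
    then replace newlines with <br/> so multi-line messages still work."""
    return html.escape(msg, quote=True).replace("\n", "<br/>")


def round_trip(msg, param="@ok_message"):
    """Simulate the redirect after an edit: the message is placed in the
    query string, comes back from the client, and is rendered.
    The parameter name is an assumption made for this example."""
    query = urlencode({param: msg})
    received = parse_qs(query)[param][0]
    return render_message(received)


if __name__ == "__main__":
    # Constructed sample: an old customized message using tags and a link.
    old = ('Item <b>saved</b>.<br>'
           'See <a href="http://example.invalid/">details</a>')
    new = migrate_message(old)
    print(repr(new))
    print(round_trip(new))
    # Constructed sample: markup supplied through the URL stays inert text.
    print(round_trip('<a href="http://example.invalid/">click</a>'))
```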
