Your message dated Mon, 23 Jan 2006 01:17:06 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#348791: fixed in trac 0.8.1-3sarge3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Jan 2006 23:57:38 +0000
>From [EMAIL PROTECTED] Wed Jan 18 15:57:38 2006
Return-path: <[EMAIL PROTECTED]>
Received: from sdcarl02.strategicdata.com.au ([203.214.67.82])
        by spohr.debian.org with esmtp (Exim 4.50)
        id 1EzNBJ-0008Sn-Nn
        for [EMAIL PROTECTED]; Wed, 18 Jan 2006 15:57:38 -0800
Received: by sdcarl02.strategicdata.com.au (Postfix, from userid 1188)
        id 16C18C00054B; Thu, 19 Jan 2006 10:57:35 +1100 (EST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Geoff Crompton <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: trac: XSS vulnerability in WikiProcessor
X-Mailer: reportbug 3.8
Date: Thu, 19 Jan 2006 10:57:35 +1100
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: trac
Version: 0.8.1-3sarge2
Severity: normal

http://www.securityfocus.com/bid/16198 discusses an XSS vulnerability in trac.
It's fixed in 0.9.3, and is discussed in more detail at
http://projects.edgewall.com/trac/ticket/2473.

I've tested this against my sarge version 0.8.1-3sarge2 and an IE browser, and
it is vulnerable.
Unfortunately securityfocus don't have a CVE number up for this yet.

Cheers,
Geoff

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages trac depends on:
ii  python                        2.3.5-2    An interactive high-level object-o
ii  python-clearsilver            0.9.13-3.2 python bindings for clearsilver
ii  python-sqlite                 1.0.1-2    python interface to SQLite
ii  python2.3-subversion          1.1.4-2    python modules for interfacing wit
ii  subversion                    1.1.4-2    advanced version control system (a

-- no debconf information

---------------------------------------
Received: (at 348791-close) by bugs.debian.org; 23 Jan 2006 09:20:34 +0000
>From [EMAIL PROTECTED] Mon Jan 23 01:20:34 2006
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
        id 1F0xow-0001z3-T7; Mon, 23 Jan 2006 01:17:06 -0800
From: Otavio Salvador <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.65 $
Subject: Bug#348791: fixed in trac 0.8.1-3sarge3
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 23 Jan 2006 01:17:06 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: trac
Source-Version: 0.8.1-3sarge3

We believe that the bug you reported is fixed in the latest version of
trac, which is due to be installed in the Debian FTP archive:

trac_0.8.1-3sarge3.diff.gz
  to pool/main/t/trac/trac_0.8.1-3sarge3.diff.gz
trac_0.8.1-3sarge3.dsc
  to pool/main/t/trac/trac_0.8.1-3sarge3.dsc
trac_0.8.1-3sarge3_all.deb
  to pool/main/t/trac/trac_0.8.1-3sarge3_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Otavio Salvador <[EMAIL PROTECTED]> (supplier of updated trac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 18 Jan 2006 23:38:36 -0200
Source: trac
Binary: trac
Architecture: source all
Version: 0.8.1-3sarge3
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <[EMAIL PROTECTED]>
Changed-By: Otavio Salvador <[EMAIL PROTECTED]>
Description: 
 trac       - Enhanced wiki and issue tracking system for software development 
Closes: 348791
Changes: 
 trac (0.8.1-3sarge3) stable-security; urgency=high
 .
   * debian/patches/10_securityfixes.diff (Closes: #348791):
     Fix CVE-2005-4065 and CVE-2005-4644 vulnerabilities.
Files: 
 cb4d61028dc622d02d3b8c0ff858416e 656 web optional trac_0.8.1-3sarge3.dsc
 6dfb5852433afe58057848058005497e 12672 web optional trac_0.8.1-3sarge3.diff.gz
 c8953db99c9532a6971163c91facedbc 198526 web optional trac_0.8.1-3sarge3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD0ME+W5ql+IAeqTIRAmUQAKCKRYMwxGNE4x9VCqDgoKh/yJqDBACgj4mU
abJkd+STBLLILi7uABBt6po=
=0abS
-----END PGP SIGNATURE-----

