Trac 0.9.5 is out and fixes a number of bugs and security vulnerabilities. It would be nice to have it in portage quickly. Thanks. See: http://projects.edgewall.com/trac/wiki/ChangeLog
Well, eh... yay for crappy release notes. I have no idea what they mean:

# Fixed wiki macro XSS vulnerability.
http://jvn.jp/jp/JVN%2384091359/index.html

The link is bogus and that thing has been fixed in 0.9.3 AFAIK (http://secunia.com/advisories/18465/). Someone please verify.
(In reply to comment #1)
> Well, eh... yay for crappy release notes. I have no idea what they mean:
>
> # Fixed wiki macro XSS vulnerability.
> http://jvn.jp/jp/JVN%2384091359/index.html

So it seems.

> The link is bogus and that thing has been fixed in 0.9.3 AFAIK
> (http://secunia.com/advisories/18465/).
>
> Someone please verify.

Maybe here are better notes: http://projects.edgewall.com/trac/log/branches/0.9-stable?rev=3201&stop_rev=2918 or here http://projects.edgewall.com/trac/query?status=closed&milestone=0.9.5 http://projects.edgewall.com/trac/changeset/3204

I don't know about the XSS vulnerability, but this is just a minor bugfix release. There are other things fixed too. Renaming the 0.9.4 ebuild -> 0.9.5 should work fine.
*** Bug 130433 has been marked as a duplicate of this bug. ***
Please, jakub, add CC maintainers when reassigning, especially for security bugs. This new vulnerability has nothing to do with the one fixed in 0.9.3 (http://secunia.com/advisories/18465/). This is a new XSS vulnerability that affects trac's macros. Default macros were fixed by sanitizing user input (http://projects.edgewall.com/trac/changeset/3201).
Julien, it is the job of Security to CC maintainers. I guess Jakub is more than busy enough without having to look up maintainers.
OK then, excuse my mistake. www-trac-0.9.5 is now in CVS. Arches please test and stable, thanks.
ppc stable
x86 stable
Ready for GLSA vote.

Without more details, voting no.
Voting NO and closing.