Secunia: A vulnerability has been reported in Trac, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to certain parameters in the wiki engine is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The vulnerability affects versions prior to 0.10.5.

Upstream ChangeLog [1] also lists this:

> Fixes a cross-site redirection vulnerability in the quickjump function reported by Russ McRee.

[1] http://trac.edgewall.org/wiki/ChangeLog#a0.10.5
0.10.5 is already in the tree. net-mail, is this ready to go stable?
CVE-2008-2951 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2951): Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.

CVE-2008-3328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3328): Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
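The open-redirect class described for CVE-2008-2951 (a search "quick jump" that follows whatever URL arrives in the `q` parameter) is best closed by never redirecting to a target the server has not resolved to its own origin. The following is an added example, not Trac's code and not the 0.10.5 fix; it assumes a hypothetical `quickjump` handler on a constructed site `https://trac.example.org/` and shows a same-origin check that also rejects the protocol-relative, non-http scheme and backslash forms that naive prefix checks miss.

```python
"""Defensive same-origin check for a redirecting search box.

Added example (not Trac code). Assumes a hypothetical quickjump handler that
receives the user-supplied `q` parameter and either redirects to it or falls
back to an ordinary search results page.
"""
from urllib.parse import quote, urljoin, urlsplit

# Constructed base URL of the hypothetical site used by this example.
BASE_URL = "https://trac.example.org/"


def is_safe_redirect(target: str, base_url: str = BASE_URL) -> bool:
    """Return True only if `target` resolves to the same scheme and host as base_url.

    Rejects absolute URLs on other hosts, protocol-relative '//host' forms,
    non-http(s) schemes such as javascript:, and inputs containing backslashes
    or control characters, which some browsers normalise into a different host.
    """
    if not target or target != target.strip():
        return False
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return False
    base = urlsplit(base_url)
    # Resolve relative to the site so '//evil.example/x' becomes an absolute
    # URL with a foreign netloc instead of looking like a local path.
    resolved = urlsplit(urljoin(base_url, target))
    if resolved.scheme not in ("http", "https"):
        return False
    return (resolved.scheme, resolved.netloc) == (base.scheme, base.netloc)


def quickjump(q: str, base_url: str = BASE_URL) -> str:
    """Hypothetical quick-jump handler: return the redirect target to use.

    Same-origin targets are followed; anything else is turned into a normal
    search for the literal query, so the endpoint can never send a visitor
    off-site.
    """
    if is_safe_redirect(q, base_url):
        return urljoin(base_url, q)
    return urljoin(base_url, "search?q=" + quote(q, safe=""))


if __name__ == "__main__":
    for q in ("wiki/WikiStart", "/ticket/1", "http://attacker.example/",
              "//attacker.example/", "javascript:alert(1)", "/\\attacker.example"):
        print(f"{q!r:32} -> {quickjump(q)}")
```

The fallback matters as much as the check: a handler that rejects a foreign target but then errors out still leaks which inputs were tried, whereas routing everything unsafe into the ordinary search page keeps the endpoint's behaviour uniform. Comparing the resolved `netloc` rather than checking a string prefix is what catches `https://trac.example.org@attacker.example/`, since `urlsplit` puts the whole userinfo-plus-host in `netloc` and it no longer equals the site's own.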
Targets for 0.10.5: amd64 ppc x86
ppc stable
x86 stable
re-opening ... /me hands Markus a cup of coffee ;)
amd64 stable
Ready for vote, I vote NO.
NO, closing.