| Field | Value |
|---|---|
| Summary: | www-apps/trac 0.9.3 is out - fixes XSS vulnerability |
| Product: | Gentoo Security |
| Reporter: | Milton YATES <milton.yates> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | minor |
| CC: | web-apps |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://secunia.com/advisories/18048/ |
| Whiteboard: | B4 [glsa] DerCorny |
| Package list: | |
| Runtime testing required: | --- |
Description
Milton YATES
2006-01-08 09:00:06 UTC
Secunia Advisory: SA18048
Release Date: 2005-12-16
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: Trac 0.x

Description: Christophe Truc has reported a vulnerability in Trac, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the URL path isn't properly sanitised before being returned to the user after accessing a missing page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability has been reported in versions 0.9, 0.9.1, and 0.9.2. Other versions may also be affected.

Solution: Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by: Christophe Truc

web-apps, please do your magic. Thanks.

In CVS, thanks.

arches, please test and stable, thanks.

No need to stable, these bugs only affect 0.9.x ebuilds which were never marked stable. See previous security issue with 0.9.x: http://bugs.gentoo.org/show_bug.cgi?id=114205

Oh, ok then, thanks a lot for the heads-up, closing without GLSA.

Reopening, as it appears that Trac-0.8.x versions are affected by one vulnerability, but upstream hasn't planned to backport the fix (http://projects.edgewall.com/trac/changeset/2724) to 0.8.x (too much work). That's why we have to mark 0.9.3 stable for x86 and ppc (the only arches where trac-0.8.x is marked stable), as well as its currently unstable dependencies:

* dev-python/pysqlite-2.0.4 and/or 2.0.5
* app-text/pytextile-2.0.10

It would also be nice if dev-libs/clearsilver-0.10.1 was marked stable in the same breath, though this isn't mandatory.

x86 done.

ppc stable.

Ready for GLSA vote.

Tend to say no.

I vote yes, as for all XSS things on a typically Internet-facing, open-to-anyone-for-posting thing.

I vote yes as well.

Then we go GLSA 200601-12. Thanks everybody.
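The bug class the advisory describes (a "page not found" response that echoes the requested URL path into HTML without escaping) is easy to reproduce in a few lines. The example below is added here for illustration; it is not Trac's code and does not reproduce the upstream fix. The WSGI application, the two `not_found_body_*` renderers, the `call()` driver with its constructed environ and the probe path are all assumptions made for the example. It shows the vulnerable pattern beside the hardened one and a check that the probe markup does not survive into the safe response.

```python
import html
from io import BytesIO

# Constructed probe: a path that an unescaping 404 page would echo verbatim.
# In a browser this is typed as /wiki/<script>alert(1)</script> (or its
# percent-encoded form, which the server decodes before it reaches PATH_INFO).
PROBE_PATH = "/wiki/<script>alert(1)</script>"

TEMPLATE = "<h1>Page not found</h1><p>No handler matched %s</p>"


def not_found_body_vulnerable(path):
    """Vulnerable pattern: the decoded path is interpolated into HTML as-is."""
    return TEMPLATE % path


def not_found_body_safe(path):
    """Hardened pattern: HTML-escape untrusted text before interpolating.

    quote=True also escapes ' and ", so the value is safe inside attributes
    as well as element content.
    """
    return TEMPLATE % html.escape(path, quote=True)


def make_app(renderer):
    """Minimal WSGI app (an assumption for this example): every path is missing,
    and the 404 body is produced by the supplied renderer."""
    def app(environ, start_response):
        # WSGI servers hand PATH_INFO to the app already percent-decoded.
        path = environ.get("PATH_INFO", "/")
        body = renderer(path).encode("utf-8")
        start_response(
            "404 Not Found",
            [("Content-Type", "text/html; charset=utf-8"),
             ("Content-Length", str(len(body)))],
        )
        return [body]
    return app


def call(app, decoded_path):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": decoded_path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.input": BytesIO(b""),
    }
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


def reflects_probe(body, probe_tag="<script>alert(1)</script>"):
    """True if the probe's markup reached the response unescaped."""
    return probe_tag in body


if __name__ == "__main__":
    for name, renderer in (("vulnerable", not_found_body_vulnerable),
                           ("safe", not_found_body_safe)):
        status, body = call(make_app(renderer), PROBE_PATH)
        print(name, status, "reflects markup:", reflects_probe(body))
        print("  ", body)
```

The check in `reflects_probe` looks for the literal tag, not just the `<` character, because the safe body legitimately contains the template's own `<h1>` and `<p>` elements; what must never appear is attacker-controlled markup. Escaping at the point of interpolation is the minimal fix; a real application would normally do it in the templating layer so that every reflected value gets the same treatment.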