Trac 0.9.3 is out and fixes a number of bugs and security vulnerabilities. It would be nice to have it in portage quickly.
Secunia Advisory: SA18048
Release Date: 2005-12-16
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: Trac 0.x
Christophe Truc has reported a vulnerability in Trac, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the URL path isn't properly sanitised before being returned to the user after accessing a missing page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability has been reported in versions 0.9, 0.9.1, and 0.9.2. Other versions may also be affected.
Edit the source code to ensure that input is properly sanitised.
Provided and/or discovered by:
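The class of bug the advisory describes, an error page for a missing resource that echoes the requested URL path into its HTML without escaping, shown as an added Python example. This is not Trac's code and not the upstream fix (that is changeset 2724); the functions, the page markup and the probe path below are constructed for illustration.

```python
from html import escape

# Constructed illustration, not Trac's code: a "page not found" response
# that reflects the requested path back to the client.


def not_found_page_unsafe(path: str) -> str:
    """Reflects the requested path verbatim into the HTML body.

    This is the pattern the advisory describes: whatever the client puts in
    the URL path lands in the page unchanged, so markup in the path becomes
    markup in the browser of whoever follows the link.
    """
    return (
        "<html><body><h1>Not Found</h1>"
        f"<p>No page matches {path}</p>"
        "</body></html>"
    )


def not_found_page_safe(path: str) -> str:
    """Same page with the path HTML-escaped before interpolation.

    html.escape(..., quote=True) turns <, >, &, " and ' into entities, so
    the path is rendered as text and cannot open or close tags or
    attributes.
    """
    return (
        "<html><body><h1>Not Found</h1>"
        f"<p>No page matches {escape(path, quote=True)}</p>"
        "</body></html>"
    )


def reflects_raw_markup(render, path: str) -> bool:
    """True if the rendered page contains the raw tag from the input
    rather than its escaped form."""
    return "<script" in render(path)


# Constructed probe: a request for a page that does not exist, with a
# script tag appended to the path.
PROBE_PATH = "/wiki/NoSuchPage<script>alert(1)</script>"


if __name__ == "__main__":
    for name, render in (("unsafe", not_found_page_unsafe),
                         ("safe", not_found_page_safe)):
        print(f"{name}: reflects raw markup = "
              f"{reflects_raw_markup(render, PROBE_PATH)}")
```

The same check applies to any other place a request value is interpolated into HTML (error messages, "did you mean" hints, breadcrumb trails): escape at the point of output, not just in the handler that happens to be reported.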
web-apps, pls do your magic. thanks
In CVS, thanks.
arches, please test and stable, thx
No need to stable, these bugs only affect 0.9.x ebuilds which were never marked stable. See previous security issue with 0.9.x: http://bugs.gentoo.org/show_bug.cgi?id=114205
Oh, ok then, thanks a lot for the heads-up, closing without GLSA.
Reopening, as it appears that Trac-0.8.x versions are affected by one vulnerability, but upstream hasn't planned to backport the fix (http://projects.edgewall.com/trac/changeset/2724) to 0.8.x (too much work).
That's why we have to mark 0.9.3 stable for x86 and ppc (only arches where trac-0.8.x is marked stable), as well as its currently unstable dependencies:
* dev-python/pysqlite-2.0.4 and/or 2.0.5
It would also be nice if dev-libs/clearsilver-0.10.1 was marked stable in the same breath, though this isn't mandatory.
Ready for GLSA vote. Tend to say no.
I vote yes, as for all XSS things on a typically Internet-facing, open-to-anyone-for-posting thing.
I vote yes as well
Then we go