Bug 456874 (CVE-2008-3328)

Summary: trac: multiple security fixes in 0.10.5 (CVE-2008-2951, CVE-2008-3328)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dcantrell, gwync, jeff, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 665462 (view as bug list) Environment:
Last Closed: 2010-12-23 22:25:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 665462    

Description Tomas Hoger 2008-07-28 11:32:59 UTC 
Upstream trac 0.10.5 fixes two non-critical security issues:

  http://trac.edgewall.org/wiki/ChangeLog#a0.10.5


CVE-2008-2951:
Open redirect vulnerability in the search script in Trac before 0.10.5
allows remote attackers to redirect users to arbitrary web sites and
conduct phishing attacks via a URL in the q parameter.

References:
http://holisticinfosec.org/content/view/72/45/
http://www.osvdb.org/46513

Upstream patch:
http://trac.edgewall.org/changeset/7224/branches/0.10-stable


CVE-2008-3328:
Cross-site scripting (XSS) vulnerability in the wiki engine in Trac
before 0.10.5 allows remote attackers to inject arbitrary web script
or HTML via unknown vectors.

Upstream patch:
http://trac.edgewall.org/changeset/7207/branches/0.10-stable

Upstream bug:
http://trac.edgewall.org/ticket/7332
Comment 1 Tomas Hoger 2008-07-28 11:43:21 UTC 
Rawhide is already updated to upstream 0.10.5, F-8, F-9 and EPEL5 use 0.10.4.

Based on a very quick look over 0.9.3 code in EPEL4, it seems to be affected by
CVE-2008-2951 (no quickjump verification seems to be performed) and is probably
not affected by CVE-2008-3328.  Please correct me if I'm wrong.
Comment 2 Fedora Update System 2008-07-29 13:05:03 UTC 
trac-0.10.5-1.fc8 has been submitted as an update for Fedora 8
Comment 3 Fedora Update System 2008-07-29 13:28:20 UTC 
trac-0.10.5-1.fc9 has been submitted as an update for Fedora 9
Comment 4 Fedora Update System 2008-07-30 20:05:54 UTC 
trac-0.10.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-07-30 20:06:12 UTC 
trac-0.10.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Jeffrey C. Ollie 2009-11-02 20:45:30 UTC 
Can this be closed now?  I'm no longer maintaining trac, but I'd like to make sure the issue was resolved.
Comment 7 Jesse Keating 2009-11-02 21:34:42 UTC 
I thought bodhi would automatically close it.  But since this is a bug on security response, I'm not sure what the right thing to do here is.
Comment 8 Jeffrey C. Ollie 2009-11-02 21:39:29 UTC 
On another bug, Tomas Hoger said that Bodhi deliberately does not close security response reports because the security team wants to make sure that the fix gets into all affected versions, not just the first one that pushed a package to stable.
Comment 9 Tomas Hoger 2009-11-03 07:48:55 UTC 
EPEL4 still has 0.9.3-2.el4.  According to comment #1, it seemed affected by one of the issues.  I don't remember the details though.  Feel free to close this if EPEL4 does not need fixing.
Comment 10 Vincent Danen 2010-04-15 20:50:44 UTC 
Is trac in EPEL4 no longer maintained?  That is the only package holding this up from being closed.
Comment 11 Jesse Keating 2010-04-15 21:16:53 UTC 
Ah, I think I just forgot about doing EL4, I'll look into it.
Comment 12 Vincent Danen 2010-12-23 22:25:08 UTC 
EPEL4 still hasn't been updated, so just created a tracking bug for it (bug #665462) and will close this one.