Bug 542394 (CVE-2009-4405)

Summary: trac: please update to the latest stable version (0.11.4 -> 0.11.6)
Product: [Fedora] Fedora Reporter: Jose Pedro Oliveira <jose.p.oliveira.oss>
Component: tracAssignee: Gwyn Ciesla <gwync>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dcantrell, fschwarz, gwync, vdanen
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 0.11.6-1.fc11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-12 23:33:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Jose Pedro Oliveira 2009-11-29 16:20:21 UTC
Description of problem:
The latest upstream version is 0.11.6 (released yesterday). The current Fedora 12 (and rawhide version) is 0.11.4. 

Version-Release number of selected component (if applicable):
trac-0.11.4-2.fc12.src.rpm

Expected results:
To have trac 0.11.6 available for F-12 and rawhide.

Additional info:

Release notes from versions 0.11.5 and 0.11.6:
----------
http://trac.edgewall.org/browser/tags/trac-0.11.5/RELEASE
----------
Changes in 0.11.5

 * Implemented pre-upgrade backup support for PostgreSQL and MySQL (#2304)
 * Fixed PostgreSQL upgrade issue (#8378)
 * More robust diff parsing (#2672)
 * Avoid intermittent hangs by not calling apr_terminate explicitly (#7785)
 * Fixed display of merge properties for scoped repositories #7715.
----------
http://trac.edgewall.org/browser/tags/trac-0.11.6/RELEASE
----------
Changes in 0.11.6

 * Fixed the policy checks in report results when using alternate formats.
 * Added a check for the "raw" role that is missing in docutils < 0.6.
 * Re-enabled connection pooling with SQLite (#3446).
 * Added caching of configuration options (#8510).
 * Fixed the "database is locked" issue with SQLite (#3446, #8468).
 * Deprecated SQLite 2.x support (#8625).
 * Fixed hanlding of times in timezones with DST (#8240).
 * Avoid corruption of trac.ini during write (#8623).
 * Improved support for revision ranges in the revision log view (#8349)
----------

Comment 1 Felix Schwarz 2009-11-29 20:11:38 UTC
Jon, Jesse: Ok, if I go ahead and update the package?

Comment 2 Gwyn Ciesla 2009-11-30 14:33:12 UTC
Well, I'm not sure where Jesse is in his work on this, so I'm hesitant to say yes at this point.  Jesse?

Comment 3 Jesse Keating 2009-11-30 16:58:49 UTC
Feel free to get this update out into rawhide and updates-testing where appropriate.  I can rebase my work forward.

Comment 4 Gwyn Ciesla 2009-11-30 17:39:39 UTC
Ok.  Felix, if you've got this ready, feel free, otherwise I can do it.

Comment 5 Jose Pedro Oliveira 2009-12-04 20:06:38 UTC
Ping! Felix: does you offer still stands?

Comment 6 Fedora Update System 2009-12-05 16:50:06 UTC
trac-0.11.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/trac-0.11.6-1.fc12

Comment 7 Fedora Update System 2009-12-10 04:16:16 UTC
trac-0.11.6-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update trac'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12975

Comment 8 Fedora Update System 2009-12-22 04:54:19 UTC
trac-0.11.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Vincent Danen 2009-12-23 21:39:47 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4405 to
the following vulnerability:

Name: CVE-2009-4405
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4405
Assigned: 20091223
Reference: MISC: https://bugzilla.redhat.com/show_bug.cgi?id=542394
Reference: CONFIRM: http://trac.edgewall.org/browser/tags/trac-0.11.6/RELEASE
Reference: FEDORA:FEDORA-2009-12975
Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01169.html
Reference: SECUNIA:37807
Reference: URL: http://secunia.com/advisories/37807
Reference: SECUNIA:37901
Reference: URL: http://secunia.com/advisories/37901
Reference: VUPEN:ADV-2009-3615
Reference: URL: http://www.vupen.com/english/advisories/2009/3615
Reference: XF:trac-alternate-security-bypass(54983)
Reference: URL: http://xforce.iss.net/xforce/xfdb/54983

Multiple unspecified vulnerabilities in Trac before 0.11.6 have
unknown impact and attack vectors, possibly related to (1) "policy
checks in report results when using alternate formats" or (2) a "check
for the 'raw' role that is missing in docutils < 0.6."


Fedora 11 still requires this fix as it is providing 0.11.4.

Comment 10 Felix Schwarz 2009-12-24 13:28:46 UTC
I'm aware of the F11 problem and will fix it tomorrow.

Comment 11 Fedora Update System 2009-12-25 11:56:44 UTC
trac-0.11.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/trac-0.11.6-1.fc11

Comment 12 Fedora Update System 2010-01-02 03:28:45 UTC
trac-0.11.6-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update trac'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0007

Comment 13 Fedora Update System 2010-01-12 23:33:05 UTC
trac-0.11.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.