Bug 456874 - (CVE-2008-3328) trac: multiple security fixes in 0.10.5 (CVE-2008-2951, CVE-2008-3328)
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Blocks: 665462
Reported: 2008-07-28 07:32 EDT by Tomas Hoger
Modified: 2013-01-09 23:45 EST
Doc Type: Bug Fix
Clones: 665462
Last Closed: 2010-12-23 17:25:08 EST
Attachments: None
Description Tomas Hoger 2008-07-28 07:32:59 EDT
Upstream trac 0.10.5 fixes two non-critical security issues:

CVE-2008-2951:
Open redirect vulnerability in the search script in Trac before 0.10.5
allows remote attackers to redirect users to arbitrary web sites and
conduct phishing attacks via a URL in the q parameter.

Upstream patch:

CVE-2008-3328:
Cross-site scripting (XSS) vulnerability in the wiki engine in Trac
before 0.10.5 allows remote attackers to inject arbitrary web script
or HTML via unknown vectors.

Upstream patch:

Upstream bug:
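The quickjump pattern behind the first issue, written out as an added example. This is not Trac's code and is not taken from this bug or its patch; the function names, BASE_URL and the sample queries are hypothetical. The vulnerable handler redirects to any URL found in q, which is what lets ?q=http://attacker.example/... bounce a victim off a trusted Trac host. The hardened handler is the kind of "quickjump verification" comment 1 looks for: it redirects only to targets on the site's own origin (judged on the parsed, resolved URL, not a string prefix) and treats everything else as search text.

```python
# Added example, not Trac's code: the open-redirect pattern behind CVE-2008-2951
# and a same-origin check that closes it. Names and BASE_URL are hypothetical.
from urllib.parse import urljoin, urlsplit

# Stand-in for the site's own base URL (constructed for this example).
BASE_URL = "https://trac.example.org/project"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def quickjump_vulnerable(q):
    """Pre-fix behaviour: any query that looks like a URL becomes a redirect.

    Returns the redirect target, or None to fall back to a normal search.
    ?q=http://attacker.example/login therefore sends the victim off-site,
    while the link they clicked pointed at the trusted Trac host."""
    q = q.strip()
    if q.startswith(("http://", "https://")):
        return q
    return None


def _origin(parts):
    """(scheme, host, port) with default ports filled in, so that
    https://host:443/ and https://host/ compare equal."""
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def is_same_origin(target, base_url=BASE_URL):
    """True only if *target*, resolved against base_url, stays on the site's
    scheme, host and port.

    Comparing the parsed, resolved URL rather than a string prefix rejects
    the usual bypasses: scheme-relative //host, host-suffix tricks
    (trac.example.org.attacker.example), credentials in the authority
    (trac.example.org@attacker.example), backslashes that browsers fold
    into slashes, scheme downgrades, and non-http schemes such as
    javascript:."""
    # Browsers treat backslashes as slashes, so judge the URL the browser
    # would see: "/\attacker.example" is really "//attacker.example".
    target = target.replace("\\", "/")
    try:
        base = urlsplit(base_url)
        resolved = urlsplit(urljoin(base_url, target))
        if resolved.scheme not in _DEFAULT_PORTS:
            return False
        if resolved.username is not None or resolved.password is not None:
            return False
        return _origin(resolved) == _origin(base)
    except ValueError:  # e.g. a non-numeric port in the target
        return False


def quickjump_hardened(q, base_url=BASE_URL):
    """Post-fix behaviour: redirect only within the site, otherwise search.

    Returns the absolute URL to put in the Location header, or None when the
    query should be treated as plain search text. Emitting the resolved
    absolute URL, never the raw q, also keeps browser-specific parsing of a
    relative Location value out of the picture."""
    q = q.strip()
    if not q.startswith(("http://", "https://", "/")):
        return None  # not link-like: ordinary search
    if not is_same_origin(q, base_url):
        return None  # off-site target: search for the text instead
    return urljoin(base_url, q.replace("\\", "/"))


if __name__ == "__main__":
    # Constructed sample queries, including the classic bypass attempts.
    for q in ("http://attacker.example/login", "//attacker.example/",
              "https://trac.example.org@attacker.example/", "/\\attacker.example",
              "https://trac.example.org/wiki/WikiStart", "/wiki/WikiStart"):
        print(f"{q!r:48} vulnerable -> {quickjump_vulnerable(q)!r:34} "
              f"hardened -> {quickjump_hardened(q)!r}")
```

The check deliberately treats an http:// target as a different origin from an https:// site, which is stricter than a host-only comparison but avoids quietly downgrading a user who arrived over TLS. In a real deployment base_url would be the site's configured base URL rather than a constant; the point the example makes is that the decision is taken on the resolved origin and that off-site input degrades to a search rather than an error.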
Comment 1 Tomas Hoger 2008-07-28 07:43:21 EDT
Rawhide is already updated to upstream 0.10.5; F-8, F-9 and EPEL5 use 0.10.4.

Based on a very quick look over 0.9.3 code in EPEL4, it seems to be affected by
CVE-2008-2951 (no quickjump verification seems to be performed) and is probably
not affected by CVE-2008-3328.  Please correct me if I'm wrong.
Comment 2 Fedora Update System 2008-07-29 09:05:03 EDT
trac-0.10.5-1.fc8 has been submitted as an update for Fedora 8
Comment 3 Fedora Update System 2008-07-29 09:28:20 EDT
trac-0.10.5-1.fc9 has been submitted as an update for Fedora 9
Comment 4 Fedora Update System 2008-07-30 16:05:54 EDT
trac-0.10.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-07-30 16:06:12 EDT
trac-0.10.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Jeffrey C. Ollie 2009-11-02 15:45:30 EST
Can this be closed now?  I'm no longer maintaining trac, but I'd like to make sure the issue was resolved.
Comment 7 Jesse Keating 2009-11-02 16:34:42 EST
I thought bodhi would automatically close it.  But since this is a bug on security response, I'm not sure what the right thing to do here is.
Comment 8 Jeffrey C. Ollie 2009-11-02 16:39:29 EST
On another bug, Tomas Hoger said that Bodhi deliberately does not close security response reports because the security team wants to make sure that the fix gets into all affected versions, not just the first one that pushed a package to stable.
Comment 9 Tomas Hoger 2009-11-03 02:48:55 EST
EPEL4 still has 0.9.3-2.el4.  According to comment #1, it seemed affected by one of the issues.  I don't remember the details though.  Feel free to close this if EPEL4 does not need fixing.
Comment 10 Vincent Danen 2010-04-15 16:50:44 EDT
Is trac in EPEL4 no longer maintained?  That is the only package holding this up from being closed.
Comment 11 Jesse Keating 2010-04-15 17:16:53 EDT
Ah, I think I just forgot about doing EL4, I'll look into it.
Comment 12 Vincent Danen 2010-12-23 17:25:08 EST
EPEL4 still hasn't been updated, so I just created a tracking bug for it (bug #665462) and will close this one.