Red Hat Bugzilla – Bug 456874
trac: multiple security fixes in 0.10.5 (CVE-2008-2951, CVE-2008-3328)
Last modified: 2013-01-09 23:45:03 EST
Upstream trac 0.10.5 fixes two non-critical security issues:
Open redirect vulnerability in the search script in Trac before 0.10.5
allows remote attackers to redirect users to arbitrary web sites and
conduct phishing attacks via a URL in the q parameter.
Cross-site scripting (XSS) vulnerability in the wiki engine in Trac
before 0.10.5 allows remote attackers to inject arbitrary web script
or HTML via unknown vectors.
Rawhide is already updated to upstream 0.10.5, F-8, F-9 and EPEL5 use 0.10.4.
Based on a very quick look over 0.9.3 code in EPEL4, it seems to be affected by
CVE-2008-2951 (no quickjump verification seems to be performed) and is probably
not affected by CVE-2008-3328. Please correct me if I'm wrong.
trac-0.10.5-1.fc8 has been submitted as an update for Fedora 8
trac-0.10.5-1.fc9 has been submitted as an update for Fedora 9
trac-0.10.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
trac-0.10.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Can this be closed now? I'm no longer maintaining trac, but I'd like to make sure the issue was resolved.
I thought bodhi would automatically close it. But since this is a bug on security response, I'm not sure what the right thing to do here is.
On another bug, Tomas Hoger said that Bodhi deliberately does not close security response reports because the security team wants to make sure that the fix gets into all affected versions, not just the first one that pushed a package to stable.
EPEL4 still has 0.9.3-2.el4. According to comment #1, it seemed affected by one of the issues. I don't remember the details though. Feel free to close this if EPEL4 does not need fixing.
Is trac in EPEL4 no longer maintained? That is the only package holding this up from being closed.
Ah, I think I just forgot about doing EL4, I'll look into it.
EPEL4 still hasn't been updated, so just created a tracking bug for it (bug #665462) and will close this one.