Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 456874 (CVE-2008-3328) - trac: multiple security fixes in 0.10.5 (CVE-2008-2951, CVE-2008-3328)
Summary: trac: multiple security fixes in 0.10.5 (CVE-2008-2951, CVE-2008-3328)
Alias: CVE-2008-3328
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 665462
TreeView+ depends on / blocked
Reported: 2008-07-28 11:32 UTC by Tomas Hoger
Modified: 2019-09-29 12:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 665462 (view as bug list)
Last Closed: 2010-12-23 22:25:08 UTC

Attachments (Terms of Use)

Description Tomas Hoger 2008-07-28 11:32:59 UTC
Upstream trac 0.10.5 fixes two non-critical security issues:


Open redirect vulnerability in the search script in Trac before 0.10.5
allows remote attackers to redirect users to arbitrary web sites and
conduct phishing attacks via a URL in the q parameter.


Upstream patch:

Cross-site scripting (XSS) vulnerability in the wiki engine in Trac
before 0.10.5 allows remote attackers to inject arbitrary web script
or HTML via unknown vectors.

Upstream patch:

Upstream bug:

Comment 1 Tomas Hoger 2008-07-28 11:43:21 UTC
Rawhide is already updated to upstream 0.10.5, F-8, F-9 and EPEL5 use 0.10.4.

Based on a very quick look over 0.9.3 code in EPEL4, it seems to be affected by
CVE-2008-2951 (no quickjump verification seems to be performed) and is probably
not affected by CVE-2008-3328.  Please correct me if I'm wrong.

Comment 2 Fedora Update System 2008-07-29 13:05:03 UTC
trac-0.10.5-1.fc8 has been submitted as an update for Fedora 8

Comment 3 Fedora Update System 2008-07-29 13:28:20 UTC
trac-0.10.5-1.fc9 has been submitted as an update for Fedora 9

Comment 4 Fedora Update System 2008-07-30 20:05:54 UTC
trac-0.10.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-07-30 20:06:12 UTC
trac-0.10.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Jeffrey C. Ollie 2009-11-02 20:45:30 UTC
Can this be closed now?  I'm no longer maintaining trac, but I'd like to make sure the issue was resolved.

Comment 7 Jesse Keating 2009-11-02 21:34:42 UTC
I thought bodhi would automatically close it.  But since this is a bug on security response, I'm not sure what the right thing to do here is.

Comment 8 Jeffrey C. Ollie 2009-11-02 21:39:29 UTC
On another bug, Tomas Hoger said that Bodhi deliberately does not close security response reports because the security team wants to make sure that the fix gets into all affected versions, not just the first one that pushed a package to stable.

Comment 9 Tomas Hoger 2009-11-03 07:48:55 UTC
EPEL4 still has 0.9.3-2.el4.  According to comment #1, it seemed affected by one of the issues.  I don't remember the details though.  Feel free to close this if EPEL4 does not need fixing.

Comment 10 Vincent Danen 2010-04-15 20:50:44 UTC
Is trac in EPEL4 no longer maintained?  That is the only package holding this up from being closed.

Comment 11 Jesse Keating 2010-04-15 21:16:53 UTC
Ah, I think I just forgot about doing EL4, I'll look into it.

Comment 12 Vincent Danen 2010-12-23 22:25:08 UTC
EPEL4 still hasn't been updated, so just created a tracking bug for it (bug #665462) and will close this one.

Note You need to log in before you can comment on or make changes to this bug.