Bug 542394 - (CVE-2009-4405) trac: please update to the latest stable version (0.11.4 -> 0.11.6)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: trac
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Jon Ciesla
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Depends On:
Blocks:
 
Reported: 2009-11-29 11:20 EST by Jose Pedro Oliveira
Modified: 2013-01-10 00:37 EST (History)

See Also:
Fixed In Version: 0.11.6-1.fc11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-12 18:33:10 EST


Attachments: None
Description Jose Pedro Oliveira 2009-11-29 11:20:21 EST
Description of problem:
The latest upstream version is 0.11.6 (released yesterday). The current Fedora 12 (and rawhide version) is 0.11.4. 

Version-Release number of selected component (if applicable):
trac-0.11.4-2.fc12.src.rpm

Expected results:
To have trac 0.11.6 available for F-12 and rawhide.

Additional info:

Release notes from versions 0.11.5 and 0.11.6:
----------
http://trac.edgewall.org/browser/tags/trac-0.11.5/RELEASE
----------
Changes in 0.11.5

 * Implemented pre-upgrade backup support for PostgreSQL and MySQL (#2304)
 * Fixed PostgreSQL upgrade issue (#8378)
 * More robust diff parsing (#2672)
 * Avoid intermittent hangs by not calling apr_terminate explicitly (#7785)
 * Fixed display of merge properties for scoped repositories #7715.
----------
http://trac.edgewall.org/browser/tags/trac-0.11.6/RELEASE
----------
Changes in 0.11.6

 * Fixed the policy checks in report results when using alternate formats.
 * Added a check for the "raw" role that is missing in docutils < 0.6.
 * Re-enabled connection pooling with SQLite (#3446).
 * Added caching of configuration options (#8510).
 * Fixed the "database is locked" issue with SQLite (#3446, #8468).
 * Deprecated SQLite 2.x support (#8625).
 * Fixed handling of times in timezones with DST (#8240).
 * Avoid corruption of trac.ini during write (#8623).
 * Improved support for revision ranges in the revision log view (#8349)
----------
Comment 1 Felix Schwarz 2009-11-29 15:11:38 EST
Jon, Jesse: OK if I go ahead and update the package?
Comment 2 Jon Ciesla 2009-11-30 09:33:12 EST
Well, I'm not sure where Jesse is in his work on this, so I'm hesitant to say yes at this point.  Jesse?
Comment 3 Jesse Keating 2009-11-30 11:58:49 EST
Feel free to get this update out into rawhide and updates-testing where appropriate.  I can rebase my work forward.
Comment 4 Jon Ciesla 2009-11-30 12:39:39 EST
Ok.  Felix, if you've got this ready, feel free, otherwise I can do it.
Comment 5 Jose Pedro Oliveira 2009-12-04 15:06:38 EST
Ping! Felix: does your offer still stand?
Comment 6 Fedora Update System 2009-12-05 11:50:06 EST
trac-0.11.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/trac-0.11.6-1.fc12
Comment 7 Fedora Update System 2009-12-09 23:16:16 EST
trac-0.11.6-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update trac'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12975
Comment 8 Fedora Update System 2009-12-21 23:54:19 EST
trac-0.11.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Vincent Danen 2009-12-23 16:39:47 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4405 to the following vulnerability:

Name: CVE-2009-4405
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4405
Assigned: 20091223
Reference: MISC: https://bugzilla.redhat.com/show_bug.cgi?id=542394
Reference: CONFIRM: http://trac.edgewall.org/browser/tags/trac-0.11.6/RELEASE
Reference: FEDORA:FEDORA-2009-12975
Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01169.html
Reference: SECUNIA:37807
Reference: URL: http://secunia.com/advisories/37807
Reference: SECUNIA:37901
Reference: URL: http://secunia.com/advisories/37901
Reference: VUPEN:ADV-2009-3615
Reference: URL: http://www.vupen.com/english/advisories/2009/3615
Reference: XF:trac-alternate-security-bypass(54983)
Reference: URL: http://xforce.iss.net/xforce/xfdb/54983

Multiple unspecified vulnerabilities in Trac before 0.11.6 have unknown impact and attack vectors, possibly related to (1) "policy checks in report results when using alternate formats" or (2) a "check for the 'raw' role that is missing in docutils < 0.6."


Fedora 11 still requires this fix as it is providing 0.11.4.
Comment 10 Felix Schwarz 2009-12-24 08:28:46 EST
I'm aware of the F11 problem and will fix it tomorrow.
Comment 11 Fedora Update System 2009-12-25 06:56:44 EST
trac-0.11.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/trac-0.11.6-1.fc11
Comment 12 Fedora Update System 2010-01-01 22:28:45 EST
trac-0.11.6-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update trac'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0007
Comment 13 Fedora Update System 2010-01-12 18:33:05 EST
trac-0.11.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
