+++ This bug was initially created as a clone of Bug #456874 +++

Upstream trac 0.10.5 fixes two non-critical security issues:
http://trac.edgewall.org/wiki/ChangeLog#a0.10.5

CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.
References:
http://holisticinfosec.org/content/view/72/45/
http://www.osvdb.org/46513
Upstream patch: http://trac.edgewall.org/changeset/7224/branches/0.10-stable

CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
Upstream patch: http://trac.edgewall.org/changeset/7207/branches/0.10-stable
Upstream bug: http://trac.edgewall.org/ticket/7332

--- Additional comment from thoger on 2009-11-03 02:48:55 EST ---
EPEL4 still has 0.9.3-2.el4. According to comment #1, it seemed affected by one of the issues. I don't remember the details though. Feel free to close this if EPEL4 does not need fixing.

--- Additional comment from vdanen on 2010-04-15 16:50:44 EDT ---
Is trac in EPEL4 no longer maintained? That is the only package holding this up from being closed.

--- Additional comment from jkeating on 2010-04-15 17:16:53 EDT ---
Ah, I think I just forgot about doing EL4, I'll look into it.

Creating this tracking bug for EPEL4 so it doesn't get lost anymore. 0.9.3-2.el4 is still the latest version there.
Looking at these two issues, I don't see similar code patterns in the Trac code for RHEL4. I believe that RHEL4 is not affected by these CVEs.
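The open redirect in CVE-2008-2951 is the class of bug where a request parameter (here the search q parameter) is passed straight to a redirect. Below is an added example, not Trac's own code or the upstream changeset, of the kind of same-host check a search handler can apply before redirecting; the hostname trac.example.org and the function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Only these schemes may appear in an absolute redirect target.
_HTTP_SCHEMES = ("http", "https")


def is_safe_redirect_target(target: str, allowed_host: str) -> bool:
    """Return True only if ``target`` stays on ``allowed_host``.

    Rejected: empty values, non-http(s) schemes such as javascript:,
    scheme-relative targets (//evil.example), backslash variants
    (/\\evil.example, which browsers normalise to //evil.example),
    userinfo tricks (http://trac.example.org@evil.example/), and any
    absolute URL whose authority is not exactly ``allowed_host``.
    """
    if not target or target != target.strip():
        return False
    # Browsers treat a backslash like a forward slash in URLs, so
    # normalise before parsing or "/\\evil" slips through as a path.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme.lower() not in _HTTP_SCHEMES or not parts.netloc:
            return False
    if parts.netloc:
        # Compare the whole authority (including any user@ or :port), not
        # just the parsed hostname, so a forged userinfo part is rejected.
        return parts.netloc.lower() == allowed_host.lower()
    # No authority: a site-relative path. urlsplit has already consumed a
    # leading "//" as netloc, so anything left here stays on our host.
    return target.startswith("/")


def redirect_target_or_default(q: str, allowed_host: str, default: str = "/search") -> str:
    """What a search handler would use: keep the user's target only if it
    passes the check above, otherwise fall back to a known-safe location."""
    return q if is_safe_redirect_target(q, allowed_host) else default


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for q in ("/wiki/WikiStart", "https://trac.example.org/ticket/7332",
              "http://evil.example/", "//evil.example/", "/\\evil.example/",
              "javascript:alert(1)", "http://trac.example.org@evil.example/"):
        print(f"{q!r:45} -> {redirect_target_or_default(q, 'trac.example.org')}")
```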