Subject: pkg/33367: www/trac 0.9.3 has XSS vulnerability, should update
To: pkg-manager@netbsd.org, gnats-admin@netbsd.org
From: obata@lins.jp
List: pkgsrc-bugs
Date: 04/26/2006 09:15:00
>Number:         33367
>Category:       pkg
>Synopsis:       www/trac 0.9.3 has XSS vulnerability, should update
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 26 09:15:00 +0000 2006
>Originator:     OBATA Akio
>Release:        NetBSD 3.0.0_STABLE
>Organization:
	LINS, Japan.
>Environment:
System: NetBSD miki.lins.jp 3.0.0_STABLE NetBSD 3.0.0_STABLE (MIKI) #16: Sun Mar 12 21:01:46 JST 2006 obata@miki.lins.jp:/usr/src/sys/arch/i386/compile/MIKI i386
Architecture: i386
Machine: i386
>Description:
	XSS vulnerability in trac versions prior to 0.9.5.

	Here is a ChangeLog from 0.9.3 to 0.9.5:

	Trac 0.9.5  (Apr 18, 2006)
	http://svn.edgewall.com/repos/trac/tags/trac-0.9.5

	 * Fixed wiki macro XSS vulnerability found by Mr. Kazuhiro Nishiyama
	   at InterAct. http://jvn.jp/jp/JVN%2384091359/index.html
	 * Smaller memory usage when accessing subversion history.
	 * Fixed issue with incorrectly generated urls when installed behind a web
	   proxy (#2531).
	 * Fixed bugs: #2531, #2777, #3020.

	Trac 0.9.4  (Feb 15, 2006)
	http://svn.edgewall.com/repos/trac/tags/trac-0.9.4

	 * Deletion of reports has been fixed.
	 * Various encoding issues with the timeline RSS feed have been fixed.
	 * Fixed a memory leak when syncing with the repository.
	 * Milestones in the roadmap are now ordered more intelligently.
	 * Fixed bugs: #1064, #1150, #2006, #2253, #2324, #2330, #2408, #2430,
	   #2431, #2459, #2544, #2459, #2481, #2485, #2536, #2544, #2553,
	   #2580, #2583, #2606, #2613, #2621, #2664, #2666, #2680, #2706,
	   #2707, #2735

>How-To-Repeat:
	http://jvn.jp/jp/JVN%2384091359/index.html (Japanese)
>Fix:
	Here is a patch for update:


Index: www/trac/Makefile
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/trac/Makefile,v
retrieving revision 1.18
diff -u -r1.18 Makefile
--- www/trac/Makefile	5 Feb 2006 23:11:29 -0000	1.18
+++ www/trac/Makefile	26 Apr 2006 08:43:46 -0000
@@ -1,8 +1,7 @@
 # $NetBSD: Makefile,v 1.18 2006/02/05 23:11:29 joerg Exp $
 #
 
-DISTNAME=	trac-0.9.3
-PKGREVISION=	2
+DISTNAME=	trac-0.9.5
 CATEGORIES=	devel www
 MASTER_SITES=	http://ftp.edgewall.com/pub/trac/ \
 		ftp://ftp.edgewall.com/pub/trac/
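Review bot: dropping `PKGREVISION=	2` alongside the `-DISTNAME=	trac-0.9.3` / `+DISTNAME=	trac-0.9.5` bump is the right pkgsrc convention (a new upstream version resets the revision), but this hunk is the only Makefile change and the patch carries no PLIST diff; please state in the PR that the installed file list is unchanged between 0.9.3 and 0.9.5, or include the PLIST update if it is not. Since the bump is motivated by the wiki macro XSS fix, an entry for the affected `trac<0.9.5` range in pkgsrc's vulnerability list would also let existing installs be flagged by the audit tooling.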
Index: www/trac/distinfo
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/trac/distinfo,v
retrieving revision 1.13
diff -u -r1.13 distinfo
--- www/trac/distinfo	12 Jan 2006 22:42:58 -0000	1.13
+++ www/trac/distinfo	26 Apr 2006 08:44:09 -0000
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.13 2006/01/12 22:42:58 wiz Exp $
 
-SHA1 (trac-0.9.3.tar.gz) = 20b18e6a6180869baafa982eede5b1f8889822aa
-RMD160 (trac-0.9.3.tar.gz) = 122cc18b4d20dbf7d6bcb09e28d8f179f66d885d
-Size (trac-0.9.3.tar.gz) = 337714 bytes
+SHA1 (trac-0.9.5.tar.gz) = c96b9c8a123699330c33ad6985713edde5a997ff
+RMD160 (trac-0.9.5.tar.gz) = b63931da6341783af8e221d3dad962462dc5f286
+Size (trac-0.9.5.tar.gz) = 339170 bytes
 SHA1 (patch-aa) = 5d8c1c3e5416e73d6cc24a5a45d4ec7afdc4a095
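Review bot: the `SHA1 (patch-aa)` line is left unchanged while the distfile moves from trac-0.9.3 to trac-0.9.5, so please confirm patch-aa still applies cleanly to the 0.9.5 tree; if it had to be regenerated to apply without fuzz, its checksum here must be updated as well. The new `SHA1`, `RMD160` and `Size` lines for trac-0.9.5.tar.gz should be the output of `make distinfo` against a tarball fetched from the MASTER_SITES in the Makefile, and it is worth cross-checking them against the checksum upstream publishes for the release before the update is committed, since the distinfo entry is what protects users from a tampered distfile.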