Subject: pkg/33367: www/trac 0.9.3 has an XSS vulnerability, should update
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <obata@lins.jp>
List: pkgsrc-bugs
Date: 04/26/2006 09:15:00
>Number: 33367
>Category: pkg
>Synopsis: www/trac 0.9.3 has an XSS vulnerability, should update
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed Apr 26 09:15:00 +0000 2006
>Originator: OBATA Akio
>Release: NetBSD 3.0.0_STABLE
>Organization:
LINS, Japan.
>Environment:
System: NetBSD miki.lins.jp 3.0.0_STABLE NetBSD 3.0.0_STABLE (MIKI) #16: Sun Mar 12 21:01:46 JST 2006 obata@miki.lins.jp:/usr/src/sys/arch/i386/compile/MIKI i386
Architecture: i386
Machine: i386
>Description:
XSS vulnerability in Trac versions prior to 0.9.5.
Here is the ChangeLog from 0.9.3 to 0.9.5:
Trac 0.9.5 (Apr 18, 2006)
http://svn.edgewall.com/repos/trac/tags/trac-0.9.5
* Fixed wiki macro XSS vulnerability found by Mr. Kazuhiro Nishiyama
at InterAct. http://jvn.jp/jp/JVN%2384091359/index.html
* Smaller memory usage when accessing subversion history.
* Fixed issue with incorrectly generated urls when installed behind a web
proxy (#2531).
* Fixed bugs: #2531, #2777, #3020.
Trac 0.9.4 (Feb 15, 2006)
http://svn.edgewall.com/repos/trac/tags/trac-0.9.4
* Deletion of reports has been fixed.
* Various encoding issues with the timeline RSS feed have been fixed.
* Fixed a memory leak when syncing with the repository.
* Milestones in the roadmap are now ordered more intelligently.
* Fixed bugs: #1064, #1150, #2006, #2253, #2324, #2330, #2408, #2430,
#2431, #2459, #2544, #2459, #2481, #2485, #2536, #2544, #2553,
#2580, #2583, #2606, #2613, #2621, #2664, #2666, #2680, #2706,
#2707, #2735
>How-To-Repeat:
http://jvn.jp/jp/JVN%2384091359/index.html (Japanese)
>Fix:
Here is a patch to update the package:
Index: www/trac/Makefile
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/trac/Makefile,v
retrieving revision 1.18
diff -u -r1.18 Makefile
--- www/trac/Makefile 5 Feb 2006 23:11:29 -0000 1.18
+++ www/trac/Makefile 26 Apr 2006 08:43:46 -0000
@@ -1,8 +1,7 @@
# $NetBSD: Makefile,v 1.18 2006/02/05 23:11:29 joerg Exp $
#
-DISTNAME= trac-0.9.3
-PKGREVISION= 2
+DISTNAME= trac-0.9.5
CATEGORIES= devel www
MASTER_SITES= http://ftp.edgewall.com/pub/trac/ \
ftp://ftp.edgewall.com/pub/trac/
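Review bot: dropping PKGREVISION together with the DISTNAME bump is the right thing here (the pkgsrc revision counter restarts at a new upstream version), but note that this diff touches only Makefile and distinfo. Since patch-aa is kept (its SHA1 line in distinfo is unchanged), please confirm it still applies cleanly to trac-0.9.5 and that the installed file list is unchanged before committing; the hunk itself gives no evidence either way.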
Index: www/trac/distinfo
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/trac/distinfo,v
retrieving revision 1.13
diff -u -r1.13 distinfo
--- www/trac/distinfo 12 Jan 2006 22:42:58 -0000 1.13
+++ www/trac/distinfo 26 Apr 2006 08:44:09 -0000
@@ -1,6 +1,6 @@
$NetBSD: distinfo,v 1.13 2006/01/12 22:42:58 wiz Exp $
-SHA1 (trac-0.9.3.tar.gz) = 20b18e6a6180869baafa982eede5b1f8889822aa
-RMD160 (trac-0.9.3.tar.gz) = 122cc18b4d20dbf7d6bcb09e28d8f179f66d885d
-Size (trac-0.9.3.tar.gz) = 337714 bytes
+SHA1 (trac-0.9.5.tar.gz) = c96b9c8a123699330c33ad6985713edde5a997ff
+RMD160 (trac-0.9.5.tar.gz) = b63931da6341783af8e221d3dad962462dc5f286
+Size (trac-0.9.5.tar.gz) = 339170 bytes
SHA1 (patch-aa) = 5d8c1c3e5416e73d6cc24a5a45d4ec7afdc4a095
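Review bot: the new SHA1, RMD160 and Size lines for trac-0.9.5.tar.gz cannot be checked from the diff alone, so the committer should regenerate them with `make distinfo` against a tarball fetched from the MASTER_SITES listed in the Makefile (ftp.edgewall.com) and compare, rather than copying the values as submitted. The trac-0.9.3 lines are removed and patch-aa is retained unchanged, which is consistent with the Makefile hunk.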