Subject: pkg/33368: www/ja-trac 0.9.4.1 have XSS vulnerability, should update
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <obata@lins.jp>
List: pkgsrc-bugs
Date: 04/26/2006 09:20:00
>Number:         33368
>Category:       pkg
>Synopsis:       www/ja-trac 0.9.4.1 have XSS vulnerability, should update
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 26 09:20:00 +0000 2006
>Originator:     OBATA Akio
>Release:        NetBSD 3.0.0_STABLE
>Organization:
	LINS, Japan.
>Environment:
System: NetBSD miki.lins.jp 3.0.0_STABLE NetBSD 3.0.0_STABLE (MIKI) #16: Sun Mar 12 21:01:46 JST 2006 obata@miki.lins.jp:/usr/src/sys/arch/i386/compile/MIKI i386
Architecture: i386
Machine: i386
>Description:
	XSS vulnerability in trac versions prior to 0.9.5.

	Here is a ChangeLog from 0.9.4 to 0.9.5:

	Trac-0.9.5-ja-1 (Apr 19, 2006)

	 * Merge trac-0.9.5
	 * Update to current statement.
	 * README.trac-ja
	 * wiki-default/TracJa

	Trac 0.9.5  (Apr 18, 2006)
	http://svn.edgewall.com/repos/trac/tags/trac-0.9.5

 	 * Fixed wiki macro XSS vulnerability found by Mr. Kazuhiro Nishiyama
	   at InterAct. http://jvn.jp/jp/JVN%2384091359/index.html
	 * Smaller memory usage when accessing subversion history.
	 * Fixed issue with incorrectly generated urls when installed behind a web
	   proxy (#2531).
	 * Fixed bugs: #2531, #2777, #3020.

>How-To-Repeat:
	http://jvn.jp/jp/JVN%2384091359/index.html (Japanese)
>Fix:
	Here is a patch for update:


Index: www/ja-trac/Makefile
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/ja-trac/Makefile,v
retrieving revision 1.2
diff -u -r1.2 Makefile
--- www/ja-trac/Makefile	11 Mar 2006 14:20:48 -0000	1.2
+++ www/ja-trac/Makefile	26 Apr 2006 08:35:55 -0000
@@ -1,8 +1,8 @@
 # $NetBSD: Makefile,v 1.2 2006/03/11 14:20:48 wiz Exp $
 #
 
-DISTNAME=	trac-0.9.4-ja-1
-PKGNAME=	ja-trac-0.9.4.1
+DISTNAME=	trac-0.9.5-ja-1
+PKGNAME=	ja-trac-0.9.5.1
 CATEGORIES=	www devel
 MASTER_SITES=	http://www.i-act.co.jp/project/products/downloads/
 EXTRACT_SUFX=	.zip
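Review bot: the unchanged MASTER_SITES line in this hunk still fetches the distfile over plain http://, so for this security update the only integrity check on trac-0.9.5-ja-1.zip is its distinfo entry; if the download site serves the same file over https://, switch the URL in the same commit. The PKGNAME bump to ja-trac-0.9.5.1 follows the mapping already used for 0.9.4-ja-1, so nothing else needs to change there.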
Index: www/ja-trac/distinfo
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/ja-trac/distinfo,v
retrieving revision 1.2
diff -u -r1.2 distinfo
--- www/ja-trac/distinfo	11 Mar 2006 14:20:48 -0000	1.2
+++ www/ja-trac/distinfo	26 Apr 2006 08:36:16 -0000
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.2 2006/03/11 14:20:48 wiz Exp $
 
-SHA1 (trac-0.9.4-ja-1.zip) = fa5b530e938016d26fa33a4526c60d1e9ba61dbd
-RMD160 (trac-0.9.4-ja-1.zip) = 2e9956a2c026667c78d849879b39a9c9ad66bac9
-Size (trac-0.9.4-ja-1.zip) = 491505 bytes
+SHA1 (trac-0.9.5-ja-1.zip) = 940108934a6c56d6617c4551ab756410623d6e38
+RMD160 (trac-0.9.5-ja-1.zip) = 4ff0792c721f27309843ff442e18082cf428ed3f
+Size (trac-0.9.5-ja-1.zip) = 502764 bytes
 SHA1 (patch-aa) = 577475956c91ae995bbffb03ac5f8e8752912475
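Review bot: the SHA1 (patch-aa) context line is unchanged, so the existing patch-aa is being carried over to the 0.9.5 sources as is; please confirm it still applies cleanly to trac-0.9.5-ja-1 and regenerate it if it applies only with offsets or fuzz. Since the distfile comes over plain HTTP, it is also worth stating where the new SHA1, RMD160 and Size values were computed from, so the committer can compare them against an independently fetched copy.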