Subject: pkg/33368: www/ja-trac 0.9.4.1 have XSS vulnerability, should update
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <obata@lins.jp>
List: pkgsrc-bugs
Date: 04/26/2006 09:20:00
>Number: 33368
>Category: pkg
>Synopsis: www/ja-trac 0.9.4.1 have XSS vulnerability, should update
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed Apr 26 09:20:00 +0000 2006
>Originator: OBATA Akio
>Release: NetBSD 3.0.0_STABLE
>Organization:
LINS, Japan.
>Environment:
System: NetBSD miki.lins.jp 3.0.0_STABLE NetBSD 3.0.0_STABLE (MIKI) #16: Sun Mar 12 21:01:46 JST 2006 obata@miki.lins.jp:/usr/src/sys/arch/i386/compile/MIKI i386
Architecture: i386
Machine: i386
>Description:
XSS vulnerability in trac version prior to 0.9.5.
Here is a ChangeLog from 0.9.4 to 0.9.5:
Trac-0.9.5-ja-1 (Apr 19, 2006)
* Merge trac-0.9.5
* Update to current statement.
* README.trac-ja
* wiki-default/TracJa
Trac 0.9.5 (Apr 18, 2006)
http://svn.edgewall.com/repos/trac/tags/trac-0.9.5
* Fixed wiki macro XSS vulnerability found by Mr. Kazuhiro Nishiyama
at InterAct. http://jvn.jp/jp/JVN%2384091359/index.html
* Smaller memory usage when accessing subversion history.
* Fixed issue with incorrectly generated urls when installed behind a web
proxy (#2531).
* Fixed bugs: #2531, #2777, #3020.
>How-To-Repeat:
http://jvn.jp/jp/JVN%2384091359/index.html (Jpanaese)
>Fix:
Here is a patch for update:
Index: www/ja-trac/Makefile
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/ja-trac/Makefile,v
retrieving revision 1.2
diff -u -r1.2 Makefile
--- www/ja-trac/Makefile 11 Mar 2006 14:20:48 -0000 1.2
+++ www/ja-trac/Makefile 26 Apr 2006 08:35:55 -0000
@@ -1,8 +1,8 @@
# $NetBSD: Makefile,v 1.2 2006/03/11 14:20:48 wiz Exp $
#
-DISTNAME= trac-0.9.4-ja-1
-PKGNAME= ja-trac-0.9.4.1
+DISTNAME= trac-0.9.5-ja-1
+PKGNAME= ja-trac-0.9.5.1
CATEGORIES= www devel
MASTER_SITES= http://www.i-act.co.jp/project/products/downloads/
EXTRACT_SUFX= .zip
Index: www/ja-trac/distinfo
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/ja-trac/distinfo,v
retrieving revision 1.2
diff -u -r1.2 distinfo
--- www/ja-trac/distinfo 11 Mar 2006 14:20:48 -0000 1.2
+++ www/ja-trac/distinfo 26 Apr 2006 08:36:16 -0000
@@ -1,6 +1,6 @@
$NetBSD: distinfo,v 1.2 2006/03/11 14:20:48 wiz Exp $
-SHA1 (trac-0.9.4-ja-1.zip) = fa5b530e938016d26fa33a4526c60d1e9ba61dbd
-RMD160 (trac-0.9.4-ja-1.zip) = 2e9956a2c026667c78d849879b39a9c9ad66bac9
-Size (trac-0.9.4-ja-1.zip) = 491505 bytes
+SHA1 (trac-0.9.5-ja-1.zip) = 940108934a6c56d6617c4551ab756410623d6e38
+RMD160 (trac-0.9.5-ja-1.zip) = 4ff0792c721f27309843ff442e18082cf428ed3f
+Size (trac-0.9.5-ja-1.zip) = 502764 bytes
SHA1 (patch-aa) = 577475956c91ae995bbffb03ac5f8e8752912475