CSS and remote exploitable security issues

Related Vulnerabilities: CVE-2007-1405, CVE-2007-1406

Debian Bug report logs - #414134

Reported by: "Cort, Tom" <Tom.Cort@state.vt.us>

Date: Fri, 9 Mar 2007 12:30:01 UTC

Severity: important

Tags: security

Merged with 420219

Found in version trac/0.10.3-1

Fixed in versions trac/0.10.4-1, trac/0.10.3-1etch4

Done: Otavio Salvador <otavio@ossystems.com.br>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#414134; Package trac.

Acknowledgement sent to "Cort, Tom" <Tom.Cort@state.vt.us>:
New Bug report received and forwarded. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.

Message #5 received at submit@bugs.debian.org:

From: "Cort, Tom" <Tom.Cort@state.vt.us>
To: <submit@bugs.debian.org>
Subject: trac version bump request
Date: Fri, 9 Mar 2007 07:21:19 -0500
Package: trac
Version: 0.10.3-1
Tags: security

Please bump trac to 0.10.3.1 in 'testing' and 'unstable' because of these
two issues listed in the release announcement[1]:

* Always send "Content-Disposition: attachment" headers where
   potentially unsafe (user provided) content is available for download.
   This behaviour can be altered using the "render_unsafe_content"
   option in the "attachment" and "browser" sections of trac.ini.
* Fixed XSS vulnerability in "download wiki page as text" in
   combination with Microsoft IE. Reported by Yoshinori Oota, Business
   Architects Inc.

[1] Release Announcement
http://groups.google.com/group/trac-announce/browse_thread/thread/a0179f00abb51972
[smime.p7s (application/x-pkcs7-signature, attachment)]
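The two fixes quoted from the release announcement above, worked through as an added example. This is not Trac's own code: the option name `render_unsafe_content` comes from the report, while the function names, the constructed sample wiki text, the tag list used by the sniffing heuristic and the extra `X-Content-Type-Options: nosniff` header are assumptions of this example. It shows the "download wiki page as text" response in its pre-fix shape (declared `text/plain`, shown inline, so a sniffing browser such as the IE of the day could treat embedded markup as HTML in the site's own origin) beside the fixed shape (`Content-Disposition: attachment` by default), plus a small defender's check that flags responses still at risk.

```python
"""Added example (not Trac's code): serving user-provided content with
the headers the trac 0.10.3.1 announcement describes, and a check that
flags responses a MIME-sniffing browser could upgrade to HTML."""
import re

# Constructed sample input: wiki text a user wrote. It is served as
# text/plain, but a sniffing browser may decide it is HTML.
SAMPLE_WIKI_TEXT = b"= Notes =\n<html><body><b>not really plain text</b></body></html>\n"

# Tags that MIME sniffers look for near the start of a body (assumption:
# a small subset, enough for the demonstration).
_MARKUP_RE = re.compile(
    rb"<(?:!doctype\s+html|html|head|body|script|iframe|object|svg)[\s>]",
    re.IGNORECASE,
)


def looks_like_markup(body: bytes) -> bool:
    """Return True if the first 512 bytes of ``body`` resemble HTML."""
    return _MARKUP_RE.search(body[:512]) is not None


def safe_filename(name: str) -> str:
    """Keep only the last path component and drop characters that would
    break out of the quoted filename parameter."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r'["\r\n]', "", name)
    return name or "download"


def download_headers(filename, content_type, render_unsafe_content=False):
    """Headers for user-provided content, as the announcement describes:
    attachment by default; inline only when the site opts in via the
    ``render_unsafe_content`` option."""
    disposition = "inline" if render_unsafe_content else "attachment"
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": '%s; filename="%s"' % (disposition, safe_filename(filename)),
    }
    if not render_unsafe_content:
        # Assumption, not from the page: also tell the browser not to
        # second-guess the declared type.
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def wiki_text_headers_before(page_name):
    """Pre-0.10.3.1 shape of 'download wiki page as text': the body is
    declared text/plain but shown inline, so a sniffing browser could
    render embedded markup in the site's origin."""
    return {
        "Content-Type": "text/plain;charset=utf-8",
        "Content-Disposition": 'inline; filename="%s.txt"' % safe_filename(page_name),
    }


def wiki_text_headers_after(page_name):
    """Fixed shape: the same text offered as a download."""
    return download_headers(page_name + ".txt", "text/plain;charset=utf-8")


def sniff_risk(headers, body):
    """Defender's check: does this response invite a browser to upgrade a
    non-HTML body to HTML?  True when the body looks like markup, the
    declared type is not HTML, and nothing stops inline rendering."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "inline").split(";")[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    return bool(
        looks_like_markup(body)
        and ctype not in ("text/html", "application/xhtml+xml")
        and disposition == "inline"
        and not nosniff
    )


if __name__ == "__main__":
    for label, headers in (("before", wiki_text_headers_before("WikiStart")),
                           ("after", wiki_text_headers_after("WikiStart"))):
        print(label, headers, "sniff risk:", sniff_risk(headers, SAMPLE_WIKI_TEXT))
```

`sniff_risk` is the part worth keeping around: run it over the headers an application emits for any user-supplied body and it points at exactly the combination the report describes (markup-looking bytes, a non-HTML declared type, inline disposition, no `nosniff`), which is what `Content-Disposition: attachment` removes.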

Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#414134; Package trac.

Acknowledgement sent to Luis Matos <gass@otiliamatos.ath.cx>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.

Message #10 received at 414134@bugs.debian.org:

From: Luis Matos <gass@otiliamatos.ath.cx>
To: 414134@bugs.debian.org
Subject: version update
Date: Tue, 13 Mar 2007 20:26:01 +0000
Hello there!

0.10.4 will be out in a week ... let's hope that etch is not released
until then.

best regards

Luis Matos




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#414134; Package trac.

Acknowledgement sent to Jesus Climent <jesus.climent@hispalinux.es>:
Extra info received and forwarded to list.

Message #15 received at 414134@bugs.debian.org:

From: Jesus Climent <jesus.climent@hispalinux.es>
To: Luis Matos <gass@otiliamatos.ath.cx>, 414134@bugs.debian.org
Subject: Re: Bug#414134: version update
Date: Wed, 14 Mar 2007 09:08:15 +0100
On Tue, Mar 13, 2007 at 08:26:01PM +0000, Luis Matos wrote:
> Hello there!
> 
> 0.10.4 will be out in a week ... let's hope that etch is not released
> until then.

Etch will most likely NOT be released with 0.10.4, no matter when it is
released.

Cheers,
-- 
Jesus Climent                      info:pumuki.org dj:triplestereo.com
Unix SysAdm|Linux User #66350|Debian Developer|2.6.18|Helsinki Finland
GPG: 1024D/86946D69 BB64 2339 1CAA 7064 E429  7E18 66FC 1D7F 8694 6D69

Grool... I meant to say "cool" and then I started to say "great." 
		--Cady (Mean Girls)



Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#414134; Package trac.

Acknowledgement sent to Luis Matos <gass@otiliamatos.ath.cx>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.

Message #20 received at 414134@bugs.debian.org:

From: Luis Matos <gass@otiliamatos.ath.cx>
To: 414134@bugs.debian.org
Subject: security issues remain on stable
Date: Sun, 20 May 2007 16:44:55 +0100
Severity: Critical

thanks.

the security issues reported in this BR are still present in Debian.




Severity set to `critical' from `normal'. Request was from Luis Matos <gass@otiliamatos.ath.cx> to control@bugs.debian.org. (Sun, 20 May 2007 14:54:05 GMT)

Merged 414134 420219. Request was from Luis Matos <gass@otiliamatos.ath.cx> to control@bugs.debian.org. (Sun, 20 May 2007 14:54:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#414134; Package trac.

Acknowledgement sent to Luis Matos <a26652@alunos.mec.ua.pt>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.

Message #29 received at 414134@bugs.debian.org:

From: Luis Matos <a26652@alunos.mec.ua.pt>
To: 414134@bugs.debian.org
Subject: details for fixes and patch
Date: Sun, 20 May 2007 17:08:59 +0100
Followup-For: 414134
Tags: patch

link for diffs between 0.10.3 and 0.10.3.1:

http://trac.edgewall.org/changeset/4949

http://trac.edgewall.org/changeset/4949?format=diff&new=4949

stripped diff (only has the fixes) is attached.
[trac_0.10.3_0.10.3.1.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#414134; Package trac.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.

Message #34 received at 414134@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 414134@bugs.debian.org
Subject: Re: trac version bump request
Date: Sun, 20 May 2007 15:43:31 -0700
severity 414134 important
thanks

XSS vulns are not critical security bugs.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Severity set to `important' from `critical'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 20 May 2007 22:45:07 GMT)

Reply sent to Luis Matos <gass@otiliamatos.ath.cx>:
You have taken responsibility.

Notification sent to "Cort, Tom" <Tom.Cort@state.vt.us>:
Bug acknowledged by developer.

Message #41 received at 414134-close@bugs.debian.org:

From: Luis Matos <gass@otiliamatos.ath.cx>
To: 414134-close@bugs.debian.org
Subject: Bug#414134: fixed in trac 0.10.4-1
Date: Wed, 23 May 2007 15:02:46 +0000
Source: trac
Source-Version: 0.10.4-1

We believe that the bug you reported is fixed in the latest version of
trac, which is due to be installed in the Debian FTP archive:

trac_0.10.4-1.diff.gz
  to pool/main/t/trac/trac_0.10.4-1.diff.gz
trac_0.10.4-1.dsc
  to pool/main/t/trac/trac_0.10.4-1.dsc
trac_0.10.4-1_all.deb
  to pool/main/t/trac/trac_0.10.4-1_all.deb
trac_0.10.4.orig.tar.gz
  to pool/main/t/trac/trac_0.10.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 414134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luis Matos <gass@otiliamatos.ath.cx> (supplier of updated trac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 20 May 2007 22:46:56 +0100
Source: trac
Binary: trac
Architecture: source all
Version: 0.10.4-1
Distribution: unstable
Urgency: low
Maintainer: Jesus Climent <jesus.climent@hispalinux.es>
Changed-By: Luis Matos <gass@otiliamatos.ath.cx>
Description: 
 trac       - Enhanced wiki and issue tracking system for software development 
Closes: 414134 420219 422409
Changes: 
 trac (0.10.4-1) unstable; urgency=low
 .
   * New upstream release (Closes: #414134, #420219)
   * Fixed typo in debian/copyright file (Closes: #422409)
Files: 
 4e5ead21be4462caf9057acfc1a56dab 714 web optional trac_0.10.4-1.dsc
 52a3a21ad9faafc3b59cbeb87d5a69d2 449116 web optional trac_0.10.4.orig.tar.gz
 2009747a16096be31dc3555c7da8a68a 8793 web optional trac_0.10.4-1.diff.gz
 da54e1801833494d78b7562c8ad29e59 386598 web optional trac_0.10.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVFSfLqiZQEml+FURAiTXAJ9iq0VERRu2aDuG4bpUJz0U3+1NyACeKNxi
c9lGd396BhnGaOsW4ghXj78=
=BW5B
-----END PGP SIGNATURE-----




Reply sent to Luis Matos <gass@otiliamatos.ath.cx>:
You have taken responsibility.

Notification sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>:
Bug acknowledged by developer.

Changed Bug title to `CSS and remote exploitable security issues' from `trac version bump request'. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Thu, 24 May 2007 10:03:03 GMT)

Reply sent to Otavio Salvador <otavio@ossystems.com.br>:
You have taken responsibility.

Notification sent to "Cort, Tom" <Tom.Cort@state.vt.us>:
Bug acknowledged by developer.

Message #53 received at 414134-close@bugs.debian.org:

From: Otavio Salvador <otavio@ossystems.com.br>
To: 414134-close@bugs.debian.org
Subject: Bug#414134: fixed in trac 0.10.3-1etch4
Date: Thu, 24 May 2007 18:27:40 +0000
Source: trac
Source-Version: 0.10.3-1etch4

We believe that the bug you reported is fixed in the latest version of
trac, which is due to be installed in the Debian FTP archive:

trac_0.10.3-1etch4.diff.gz
  to pool/main/t/trac/trac_0.10.3-1etch4.diff.gz
trac_0.10.3-1etch4.dsc
  to pool/main/t/trac/trac_0.10.3-1etch4.dsc
trac_0.10.3-1etch4_all.deb
  to pool/main/t/trac/trac_0.10.3-1etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 414134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Otavio Salvador <otavio@ossystems.com.br> (supplier of updated trac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 23 May 2007 21:18:41 -0300
Source: trac
Binary: trac
Architecture: source all
Version: 0.10.3-1etch4
Distribution: stable
Urgency: low
Maintainer: Jesus Climent <jesus.climent@hispalinux.es>
Changed-By: Otavio Salvador <otavio@ossystems.com.br>
Description: 
 trac       - Enhanced wiki and issue tracking system for software development 
Closes: 414134 420219 422409
Changes: 
 trac (0.10.3-1etch4) stable; urgency=low
 .
   * Add 02_CVE-2007-1405_CVE-2007-1406.dpatch patch to fix CVE-2007-1405
     and CVE-2007-1406 security issues. (Closes: #414134, #420219)
   * Fixed typo in debian/copyright. (Closes: #422409)
Files: 
 e307d0bcb9bfe2dd6d326dec68c3b520 725 web optional trac_0.10.3-1etch4.dsc
 79c108b904b301fafd1283dad65cf30c 10279 web optional trac_0.10.3-1etch4.diff.gz
 b2415efa3ef11cfd2209923daad7627b 384720 web optional trac_0.10.3-1etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVNvBLqiZQEml+FURAl87AKCVvezr5KccAw2yzn8mBK26RMMueACdFfOQ
SGn1xJqLsG5yThgu09kr0zs=
=ofM2
-----END PGP SIGNATURE-----




Reply sent to Otavio Salvador <otavio@ossystems.com.br>:
You have taken responsibility.

Notification sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>:
Bug acknowledged by developer.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Jul 2007 07:27:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:27:42 2019; Machine Name: buxtehude
