Hello EPEL-DEVEL-LIST,
I don't know if this has been brought up on this list yet... I didn't see it in the archives for July '08. I am wondering when there will be a later version of trac (0.10.5 or later) in the EPEL repositories.
Thank you.
Jimmy Devenport Los Alamos National Lab
*Vulnerability : Trac quickjump Cross-Site Redirection - Medium http://trac.edgewall.org/wiki/ChangeLoga0.10.5 [Nessus]*
*Description : * The remote host is running Trac, an enhanced wiki and issue tracking system for software development projects.
The version of Trac installed on the remote host fails to sanitize user input to the q parameter of the search script before using it in an unfiltered and unmanaged fashion in a redirect. An attacker may be able to use an open redirect such as this to trick people into visiting malicious sites, which could lead to phishing attacks, browser exploits, or drive-by malware downloads.
*Fix : * Upgrade to Trac version 0.11.0 / 0.10.5 or later.
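The check that the scanner finding says is missing, as an added example that is not part of the original message and is not Trac's own code: a redirect target derived from the `q` search parameter is followed only when it stays on the site, and is otherwise handled as an ordinary search. The host, base path, and the `quickjump` / `is_local_redirect` names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "trac.example.org"   # constructed host, not from the page
BASE_PATH = "/trac"              # constructed mount point, not from the page


def is_local_redirect(target, site_host=SITE_HOST):
    """True only if `target` stays on `site_host` when sent in a Location header."""
    # Control characters allow header splitting; browsers treat "\" like "/".
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: accept only our own host over http(s).
        # This also rejects "javascript:" and "user@host" userinfo tricks.
        return (parts.scheme in ("http", "https")
                and parts.netloc.lower() == site_host.lower())
    # Relative form: require a rooted path, and refuse "//host" style prefixes.
    return target.startswith("/") and not target.startswith("//")


def quickjump(q):
    """Hypothetical search handler: ('redirect', url) or ('search', q)."""
    m = re.fullmatch(r"#(\d+)", q)            # "#42" jumps to ticket 42
    target = f"{BASE_PATH}/ticket/{m.group(1)}" if m else q
    if is_local_redirect(target):
        return ("redirect", target)
    # Untrusted or off-site target: show search results instead of redirecting.
    return ("search", q)


if __name__ == "__main__":
    # Constructed sample values for the q parameter.
    for q in ["#42", "/trac/wiki/Start", "http://evil.example/login",
              "//evil.example/", "release notes"]:
        print(repr(q), "->", quickjump(q))
```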
On Thu, 31 Jul 2008, Jimmy G. Devenport wrote:
> Hello EPEL-DEVEL-LIST,
> I don't know if this has been brought up on this list yet... I didn't see it in the archives for July '08. I am wondering when there will be a later version of trac (0.10.5 or later) in the EPEL repositories.
> Thank you.
> Jimmy Devenport Los Alamos National Lab
It's sitting in needsign right now actually:
http://buildsys.fedoraproject.org/needsign/fedora-5-epel/trac/0.10.5-1.el5/
It'll probably get pushed after the testing -> stable push soon.
-Mike