Login
Newsletter
Werbung

Sicherheit: Preisgabe von Informationen in trac
Aktuelle Meldungen Distributionen
Name: Preisgabe von Informationen in trac
ID: DSA-1152-1
Distribution: Debian
Plattformen: Debian sarge
Datum: Fr, 18. August 2006, 11:35
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3695
Applikationen: Trac

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1152-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 18th, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : trac
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-3695

Felix Wiemann discovered that trac, an enhanced Wiki and issue
tracking system for software development projects, can be used to
disclose arbitrary local files. To fix this problem, python-docutils
needs to be updated as well.

For the stable distribution (sarge) this problem has been fixed in
version 0.8.1-3sarge5 of trac and version 0.3.7-2sarge1 of
python-docutils.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.6-1.

We recommend that you upgrade your trac and python-docutils packages.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

python-docutils_0.3.7-2sarge1.dsc
Size/MD5 checksum: 777 34aa13e1031f1aa26b9dee81a589c5ea
python-docutils_0.3.7-2sarge1.diff.gz
Size/MD5 checksum: 30438 52144273352f410be37bcedf90241a54
python-docutils_0.3.7.orig.tar.gz
Size/MD5 checksum: 679649 e0713c07d766cec04b7a36047dac558c

http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5.dsc
Size/MD5 checksum: 656 9294e113a8875efb049442aac4a0f378
trac_0.8.1-3sarge5.diff.gz
Size/MD5 checksum: 13250 e00671c1f4203a5c93fba3f686a7dc1b
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1.orig.tar.gz
Size/MD5 checksum: 236791 1b6c44fae90c760074762b73cdc88c8d

Architecture independent components:

python-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 614676 859beee07adfd84da242a5c47f1209fe
python-roman_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9942 3547f270109d5827073ba964f32863b8
python2.1-difflib_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 21000 8e265bcf42aa1a01c694bacc62010692
python2.1-textwrap_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9616 0a2c510802b0f97fc0289e1b968e3da1
python2.2-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4120 2ffb02ad0c4f8640a85f61182cd2a4d5
python2.2-textwrap_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9614 d4f027f3eb69b465518ecc332fd1a0b6
python2.3-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4096 2824761a0ee91eee5bd6b09046962f01
python2.4-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4096 101eff5703e7627f83e2548ba0c9f1cb

trac_0.8.1-3sarge5_all.deb
Size/MD5 checksum: 198722 243326446e719c452efdda55bd976159


These files will probably be moved into the stable distribution on
its next update.

-
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE5YYgW5ql+IAeqTIRAoYTAJ9gSb3/x841JW8r2BD+t70N+mIIgwCgmnLP
bn0JOQ+noKe90oOHXeiILFE=
=0yxZ
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Pro-Linux
Gewinnspiel
Neue Nachrichten
Werbung