Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities

Bug #5297 reported by chastell
Affects         Status        Importance  Assigned to  Milestone
Ubuntu          Invalid       Medium      Unassigned
trac (Ubuntu)   Fix Released  High        MOTU
Hoary           Invalid       Medium      Unassigned
Breezy          Invalid       Medium      Unassigned

Bug Description

Debian’s trac changelog:

trac (0.9.3-1) unstable; urgency=high

  * New upstream release.
  * Security update (thus urgency high), fixing:
    - Fixed XSS vulnerabilities.
  * Also, fixes:
    - Timeline RSS feed validity issue resolved.
    - "trac-admin initenv" now handles empty repositories.
    - Textile unicode support.

trac (0.9.2-1) unstable; urgency=high

  * New upstream release.
  * Security update (urgency high), fixing:
    - an SQL injection vulnerability in the search module.
    - broken email ticket notifications.

trac (0.9.1-1) unstable; urgency=HIGH

  * New upstream release
    - Fix a SQL injection security bug.

Changed in trac:
assignee: nobody → motu
Revision history for this message
chastell (chastell) wrote : Trac 0.9.2 to fix a security hole

Trac 0.9.2 fixes another SQL injection and has just been packaged in Debian.

description: updated
Revision history for this message
chastell (chastell) wrote : trac 0.9.2-1ubuntu1 in Dapper

For those who would like to secure their Hoary/Breezy installs before the patches are properly backported: trac 0.9.2-1ubuntu1 made it into Dapper, so it should be possible to either `dpkg -i` the Dapper’s deb or rebuild it.

Revision history for this message
chastell (chastell) wrote : Trac 0.9.3 to fix XSS vulnerabilities

Trac 0.9.3 fixes XSS vulnerabilities and has just been packaged in Debian.

description: updated
Revision history for this message
chastell (chastell) wrote : trac 0.9.3-1ubuntu1 in Dapper

trac 0.9.3-1ubuntu1 reached Dapper and rebuilds cleanly in Breezy (most probably it’s also possible to simply `dpkg -i` the Dapper’s .deb).

Revision history for this message
Dennis Kaarsemaker (dennis) wrote :

Hoary uses neither 0.9.1 nor 0.9.2

Changed in trac:
status: Unconfirmed → Fix Released
status: Unconfirmed → Rejected
Revision history for this message
Dennis Kaarsemaker (dennis) wrote :

Breezy uses neither 0.9.1 nor 0.9.2

Changed in trac:
status: Unconfirmed → Rejected
Revision history for this message
chastell (chastell) wrote : Trac 0.9.1-5 to fix security holes

> Breezy uses neither 0.9.1 nor 0.9.2

So what?! All of the new trac versions (0.9.1, 0.9.2, 0.9.3, 0.9.4 and now 0.9.5) fix security bugs that are present in the Hoary, Breezy and Dapper versions of Trac, so these versions should be patched. Currently there’s no secure Ubuntu Trac package in any of the releases.

Revision history for this message
Dennis Kaarsemaker (dennis) wrote : Re: [Bug 5297] Trac 0.9.1-5 to fix security holes

Then I must have misread your report, it read like "0.9.1 and 0.9.2 are
vulnerable, please upgrade to 0.9.3"

Revision history for this message
chastell (chastell) wrote :

Ah. The gist of the report should be ‘Tracs up to 0.9.5 fix security holes, so please backport the fixes to Hoary and Breezy, and either backport the fixes to Dapper or – IMHO, better – make a freeze exception for Trac 0.9.5’. :)

Revision history for this message
Dennis Kaarsemaker (dennis) wrote : Re: [Bug 5297] Re: Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities

Can you please provide the info requested on
http://wiki.ubuntu.com/MOTU/UVFStatus?

 subscribe <email address hidden>

Martin, so you think we should backport the fixes or simply update the
package in hoary and breezy?

Revision history for this message
Wouter Hanegraaff (wouter-blub) wrote : Re: [Bug 5297] Re: [Bug 5297] Re: Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities

One of the things to keep in mind, is that currently the packages in
hoary and breezy use a 0.8.x version. When upgrading to a 0.9 series,
the database schema has to be converted. For my own use, I backported a
0.9.x package to hoary some time ago, and after the upgrade I had to
manually convert the database schema for each project. This didn't cause
any further problems, but it makes the upgrade a bit more complicated
than one would expect when installing a security update. However,
backporting all security fixes is probably a lot of work for a
relatively small group of users.

Possibly, the database schema upgrade could be handled by the postinst
script, but that doesn't change the fact that the upgrade from 0.8.x to
0.9.x is an upgrade to a new upstream version and not just a security fix.

Maybe the latest 0.9.x version should be backported and placed in
-updates, since this would provide users with an upgrade path to a
secure version. That leaves the default versions in hoary and breezy
vulnerable, though.

Wouter

Revision history for this message
Martin Pitt (pitti) wrote :

Due to the data format incompatibility, putting the new version to -security or -updates doesn't sound very wise. The fixes should be ported to 0.8.x instead. However, I think it is a good idea to create a breezy-backport of trac, so that people who really need it can use it, but people who aren't aware of the data format change are not endangered to break their setups.

Putting 0.9.5 into dapper sounds sane, btw.

Revision history for this message
Dennis Kaarsemaker (dennis) wrote : Re: [Bug 5297] Re: Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities

Shot: is there a debian package for 0.9.5 already?

Revision history for this message
chastell (chastell) wrote :

> Shot: is there a debian package for 0.9.5 already?

Yeah, 0.9.5-1 is at http://packages.debian.org/unstable/source/trac

Revision history for this message
Dennis Kaarsemaker (dennis) wrote :

So for Dapper we could just sync it - could you please provide the
information requested on http://wiki.ubuntu.com/MOTU/UVFStatus

Revision history for this message
chastell (chastell) wrote :

‘Please note that we expect requesters to have an updated package already prepared and tested! You will need this anyway to provide proper diffstats and buildlogs.’

I’m sorry (I really am!), but I won’t be able to put my hands on a Dapper box, nor a clean Breezy chroot anytime soon. :|

(Also, just an obvious reminder to anyone who would like to file a UVF exception: trac is an *ubuntu*-versioned package, so the Ubuntu-specific changes should be merged into Debian’s trac 0.9.5-1.)

Revision history for this message
Dennis Kaarsemaker (dennis) wrote :

> I’m sorry (I really am!), but I won’t be able to put my hands on a
> Dapper box, nor a clean Breezy chroot anytime soon. :|

NP, I'll have a look at it soon-ish. It would help if you poke me with a
large virtual stick if you don't hear from me about this in a week or
so.

Revision history for this message
chastell (chastell) wrote : Re: [Bug 5297] Re: [Bug 5297] Re: Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities

> NP, I'll have a look at it soon-ish. It would help if you poke me with
> a large virtual stick if you don't hear from me about this in a week
> or so.

No problemo, sure, and thanks a lot!

-- Shot
--
I have discovered a truly remarkable solution to Fermat's
Last Theorem which this signature is too small to contain.

Changed in trac:
status: Fix Released → Confirmed
Revision history for this message
chastell (chastell) wrote :

DSA-1152-1 reports another vulnerability, this time fixed in Trac 0.9.6: http://www.debian.org/security/2006/dsa-1152

Revision history for this message
Marc (m4rccd) wrote :

When will there be a package uploaded to fix the security issues present in Dapper's trac?

Revision history for this message
Martin Pitt (pitti) wrote :

Marc: it's a universe package, thus there are no assertions about updates at all.

Revision history for this message
Dennis Kaarsemaker (dennis) wrote : Re: [Bug 5297] Re: Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities

(Note: I'm not going to do this, I've tried but it takes too much time
for me)

Revision history for this message
Reinhard Tartler (siretart) wrote :

edgy ships with 0.9.6, closing old bug

Changed in trac:
status: Confirmed → Fix Released