Debian Bug report logs - #348791
trac: XSS vulnerability in WikiProcessor


Package: trac; Maintainer for trac is Python Applications Packaging Team <>; Source for trac is src:trac.

Reported by: Geoff Crompton <>

Date: Thu, 19 Jan 2006 00:18:39 UTC

Severity: normal

Found in version trac/0.8.1-3sarge2

Fixed in version trac/0.8.1-3sarge3

Done: Otavio Salvador <>

Bug is archived. No further changes may be made.


Report forwarded to, Jesus Climent <>:
Bug#348791; Package trac.

Acknowledgement sent to Geoff Crompton <>:
New Bug report received and forwarded. Copy sent to Jesus Climent <>.

Message #5 received at:

From: Geoff Crompton <>
To: Debian Bug Tracking System <>
Subject: trac: XSS vulnerability in WikiProcessor
Date: Thu, 19 Jan 2006 10:57:35 +1100
Package: trac
Version: 0.8.1-3sarge2
Severity: normal

discusses an XSS vulnerability in trac.
It's fixed in 0.9.3, and is discussed in more detail at

I've tested this against my sarge version 0.8.1-3sarge2 and an IE browser, and
it is vulnerable.
Unfortunately securityfocus don't have a CVE number up for this yet.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages trac depends on:
ii  python                        2.3.5-2    An interactive high-level object-o
ii  python-clearsilver            0.9.13-3.2 python bindings for clearsilver
ii  python-sqlite                 1.0.1-2    python interface to SQLite
ii  python2.3-subversion          1.1.4-2    python modules for interfacing wit
ii  subversion                    1.1.4-2    advanced version control system (a

-- no debconf information

Reply sent to Otavio Salvador <>:
You have taken responsibility.

Notification sent to Geoff Crompton <>:
Bug acknowledged by developer.

Message #10 received at:

From: Otavio Salvador <>
Subject: Bug#348791: fixed in trac 0.8.1-3sarge3
Date: Mon, 23 Jan 2006 01:17:06 -0800
Source: trac
Source-Version: 0.8.1-3sarge3

We believe that the bug you reported is fixed in the latest version of
trac, which is due to be installed in the Debian FTP archive:

  to pool/main/t/trac/trac_0.8.1-3sarge3.diff.gz
  to pool/main/t/trac/trac_0.8.1-3sarge3.dsc
  to pool/main/t/trac/trac_0.8.1-3sarge3_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Otavio Salvador <> (supplier of updated trac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.7
Date: Wed, 18 Jan 2006 23:38:36 -0200
Source: trac
Binary: trac
Architecture: source all
Version: 0.8.1-3sarge3
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <>
Changed-By: Otavio Salvador <>
 trac       - Enhanced wiki and issue tracking system for software development 
Closes: 348791
 trac (0.8.1-3sarge3) stable-security; urgency=high
   * debian/patches/10_securityfixes.diff (Closes: #348791):
     Fix CVE-2005-4065 and CVE-2005-4644 vulnerabilities.
 cb4d61028dc622d02d3b8c0ff858416e 656 web optional trac_0.8.1-3sarge3.dsc
 6dfb5852433afe58057848058005497e 12672 web optional trac_0.8.1-3sarge3.diff.gz
 c8953db99c9532a6971163c91facedbc 198526 web optional trac_0.8.1-3sarge3_all.deb



Bug archived. Request was from Debbugs Internal Request <> to (Wed, 27 Jun 2007 02:53:27 GMT)


Debian bug tracking system administrator <>. Last modified: Thu Apr 24 07:29:19 2014