[SECURITY] [DSA 1152-1] New trac packages fix information disclosure

Debian Security Advisory DSA 1152-1 [email protected]
http://www.debian.org/security/ Martin Schulze
August 18th, 2006 http://www.debian.org/security/faq

Package : trac
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-3695

Felix Wiemann discovered that trac, an enhanced Wiki and issue
tracking system for software development projects, can be used to
disclose arbitrary local files. To fix this problem, python-docutils
needs to be updated as well.

For the stable distribution (sarge) this problem has been fixed in
version 0.8.1-3sarge5 of trac and version 0.3.7-2sarge1 of
python-docutils.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.6-1.

We recommend that you upgrade your trac and python-docutils packages.

Upgrade Instructions

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1.dsc
  Size/MD5 checksum:      777 34aa13e1031f1aa26b9dee81a589c5ea
http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1.diff.gz
  Size/MD5 checksum:    30438 52144273352f410be37bcedf90241a54
http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7.orig.tar.gz
  Size/MD5 checksum:   679649 e0713c07d766cec04b7a36047dac558c

http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5.dsc
  Size/MD5 checksum:      656 9294e113a8875efb049442aac4a0f378
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5.diff.gz
  Size/MD5 checksum:    13250 e00671c1f4203a5c93fba3f686a7dc1b
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1.orig.tar.gz
  Size/MD5 checksum:   236791 1b6c44fae90c760074762b73cdc88c8d

Architecture independent components:

http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1_all.deb
  Size/MD5 checksum:   614676 859beee07adfd84da242a5c47f1209fe
http://security.debian.org/pool/updates/main/p/python-docutils/python-roman_0.3.7-2sarge1_all.deb
  Size/MD5 checksum:     9942 3547f270109d5827073ba964f32863b8
http://security.debian.org/pool/updates/main/p/python-docutils/python2.1-difflib_0.3.7-2sarge1_all.deb
  Size/MD5 checksum:    21000 8e265bcf42aa1a01c694bacc62010692
http://security.debian.org/pool/updates/main/p/python-docutils/python2.1-textwrap_0.3.7-2sarge1_all.deb
  Size/MD5 checksum:     9616 0a2c510802b0f97fc0289e1b968e3da1
http://security.debian.org/pool/updates/main/p/python-docutils/python2.2-docutils_0.3.7-2sarge1_all.deb
  Size/MD5 checksum:     4120 2ffb02ad0c4f8640a85f61182cd2a4d5
http://security.debian.org/pool/updates/main/p/python-docutils/python2.2-textwrap_0.3.7-2sarge1_all.deb
  Size/MD5 checksum:     9614 d4f027f3eb69b465518ecc332fd1a0b6
http://security.debian.org/pool/updates/main/p/python-docutils/python2.3-docutils_0.3.7-2sarge1_all.deb
  Size/MD5 checksum:     4096 2824761a0ee91eee5bd6b09046962f01
http://security.debian.org/pool/updates/main/p/python-docutils/python2.4-docutils_0.3.7-2sarge1_all.deb
  Size/MD5 checksum:     4096 101eff5703e7627f83e2548ba0c9f1cb

http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5_all.deb
  Size/MD5 checksum:   198722 243326446e719c452efdda55bd976159

These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/&lt;pkg&gt;