Debian Security Advisory
DSA-739-1 trac -- missing input sanitising
- Date Reported:
- 06 Jul 2005
- Affected Packages:
- trac
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 13990.
In Mitre's CVE dictionary: CVE-2005-2147. - More information:
-
Stefan Esser discovered an input validation flaw within Trac, a wiki and issue tracking system, that allows download/upload of files and therefore can lead to remote code execution in some configurations.
The old stable distribution (woody) does not contain the trac package.
For the stable distribution (sarge) this problem has been fixed in version 0.8.1-3sarge2.
For the unstable distribution (sid) this problem has been fixed in version 0.8.4-1.
We recommend that you upgrade your trac package.
- Fixed in:
-
Debian GNU/Linux 3.1 (sarge)
- Source:
- http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge2.dsc
- http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge2.diff.gz
- http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1.orig.tar.gz
- http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge2.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge2_all.deb
MD5 checksums of the listed files are available in the original advisory.