DSA 1152-1: New trac packages fix information disclosure
Posted on: 08/18/2006 03:42 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1152-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 18th, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : trac
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-3695

Felix Wiemann discovered that trac, an enhanced Wiki and issue
tracking system for software development projects, can be used to
disclose arbitrary local files. To fix this problem, python-docutils
needs to be updated as well.

For the stable distribution (sarge) this problem has been fixed in
version 0.8.1-3sarge5 of trac and version 0.3.7-2sarge1 of
python-docutils.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.6-1.

We recommend that you upgrade your trac and python-docutils packages.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1.dsc
Size/MD5 checksum: 777 34aa13e1031f1aa26b9dee81a589c5ea
http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1.diff.gz
Size/MD5 checksum: 30438 52144273352f410be37bcedf90241a54
http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7.orig.tar.gz
Size/MD5 checksum: 679649 e0713c07d766cec04b7a36047dac558c

http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5.dsc
Size/MD5 checksum: 656 9294e113a8875efb049442aac4a0f378
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5.diff.gz
Size/MD5 checksum: 13250 e00671c1f4203a5c93fba3f686a7dc1b
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1.orig.tar.gz
Size/MD5 checksum: 236791 1b6c44fae90c760074762b73cdc88c8d

Architecture independent components:

http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 614676 859beee07adfd84da242a5c47f1209fe
http://security.debian.org/pool/updates/main/p/python-docutils/python-roman_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9942 3547f270109d5827073ba964f32863b8
http://security.debian.org/pool/updates/main/p/python-docutils/python2.1-difflib_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 21000 8e265bcf42aa1a01c694bacc62010692
http://security.debian.org/pool/updates/main/p/python-docutils/python2.1-textwrap_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9616 0a2c510802b0f97fc0289e1b968e3da1
http://security.debian.org/pool/updates/main/p/python-docutils/python2.2-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4120 2ffb02ad0c4f8640a85f61182cd2a4d5
http://security.debian.org/pool/updates/main/p/python-docutils/python2.2-textwrap_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9614 d4f027f3eb69b465518ecc332fd1a0b6
http://security.debian.org/pool/updates/main/p/python-docutils/python2.3-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4096 2824761a0ee91eee5bd6b09046962f01
http://security.debian.org/pool/updates/main/p/python-docutils/python2.4-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4096 101eff5703e7627f83e2548ba0c9f1cb

http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5_all.deb
Size/MD5 checksum: 198722 243326446e719c452efdda55bd976159


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE5YYgW5ql+IAeqTIRAoYTAJ9gSb3/x841JW8r2BD+t70N+mIIgwCgmnLP
bn0JOQ+noKe90oOHXeiILFE=
=0yxZ
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1152_1_new_trac_packages_fix_information_disclosure.html)