Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0593 -- [Win][UNIX/Linux][Debian]
New trac packages fix information disclosure
21 August 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: trac
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Read-only Data Access
Access: Remote/Unauthenticated
CVE Names: CVE-2006-3695
Original Bulletin: http://www.debian.org/security/2006/dsa-1152
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running Trac check for an updated version of the software for
their operating system at:
http://trac.edgewall.org/
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1152-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 18th, 2006 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : trac
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-3695
Felix Wiemann discovered that trac, an enhanced Wiki and issue
tracking system for software development projects, can be used to
disclose arbitrary local files. To fix this problem, python-docutils
needs to be updated as well.
For the stable distribution (sarge) this problem has been fixed in
version 0.8.1-3sarge5 of trac and version 0.3.7-2sarge1 of
python-docutils.
For the unstable distribution (sid) this problem has been fixed in
version 0.9.6-1.
We recommend that you upgrade your trac and python-docutils packages.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1.dsc
Size/MD5 checksum: 777 34aa13e1031f1aa26b9dee81a589c5ea
http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1.diff.gz
Size/MD5 checksum: 30438 52144273352f410be37bcedf90241a54
http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7.orig.tar.gz
Size/MD5 checksum: 679649 e0713c07d766cec04b7a36047dac558c
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5.dsc
Size/MD5 checksum: 656 9294e113a8875efb049442aac4a0f378
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5.diff.gz
Size/MD5 checksum: 13250 e00671c1f4203a5c93fba3f686a7dc1b
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1.orig.tar.gz
Size/MD5 checksum: 236791 1b6c44fae90c760074762b73cdc88c8d
Architecture independent components:
http://security.debian.org/pool/updates/main/p/python-docutils/python-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 614676 859beee07adfd84da242a5c47f1209fe
http://security.debian.org/pool/updates/main/p/python-docutils/python-roman_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9942 3547f270109d5827073ba964f32863b8
http://security.debian.org/pool/updates/main/p/python-docutils/python2.1-difflib_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 21000 8e265bcf42aa1a01c694bacc62010692
http://security.debian.org/pool/updates/main/p/python-docutils/python2.1-textwrap_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9616 0a2c510802b0f97fc0289e1b968e3da1
http://security.debian.org/pool/updates/main/p/python-docutils/python2.2-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4120 2ffb02ad0c4f8640a85f61182cd2a4d5
http://security.debian.org/pool/updates/main/p/python-docutils/python2.2-textwrap_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 9614 d4f027f3eb69b465518ecc332fd1a0b6
http://security.debian.org/pool/updates/main/p/python-docutils/python2.3-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4096 2824761a0ee91eee5bd6b09046962f01
http://security.debian.org/pool/updates/main/p/python-docutils/python2.4-docutils_0.3.7-2sarge1_all.deb
Size/MD5 checksum: 4096 101eff5703e7627f83e2548ba0c9f1cb
http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge5_all.deb
Size/MD5 checksum: 198722 243326446e719c452efdda55bd976159
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFE5YYgW5ql+IAeqTIRAoYTAJ9gSb3/x841JW8r2BD+t70N+mIIgwCgmnLP
bn0JOQ+noKe90oOHXeiILFE=
=0yxZ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBROlAtCh9+71yA2DNAQINVQP/Z4kdHoIW1864IYAx14fSn4yob7LpioVH
xwGxZ+8FMhzaISFT/T2o3gwGSfpM6IaPRHZpgeY3mmFSUvXYF2cs9fBVd4bhBJ1s
FpD5EXHHEDQ5WAzlzgAPkwLrQXxuAw5NoGOZe1lJgGXyf8OsNr00+yMmCSmRVGDN
IzbqRXuxeO4=
=itMc
-----END PGP SIGNATURE-----