[Pkg-trac-devel] trac issues
Steffen Joeris
steffen.joeris at skolelinux.de
Fri Mar 6 13:10:18 UTC 2009
Hi Luis
Sorry for the delay.
On Tue, 24 Feb 2009 08:27:43 am Luis Matos wrote:
> I think these security advisories are only for the 0.11.x versions, and
> not for the 0.10.x versions (from etch).
>
> the fix for the first SA was responsible for the second SA.
>
> if you compare html.py from 0.11.x[0] and 0.10.x[1], they are a lot
> different and use a different rendering (as in html syntax render) engine
> (0.11.x uses genshi).
The first issue CVE-2008-5646[0] definitely seems to be unfixed. Have a look
at this changeset[1] and then at trac/wiki/formatter.py in oldstable. Not
sure how important it is though.
For the second issue, one would need to check the HTMLSanitizer() function and
compare it with the one which is used in stable (imported there as a
module).
My gut feeling at the moment is that the issues are not utterly important and
could be fixed via oldstable-proposed-updates, if at all.
What is your stand on that? Maybe you have more information available?
Cheers
Steffen
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5646
[1]: http://trac.edgewall.org/changeset/7657/branches/0.11-stable