[Pkg-trac-devel] trac issues

Steffen Joeris steffen.joeris at skolelinux.de
Sat Mar 28 05:41:50 UTC 2009


Hi Luis

> > I think these security advisories are only for the 0.11.x versions, and
> > not for the 0.10.x versions (from etch).
> >
> > the fix for the first SA was responsible for the second SA.
> >
> > If you compare html.py from 0.11.x[0] and 0.10.x[1], they are a lot
> > different and use a different rendering (as in html syntax render) engine
> > (0.11.x uses genshi).
>
> The first issue CVE-2008-5646[0] definitely seems to be unfixed. Have a
> look at this changeset[1] and then at trac/wiki/formatter.py in oldstable.
> Not sure how important it is though.
> For the second issue, one would need to check the HTMLSanitizer() function
> and compare it with the one that is used in stable (imported there as a
> module).
> My gut feeling at the moment is that the issues are not utterly important
> and could be fixed via oldstable-proposed-updates, if at all.
> What is your stand on that? Maybe you have more information available?
>
> Cheers
> Steffen
>
> [0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5646
>
> [1]: http://trac.edgewall.org/changeset/7657/branches/0.11-stable

Any update on this?

Cheers
Steffen