[Secure-testing-commits] r4627 - data/CVE
Sean Finney
seanius at costa.debian.org
Thu Aug 24 19:17:28 UTC 2006
Author: seanius
Date: 2006-08-24 19:17:26 +0000 (Thu, 24 Aug 2006)
New Revision: 4627
Modified:
data/CVE/list
Log:
notes on CVE-2005-4305/trac
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2006-08-24 16:15:18 UTC (rev 4626)
+++ data/CVE/list 2006-08-24 19:17:26 UTC (rev 4627)
@@ -10831,6 +10831,13 @@
NOT-FOR-US: SiteNet BBS
CVE-2005-4305 (Cross-site scripting (XSS) vulnerability in Edgewall Trac 0.9, 0.9.1, ...)
- trac 0.9.3-1 (bug #344006)
+ [sarge] - trac <unfixed> (medium)
+ NOTE: upstream bts at http://trac.edgewall.org/ticket/2473 claims this is
+ NOTE: fixed in http://trac.edgewall.org/changeset/2724 but it's a fairly
+ NOTE: invasive set of patches to backport. basically most instances
+ NOTE: of input being escape()'d are no longer done so, and instead a
+ NOTE: Markup() function replaces them, and special checks are done
+ NOTE: on rendered HTML output to prevent XSS code from being displayed.
CVE-2005-4304 (index.php in ezDatabase 2.1.2 and earlier allows remote attackers to ...)
NOT-FOR-US: ezDatabase
CVE-2005-4303 (SQL injection vulnerability in index.php for ezDatabase 2.1.2 and ...)
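Review bot: the NOTE block on the sarge entry is easy to misread: "most instances of input being escape()'d are no longer done so" sounds, on its own, like upstream removed escaping, whereas the following lines say escaping moved into a Markup() function plus checks on the rendered HTML output. Consider rewording to something like "NOTE: upstream moved escaping from per-call escape() into Markup() and added output checks" so nobody concludes that dropping escape() calls is an acceptable sarge fix. Also, since the entry stays "trac <unfixed> (medium)" with only the backport difficulty recorded, it would help to note whether a narrower fix limited to the XSS sites covered by ticket 2473 was assessed, or what decision on a sarge update is pending.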