UPDATE: trac 0.10.4 (security: MSIE XSS)

Mon, 21 May 2007 10:52:00 -0700 

Here's an update for www/trac, I've tested wiki+ticketing but not
repository (due to lack of cvs support of course ;-)

Apart from other things, it fixes an XSS vulnerability for MSIE users.

The db schema changed slightly, but the upgrade is simple; the first
access by http causes instructions to be displayed; basically just
'trac-admin /path/to/data upgrade' for each data directory.

The maintainer isn't in a position to test but didn't notice any
problems with this, and is happy for me to send it here. Any comments?
Please commit if OK.


Trac 0.10.4 is a bug fix release. The following list contains only a
few highlights:

    * Repository cache improvements. The new syncing scheme is
incompatible with the previous one and requires a database schema
upgrade in order to prevent the old and the new codebase to be mixed. A
repository resync is not needed, though. The 0.10.4 scheme is compatible
with the 0.11 one. (#3837, #4043 and #4586)
    * Fix a possible freeze under heavy load (#4465) 

Trac 0.10.3.1 is a security release:

    * Always send "Content-Disposition: attachment" headers where
potentially unsafe (user provided) content is available for download.
This behaviour can be altered using the "render_unsafe_content" option
in the "attachment" and "browser" sections of trac.ini.
    * Fixed XSS vulnerability in "download wiki page as text" in
combination with Microsoft IE. Reported by Yoshinori Oota, Business
Architects Inc. 

Trac 0.10.3 is a bug fix release. The following list contains only a few
highlights:

    * Timeline fail to load with a "NoSuchChangeset" error message
(#4132).
    * Timed out MySQL connections not handled properly (#3645).
    * Subversion repository resync broken. (#4204). 



Index: Makefile
===================================================================
RCS file: /cvs/ports/www/trac/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile    21 Nov 2006 04:05:18 -0000      1.8
+++ Makefile    16 May 2007 10:58:32 -0000
@@ -2,7 +2,7 @@
 
 COMMENT=       "enhanced wiki and bug tracking system for software projects"
 
-DISTNAME=      trac-0.10.2
+DISTNAME=      trac-0.10.4
 CATEGORIES=    www devel
 
 MAINTAINER=    Ben Lovett <[EMAIL PROTECTED]>
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/trac/distinfo,v
retrieving revision 1.6
diff -u -p -r1.6 distinfo
--- distinfo    5 Apr 2007 17:26:26 -0000       1.6
+++ distinfo    16 May 2007 10:58:55 -0000
@@ -1,5 +1,5 @@
-MD5 (trac-0.10.2.tar.gz) = GN87tslpkpfG9BpaGkSP+Q==
-RMD160 (trac-0.10.2.tar.gz) = x9rHuT2PBvo60i3jXJojAxVKICM=
-SHA1 (trac-0.10.2.tar.gz) = JR6mXW3OV9vnjvNr+0/VeeqiSiU=
-SHA256 (trac-0.10.2.tar.gz) = CShq0k/81PG90NDLU0IXcoBDZF1gWsZxGhkr68YiQIo=
-SIZE (trac-0.10.2.tar.gz) = 440277
+MD5 (trac-0.10.4.tar.gz) = UqOiGtn6r8O1nL64fVpp0g==
+RMD160 (trac-0.10.4.tar.gz) = nrhD6r9fmGs9CM0ggfAv6QM6vR4=
+SHA1 (trac-0.10.4.tar.gz) = K225ZmXLd1PQLeT391vu+aHZevw=
+SHA256 (trac-0.10.4.tar.gz) = AGHPEdbSWVBf9kJSxAuvU+hFCVQ361b5jTST+tlwEQA=
+SIZE (trac-0.10.4.tar.gz) = 449116
Index: patches/patch-setup_py
===================================================================
RCS file: /cvs/ports/www/trac/patches/patch-setup_py,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-setup_py
--- patches/patch-setup_py      21 Mar 2006 21:17:10 -0000      1.1.1.1
+++ patches/patch-setup_py      16 May 2007 10:59:08 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-setup_py,v 1.1.1.1 2006/03/21 21:17:10 msf Exp $
---- setup.py.orig      Mon Dec  5 10:23:47 2005
-+++ setup.py   Mon Dec  5 10:24:36 2005
-@@ -225,7 +225,7 @@ facilities.
+--- setup.py.orig      Fri Apr 20 14:41:52 2007
++++ setup.py   Wed May 16 11:59:03 2007
+@@ -230,7 +230,7 @@ facilities.
                    (_p('share/trac/htdocs'), glob(_p('htdocs/*.*')) + 
[_p('htdocs/README')]),
                    (_p('share/trac/htdocs/css'), glob(_p('htdocs/css/*'))),
                    (_p('share/trac/htdocs/js'), glob(_p('htdocs/js/*'))),
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/www/trac/pkg/PLIST,v
retrieving revision 1.3
diff -u -p -r1.3 PLIST
--- pkg/PLIST   10 Nov 2006 07:46:25 -0000      1.3
+++ pkg/PLIST   16 May 2007 10:59:21 -0000
@@ -70,7 +70,6 @@ lib/python${MODPY_VERSION}/site-packages
 lib/python${MODPY_VERSION}/site-packages/trac/scripts/admin.py
 lib/python${MODPY_VERSION}/site-packages/trac/scripts/admin.pyc
 lib/python${MODPY_VERSION}/site-packages/trac/siteconfig.py
-lib/python${MODPY_VERSION}/site-packages/trac/siteconfig.pyc
 lib/python${MODPY_VERSION}/site-packages/trac/test.py
 lib/python${MODPY_VERSION}/site-packages/trac/test.pyc
 lib/python${MODPY_VERSION}/site-packages/trac/ticket/
@@ -113,6 +112,8 @@ lib/python${MODPY_VERSION}/site-packages
 lib/python${MODPY_VERSION}/site-packages/trac/upgrades/db18.pyc
 lib/python${MODPY_VERSION}/site-packages/trac/upgrades/db19.py
 lib/python${MODPY_VERSION}/site-packages/trac/upgrades/db19.pyc
+lib/python${MODPY_VERSION}/site-packages/trac/upgrades/db20.py
+lib/python${MODPY_VERSION}/site-packages/trac/upgrades/db20.pyc
 lib/python${MODPY_VERSION}/site-packages/trac/upgrades/db3.py
 lib/python${MODPY_VERSION}/site-packages/trac/upgrades/db3.pyc
 lib/python${MODPY_VERSION}/site-packages/trac/upgrades/db4.py

Reply via email to