Subject: pkg/32320: www/trac 0.9 has two SQL injection vulnerabilities, should update.
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <obata@lins.jp>
List: pkgsrc-bugs
Date: 12/17/2005 03:10:00
>Number:         32320
>Category:       pkg
>Synopsis:       www/trac 0.9 has two SQL injection vulnerabilities, should update.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 17 03:10:00 +0000 2005
>Originator:     OBATA Akio
>Release:        NetBSD 2.1.0_STABLE
>Organization:
	LINS, Japan.
>Environment:
System: NetBSD miki.lins.jp 2.1.0_STABLE NetBSD 2.1.0_STABLE (MIKI) #5: Thu Nov 3 11:46:27 JST 2005 obata@miki.lins.jp:/usr/src/sys/arch/i386/compile/MIKI i386
Architecture: i386
Machine: i386
>Description:
	Trac 0.9 has two SQL injection vulnerabilities.

	Here is a ChangeLog from 0.9 to 0.9.2

	======================================================================
	Trac 0.9.2  (Dec 5, 2005)
	http://svn.edgewall.com/repos/trac/tags/trac-0.9.2

	 * Fixed SQL injection vulnerability in ticket search module.
	 * Fixed broken ticket email notifications.

	Trac 0.9.1  (Dec 1, 2005)
	http://svn.edgewall.com/repos/trac/tags/trac-0.9.1

	 * Fixed SQL injection vulnerability in ticket query module.
	 * Fixed bugs: #1633, #2167, #2283, #2284, #2285, #2291, #2292, #2300,
	   #2318, #2329, #2366, #2369, #2373, #2383, #2416, #2457
	======================================================================

	Also, the HTTP master site is down now, so the download failed.
	The FTP master site is available.

>How-To-Repeat:
	N/A
>Fix:
	Here is a patch to update from 0.9 to 0.9.2 and add the FTP master site.

Index: www/trac/Makefile
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/trac/Makefile,v
retrieving revision 1.13
diff -u -r1.13 Makefile
--- www/trac/Makefile	3 Nov 2005 23:04:29 -0000	1.13
+++ www/trac/Makefile	17 Dec 2005 02:42:17 -0000
@@ -1,9 +1,10 @@
 # $NetBSD: Makefile,v 1.13 2005/11/03 23:04:29 epg Exp $
 #
 
-DISTNAME=	trac-0.9
+DISTNAME=	trac-0.9.2
 CATEGORIES=	devel www
-MASTER_SITES=	http://ftp.edgewall.com/pub/trac/
+MASTER_SITES=	http://ftp.edgewall.com/pub/trac/ \
+		ftp://ftp.edgewall.com/pub/trac/
 
 MAINTAINER=	epg@NetBSD.org
 HOMEPAGE=	http://www.edgewall.com/products/trac/
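Review bot: both MASTER_SITES entries in this hunk are plaintext transports (http:// and the added ftp://), so the fetch is unauthenticated on either path and the distinfo checksums are the only integrity control for trac-0.9.2.tar.gz. Those checksums should be confirmed against a copy obtained independently of the one used to generate them. The report states the HTTP site is currently down, so consider listing the ftp:// entry first until it returns. Because DISTNAME moves to a release whose ChangeLog lists two SQL injection fixes, the commit log should state that this is a security update.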
Index: www/trac/distinfo
===================================================================
RCS file: /home/cvsroot/NetBSD/pkgsrc/www/trac/distinfo,v
retrieving revision 1.11
diff -u -r1.11 distinfo
--- www/trac/distinfo	3 Nov 2005 23:04:29 -0000	1.11
+++ www/trac/distinfo	17 Dec 2005 02:42:57 -0000
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.11 2005/11/03 23:04:29 epg Exp $
 
-SHA1 (trac-0.9.tar.gz) = 61ee8db9d3aba7dd1e63ac4c4c852cf62d013323
-RMD160 (trac-0.9.tar.gz) = 44932caa9d68738b768b2b1de58364fb572eb270
-Size (trac-0.9.tar.gz) = 333250 bytes
+SHA1 (trac-0.9.2.tar.gz) = 31d0c4cbc1df9531ecc8ae6ed1698b8e7b9849c4
+RMD160 (trac-0.9.2.tar.gz) = b2bc5407fa53ad44c9f6bc5d33315b0aff0e41ff
+Size (trac-0.9.2.tar.gz) = 332266 bytes
 SHA1 (patch-aa) = 5d8c1c3e5416e73d6cc24a5a45d4ec7afdc4a095
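Review bot: the context line SHA1 (patch-aa) is unchanged while the distfile SHA1, RMD160 and Size all change, so patch-aa needs to be checked against the 0.9.2 sources: confirm that it still applies cleanly and is still required. The report says the HTTP download failed, which implies the new digests were computed from the FTP copy alone; compare them with a second copy or an upstream-published digest before committing.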

>Unformatted:
 		pkgsrc-current 2005-12-16