Trac needs security fixes

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

@Artur: the patch for karmic looks okay. Could you please describe the testing you've performed to make sure it works properly after patching?

I'm unsubscribing ubuntu-security-sponsors for now. Once you've described the testing you've performed, please subscribed ubuntu-security-sponsors again.

Tested OK.

ACK karmic

Uploaded Karmic to the security PPA.

This bug was fixed in the package trac - 0.11.5-2ubuntu1.1

---------------
trac (0.11.5-2ubuntu1.1) karmic-security; urgency=low

  * SECURITY UPDATE: Multiple unspecified vulnerabilities in Trac
    before 0.11.6 have unknown impact and attack vectors, possibly
    related to (1) "policy checks in report results when using alternate
    formats" or (2) a "check for the 'raw' role that is missing
    in docutils < 0.6." (LP: #394290)
    - debian/patches/21_CVE-2009-4405.dpatch
    - CVE-2009-4405
 -- Artur Rona <email address hidden> Sat, 24 Apr 2010 02:53:57 +0200

Artur,

I can't get the jaunty update to build. How did you get this to build on jaunty?

Oh, I've supose that I've built a correct dsc file. I've reworked and retested diff which is available on bzr branch.

Thanks for the jaunty update. The packages are being built now, and will be released today or tomorrow.

This bug was fixed in the package trac - 0.11.1-2.1ubuntu0.1

---------------
trac (0.11.1-2.1ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE (LP: #394290)
  * debian/patches/20_CVE-2009-4405.dpatch:
    - Multiple unspecified vulnerabilities in Trac before 0.11.6 have
      unknown impact and attack vectors, possibly related to (1) "policy
      checks in report results when using alternate formats" or (2)
      a "check for the 'raw' role that is missing in docutils < 0.6."
    - CVE-2009-4405
  * debian/rules:
    - Include /usr/share/python/python.mk
    - Pass $(py_setup_install_args) to setup.py
    - Use $(py_libdir_sh) for matching distutils installation paths
    - Fixes FTBFS
 -- Artur Rona <email address hidden> Wed, 19 May 2010 17:48:56 +0200

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against hardy is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.