Debian Local Security Checks : Debian Security Advisory DSA 951-1 (trac)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.56214

Category: Debian Local Security Checks

Title: Debian Security Advisory DSA 951-1 (trac)

Summary: The remote host is missing an update to trac announced via advisory DSA 951-1. Several vulnerabilities have been discovered in trac, an enhanced wiki and issue tracking system for software development projects. The Common Vulnerabilities and Exposures project identifie the following problems: CVE-2005-4065 Due to missing input sanitising it is possible to inject arbitrary SQL code into the SQL statements. CVE-2005-4644 A cross-site scripting vulnerability has been discovered that allows remote attackers to inject arbitrary web script or HTML. The old stable distribution (woody) does not contain trac packages.;; This VT has been deprecated and merged into the VT 'Debian: Security Advisory (DSA-951)' (OID: 1.3.6.1.4.1.25623.1.0.56215).

Description: Summary:
The remote host is missing an update to trac announced via advisory DSA 951-1. Several vulnerabilities have been discovered in trac, an enhanced wiki and issue tracking system for software development projects. The Common Vulnerabilities and Exposures project identifie the following problems: CVE-2005-4065 Due to missing input sanitising it is possible to inject arbitrary SQL code into the SQL statements. CVE-2005-4644 A cross-site scripting vulnerability has been discovered that allows remote attackers to inject arbitrary web script or HTML. The old stable distribution (woody) does not contain trac packages.

This VT has been deprecated and merged into the VT 'Debian: Security Advisory (DSA-951)' (OID: 1.3.6.1.4.1.25623.1.0.56215).

Solution:
For the stable distribution (sarge) these problems have been fixed in
version 0.8.1-3sarge3.

For the unstable distribution (sid) these problems have been fixed in
version 0.9.3-1.

We recommend that you upgrade your trac package.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2005-4065
BugTraq ID: 15720
http://www.securityfocus.com/bid/15720
Debian Security Information: DSA-951 (Google Search)
http://www.debian.org/security/2006/dsa-951
http://lists.edgewall.com/archive/trac/2005-December/005777.html
http://www.osvdb.org/21459
http://secunia.com/advisories/17894
http://secunia.com/advisories/18555
http://securityreason.com/securityalert/222
http://www.vupen.com/english/advisories/2005/2766
Common Vulnerability Exposure (CVE) ID: CVE-2005-4644
BugTraq ID: 16198
http://www.securityfocus.com/bid/16198
http://secunia.com/advisories/18465
http://www.vupen.com/english/advisories/2006/0226
XForce ISS Database: trac-html-xss(24183)
https://exchange.xforce.ibmcloud.com/vulnerabilities/24183

Copyright Copyright (C) 2008 E-Soft Inc.

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.56214
Category:	Debian Local Security Checks
Title:	Debian Security Advisory DSA 951-1 (trac)
Summary:	The remote host is missing an update to trac announced via advisory DSA 951-1. Several vulnerabilities have been discovered in trac, an enhanced wiki and issue tracking system for software development projects. The Common Vulnerabilities and Exposures project identifie the following problems: CVE-2005-4065 Due to missing input sanitising it is possible to inject arbitrary SQL code into the SQL statements. CVE-2005-4644 A cross-site scripting vulnerability has been discovered that allows remote attackers to inject arbitrary web script or HTML. The old stable distribution (woody) does not contain trac packages.;; This VT has been deprecated and merged into the VT 'Debian: Security Advisory (DSA-951)' (OID: 1.3.6.1.4.1.25623.1.0.56215).
Description:	Summary: The remote host is missing an update to trac announced via advisory DSA 951-1. Several vulnerabilities have been discovered in trac, an enhanced wiki and issue tracking system for software development projects. The Common Vulnerabilities and Exposures project identifie the following problems: CVE-2005-4065 Due to missing input sanitising it is possible to inject arbitrary SQL code into the SQL statements. CVE-2005-4644 A cross-site scripting vulnerability has been discovered that allows remote attackers to inject arbitrary web script or HTML. The old stable distribution (woody) does not contain trac packages. This VT has been deprecated and merged into the VT 'Debian: Security Advisory (DSA-951)' (OID: 1.3.6.1.4.1.25623.1.0.56215). Solution: For the stable distribution (sarge) these problems have been fixed in version 0.8.1-3sarge3. For the unstable distribution (sid) these problems have been fixed in version 0.9.3-1. We recommend that you upgrade your trac package. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2005-4065 BugTraq ID: 15720 http://www.securityfocus.com/bid/15720 Debian Security Information: DSA-951 (Google Search) http://www.debian.org/security/2006/dsa-951 http://lists.edgewall.com/archive/trac/2005-December/005777.html http://www.osvdb.org/21459 http://secunia.com/advisories/17894 http://secunia.com/advisories/18555 http://securityreason.com/securityalert/222 http://www.vupen.com/english/advisories/2005/2766 Common Vulnerability Exposure (CVE) ID: CVE-2005-4644 BugTraq ID: 16198 http://www.securityfocus.com/bid/16198 http://secunia.com/advisories/18465 http://www.vupen.com/english/advisories/2006/0226 XForce ISS Database: trac-html-xss(24183) https://exchange.xforce.ibmcloud.com/vulnerabilities/24183
Copyright	Copyright (C) 2008 E-Soft Inc.