Date: Tue, 12 Feb 2013 17:13:53 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE request: Trac Ticket Modification Workflow
 Permission Restriction Bypass

On 02/11/2013 04:12 AM, Henri Salo wrote:
> Hello,
> 
> From Secunia: A security issue has been reported in Trac, which can
> be exploited by malicious users to bypass certain security
> restrictions. The security issue is caused due to the application
> not properly checking workflow permissions before modifying a
> ticket, which can be exploited to change the status and resolution
> of tickets without having proper permissions.
> 
> http://secunia.com/advisories/39123/ 
> http://osvdb.org/show/osvdb/63317
> 
> The security issue is reported in versions prior to 0.11.7. 
> http://trac.edgewall.org/wiki/ChangeLog#a0.11.7
> 
> Could you assign CVE-2010-XXXX, thank you. Please double verify
> this hasn't been assigned. I tried my best to avoid duplicates :)
> 
> -- Henri Salo

Please use CVE-2010-5108 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

