Your message dated Sun, 03 Jun 2012 00:42:45 +0000
with message-id <e1sayu5-0004hb...@franck.debian.org>
and subject line Bug#667720: fixed in trac-mastertickets 3.0.2+20111224-2
has caused the Debian Bug report #667720,
regarding Dependency graph does not check ticket view permissions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
667720: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667720
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: trac-mastertickets
Severity: critical

The dependency graph view of a ticket does not do any permission checks. This is a security problem on private trac sites since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.

This has been reported upstream as well: both in the github issue tracker (see https://github.com/coderanger/trac-mastertickets/issues/4 ) and in the trac-hacks issue tracker (see https://trac-hacks.org/ticket/9944 ). I have also submitted this to Ubuntu since they carry the same package: https://bugs.launchpad.net/ubuntu/+source/trac-mastertickets/+bug/974909

Regards,
Wichert.



--- End Message ---
--- Begin Message ---
Source: trac-mastertickets
Source-Version: 3.0.2+20111224-2

We believe that the bug you reported is fixed in the latest version of
trac-mastertickets, which is due to be installed in the Debian FTP archive:

trac-mastertickets_3.0.2+20111224-2.debian.tar.gz
  to main/t/trac-mastertickets/trac-mastertickets_3.0.2+20111224-2.debian.tar.gz
trac-mastertickets_3.0.2+20111224-2.dsc
  to main/t/trac-mastertickets/trac-mastertickets_3.0.2+20111224-2.dsc
trac-mastertickets_3.0.2+20111224-2_all.deb
  to main/t/trac-mastertickets/trac-mastertickets_3.0.2+20111224-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 667...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
W. Martin Borgert <deba...@debian.org> (supplier of updated trac-mastertickets package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 02 Jun 2012 23:30:50 +0000
Source: trac-mastertickets
Binary: trac-mastertickets
Architecture: source all
Version: 3.0.2+20111224-2
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Changed-By: W. Martin Borgert <deba...@debian.org>
Description: 
 trac-mastertickets - adds inter-ticket dependencies to Trac
Closes: 667720
Changes: 
 trac-mastertickets (3.0.2+20111224-2) unstable; urgency=high
 .
   * added patch to check for permission when showing dependency
     graph (Closes: #667720).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/KrP4ACgkQ+xM0OFfj6IhyxwCffYZNKye7aRGyagPaioDYVNMZ
7ewAoJy2pTUf+XBQeDtA+f29j/BfgmaP
=YSPf
-----END PGP SIGNATURE-----



--- End Message ---
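
Added example (not code from trac-mastertickets and not the Debian patch): a small Python model of the leak described in the report and of a per-ticket permission check of the kind the changelog entry mentions. The ticket data, the ACL table and the names can_view, walk, graph_unchecked and graph_checked are all hypothetical.

```python
from collections import deque

# Constructed sample data: ticket id -> (summary, ids of tickets it blocks).
TICKETS = {
    1: ("Public roadmap item", [2, 3]),
    2: ("Embargoed security fix", [4]),
    3: ("Update documentation", []),
    4: ("Release 1.0", []),
}
# Constructed ACL: ticket ids each user may view.
VIEWABLE = {"anonymous": {1, 3, 4}, "developer": {1, 2, 3, 4}}


def can_view(user, ticket_id):
    """Hypothetical stand-in for a per-ticket view-permission check."""
    return ticket_id in VIEWABLE.get(user, set())


def walk(root, allowed):
    """Breadth-first walk over 'blocks' links, following only allowed targets."""
    nodes, edges, queue = {}, [], deque([root])
    while queue:
        tid = queue.popleft()
        if tid in nodes:
            continue
        summary, blocks = TICKETS[tid]
        nodes[tid] = summary
        for dst in blocks:
            if allowed(dst):  # a hidden ticket yields no node, no edge, no traversal
                edges.append((tid, dst))
                queue.append(dst)
    return nodes, edges


def graph_unchecked(root):
    """Behaviour described in the report: every linked ticket is drawn."""
    return walk(root, lambda tid: True)


def graph_checked(user, root):
    """Check the root, then prune tickets the user cannot view."""
    # Unknown and hidden ids fail the same way, so existence is not revealed.
    if not can_view(user, root):
        raise PermissionError("ticket view permission required")
    return walk(root, lambda tid: can_view(user, tid))
```

In this model ticket 4 is viewable by anonymous but is reached only through hidden ticket 2, so the checked graph omits it rather than expose the link between 2 and 4.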
