Package: trac-mastertickets
Severity: critical

The dependency graph view of a ticket does not do any permission checks. This is a security problem on private Trac sites since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.

This has been reported upstream as well: both in the GitHub issue tracker (see https://github.com/coderanger/trac-mastertickets/issues/4 ) and in the trac-hacks issue tracker (see https://trac-hacks.org/ticket/9944 ). I have also submitted this to Ubuntu since they carry the same package: https://bugs.launchpad.net/ubuntu/+source/trac-mastertickets/+bug/974909

Regards,
Wichert.
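
The gap described in this report, modelled as an added example (not code from trac-mastertickets or from the report's author): a dependency-graph builder without and with per-ticket view checks. The ticket store, the `can_view` policy and the user names are hypothetical stand-ins for Trac's permission system.

```python
# Added illustration; not trac-mastertickets code. All names are hypothetical.
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    pass

@dataclass
class Ticket:
    id: int
    summary: str
    blocked_by: list = field(default_factory=list)
    private: bool = False

# Constructed sample data: a public ticket blocked by a private one.
TICKETS = {
    1: Ticket(1, "Public roadmap item", blocked_by=[2, 3]),
    2: Ticket(2, "Rotate leaked deploy key", private=True),
    3: Ticket(3, "Update docs"),
}

def can_view(user, ticket):
    """Stand-in for the site's per-ticket view permission policy."""
    return not ticket.private or user == "staff"

def _walk(root_id, visible):
    """Collect (nodes, edges) reachable from root_id through visible tickets."""
    nodes, edges, todo = {}, [], [root_id]
    while todo:
        t = TICKETS[todo.pop()]
        if t.id in nodes:
            continue
        nodes[t.id] = t.summary
        for dep_id in t.blocked_by:
            if visible(TICKETS[dep_id]):
                edges.append((t.id, dep_id))
                todo.append(dep_id)
    return nodes, edges

def graph_unchecked(root_id):
    """Behaviour described in the report: no permission check at all."""
    return _walk(root_id, lambda t: True)

def graph_checked(user, root_id):
    """Check the root, then drop every node and edge the user may not view."""
    root = TICKETS.get(root_id)
    # Same error for "missing" and "hidden", so existence is not revealed.
    if root is None or not can_view(user, root):
        raise PermissionDenied(f"ticket {root_id}")
    return _walk(root_id, lambda t: can_view(user, t))
```

The check has to apply to every node in the graph, not only the ticket named in the request, because a viewable ticket can depend on a private one.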


