Hi all,
We have been using and appreciating Trac 0.11.5 for a few years now.
Our project is hosted at a large university. The Powers That Be on our
network run an automated 3rd party vulnerability scanner, and our Trac
instance gets a red flag because it fails to use the HttpOnly flag
when setting cookies.

A patch for HttpOnly was offered in ticket 10453
<http://trac.edgewall.org/ticket/10453>, but the patch has not yet been
integrated. The ticket has a milestone of Trac 0.13. I'm aware that
0.13dev exists, but there is no officially stable 0.13. I scanned trac-dev
and didn't see any conversation about an imminent 0.13 release.

We would like to get the Powers that Be off our backs. Right now, it
seems like our options are --
1) Install & monkey patch Trac 0.12.3
2) Follow these somewhat intimidating instructions to get Apache to
automatically add the HttpOnly flag to all cookie settings:
http://blog.modsecurity.org/2008/12/helping-protect-cookies-with-httponly-flag.html

Obviously an upgrade to Trac 0.13 stable is our favorite solution, but
the less elegant solutions have the advantage of being available right
now.

Does anyone have a sense of when Trac 0.13 (with the 10453 patch
applied) might be out? That will help us to decide whether to wait or
act.

Thanks
Philip
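As an added illustration of option 1 (it is not code from the post above, nor from Trac or the 10453 patch): Trac runs as a WSGI application under tracd or mod_wsgi, so instead of patching Trac internals, the HttpOnly attribute can be appended to every outgoing Set-Cookie header by a small WSGI wrapper. The `_demo_app` below is a constructed stand-in for the real application, and the cookie names and values in it are sample data; `HttpOnlyCookieMiddleware`, `harden_cookie` and `missing_httponly` are names chosen here, not Trac API.

```python
"""WSGI middleware that adds HttpOnly (and optionally Secure) to every
Set-Cookie header the wrapped application emits, plus an audit helper that
reports cookies still lacking HttpOnly (what the vulnerability scanner checks).
"""
from wsgiref.util import setup_testing_defaults


def harden_cookie(value, secure=False):
    """Return the Set-Cookie value with HttpOnly (and Secure) appended if absent.

    Cookie attribute names are compared case-insensitively, as browsers do,
    so an existing 'httponly' is not duplicated.
    """
    attrs = [part.strip().lower() for part in value.split(';')]
    if 'httponly' not in attrs:
        value = value + '; HttpOnly'
    if secure and 'secure' not in attrs:
        value = value + '; Secure'
    return value


class HttpOnlyCookieMiddleware(object):
    """Wraps any WSGI app and rewrites its Set-Cookie headers on the way out."""

    def __init__(self, app, secure=False):
        self.app = app
        self.secure = secure

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            new_headers = []
            for name, val in headers:
                if name.lower() == 'set-cookie':
                    val = harden_cookie(val, self.secure)
                new_headers.append((name, val))
            return start_response(status, new_headers, exc_info)
        return self.app(environ, patched_start_response)


def _demo_app(environ, start_response):
    # Constructed stand-in for the wrapped application: one cookie is set
    # without HttpOnly (the case the scanner flags), one already has it.
    start_response('200 OK', [
        ('Content-Type', 'text/plain'),
        ('Set-Cookie', 'trac_session=abc123; Path=/trac'),
        ('Set-Cookie', 'trac_form_token=xyz; Path=/trac; HttpOnly'),
    ])
    return [b'hello']


def run_demo(secure=False):
    """Call the wrapped demo app once and return the headers it sent."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = headers

    environ = {}
    setup_testing_defaults(environ)
    app = HttpOnlyCookieMiddleware(_demo_app, secure=secure)
    b''.join(app(environ, start_response))
    return captured['headers']


def missing_httponly(headers):
    """Audit helper: return the Set-Cookie values that still lack HttpOnly."""
    return [val for name, val in headers
            if name.lower() == 'set-cookie'
            and 'httponly' not in [p.strip().lower() for p in val.split(';')]]


if __name__ == '__main__':
    for name, val in run_demo():
        print('%s: %s' % (name, val))
    print('cookies without HttpOnly:', missing_httponly(run_demo()))
```

Under mod_wsgi the wrapper goes around the `application` object in the .wsgi script (`application = HttpOnlyCookieMiddleware(application)`); pass `secure=True` only when the site is served exclusively over HTTPS, since a Secure cookie is never sent over plain HTTP. The `missing_httponly` check is the same test the scanner performs and can be run against any captured response headers to confirm the fix before the next scan.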

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.