[moin] [DSA-1514-1] multiple vulnerabilities
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
moin (Ubuntu) | Invalid | Undecided | Unassigned | |
Dapper | Fix Released | Undecided | Jamie Strandboge | |
Gutsy | Fix Released | Undecided | Jamie Strandboge | |
Hardy | Fix Released | Undecided | Unassigned | |
Intrepid | Invalid | Undecided | Unassigned | |
Jaunty | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: moin
References:
DSA-1514-1 (http://
Quoting:
"Several remote vulnerabilities have been discovered in MoinMoin, a
Python clone of WikiWiki. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2007-2423
A cross-site-
attachment handling.
CVE-2007-2637
Access control lists for calendars and includes were
insufficiently enforced, which could lead to information
disclosure.
CVE-2008-0780
A cross-site-
the login code.
CVE-2008-0781
A cross-site-
attachment handling.
CVE-2008-0782
A directory traversal vulnerability in cookie handling could
lead to local denial of service by overwriting files.
CVE-2008-1098
Cross-
the GUI editor formatter and the code to delete pages.
CVE-2008-1099
The macro code validates access control lists insufficiently,
which could lead to information disclosure."
Changed in moin:
status: New → Confirmed
Changed in moin:
status: Confirmed → Fix Committed
assignee: nobody → jdstrand
I have not been able to independently confirm whether these bugs are fixed in the current moin package on hardy, but according to changelog.Debian.gz, the following CVEs listed above have been fixed in 1.5.8-5.1ubuntu2: 2008-0780 2008-0781 2008-0782. The other CVEs and the DSA aren't explicitly mentioned in the changelog.
It is frustrating as a mere user of moinmoin to be unsure whether these vulnerabilities (known before hardy was released!) are patched or not.