FFe: Please merge moin 1.9.4-8 (main) from Debian unstable

Bug #1046616 reported by Jeremy Bicha on 2012-09-06
Affects: moin (Ubuntu)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Please merge moin 1.9.4-8 (main) from Debian unstable

Explanation of the remaining Ubuntu delta:
   - Remove python-xml from Suggests field, the package isn't anymore in
     sys.path.
   - Demote fckeditor from Recommends to Suggests; the code was previously
     embedded in moin, but it was also disabled, so there's no reason
     for us to pull this in by default currently. Note: fckeditor has a
     number of security problems and so this change probably needs to be
     carried indefinitely.

Explanation of the Ubuntu delta and why it can be dropped:
  * Build using dh_python2 (applied in 1.9.3-2)

Explanation of FeatureFreeze exception:
* Two security bug fixes
* A whole bunch of other bug fixes.
* The new upstream release has been in Debian since March
* Upstream NEWS: http://hg.moinmo.in/moin/1.9/file/56eaf32027f4/docs/CHANGES

Changelog entries since current quantal version 1.9.3-1ubuntu2:

moin (1.9.4-8) unstable; urgency=high

  * High urgency for a security fix
  * Add patch from upstream to fix a virtual group bug in ACL evaluation
    (CVE-2012-XXXX).

 -- Steve McIntyre <email address hidden> Wed, 05 Sep 2012 01:57:30 +0100

moin (1.9.4-7) unstable; urgency=low

  * subprocess.check_output only appeared in python 2.7. Use
    subprocess.Popen and .communicate() instead to get the same effect but
    working on older python versions too.

 -- Steve McIntyre <email address hidden> Fri, 10 Aug 2012 14:20:26 +0100

moin (1.9.4-6) unstable; urgency=low

  * Fix the error message displayed when external_creation_check fails

 -- Steve McIntyre <email address hidden> Mon, 30 Jul 2012 19:52:39 +0100

moin (1.9.4-5) unstable; urgency=low

  * Store date and host when a new account is created
  * Add the option to call an external helper program at account creation
    time to help with local account control policy (e.g. anti-spam)
  * Make sending of email verification messages slightly more verbose.

 -- Steve McIntyre <email address hidden> Sun, 29 Jul 2012 11:40:28 +0100

moin (1.9.4-4) unstable; urgency=low

  * Fix stupid typo in the mail verification patch. Closes: #671211

 -- Steve McIntyre <email address hidden> Thu, 03 May 2012 12:55:49 +0100

moin (1.9.4-3) unstable; urgency=low

  * Update the subscriber lookup patch to add locking.
  * Add a new patch to add support for verifying email addresses during
    account creation.

 -- Steve McIntyre <email address hidden> Mon, 30 Apr 2012 17:22:27 +0100

moin (1.9.4-2) unstable; urgency=low

  * Add a cache for subscriber lookup to boost performance on page save.
    Patch from Vitaliy Shchupak. Closes: #668000

 -- Steve McIntyre <email address hidden> Mon, 16 Apr 2012 20:18:27 +0100

moin (1.9.4-1) unstable; urgency=low

  * New upstream release.
    Closes: bug#663340.
  * Bump debhelper compatibility level to 7.
  * Stop providing/replacing/conflicting with moinmoin-common:
    Transitional quirk unneeded since Lenny.
  * Drop preinst/postrm conffile renaming hack, unneeded since MoinMoin
    1.5.2.
  * Update package relations:
    + Stop needlessly build-depend versioned on cdbs: shadowed by even
      tighter versioning due to use of default Python install helper.
    + Use unversioned suggest for python-docutils: Needed version
      satisfied even in oldstable.
  * Drop dpkg-source local-options hint: Declared options are default
    since dpkg-source 1.16.1.
  * Drop patch implementing CVE-2011-1058: Applied upstream.
  * Unfuzz patch disabling GUI editor.
  * Update copyright file:
    + Extend/bump some copyright years.
    + Introduce new copyright holder.
    + Fix list more specific Files section after general one.
    + Bump format to 1.0.
    + Fix double-indent in Copyright fields as per Policy §5.6.13.
  * Bump standards-version to 3.9.3.

 -- Jonas Smedegaard <email address hidden> Tue, 13 Mar 2012 11:20:33 +0100

moin (1.9.3-3) unstable; urgency=high

  [ Steve McIntyre ]
  * Add myself to Uploaders
  * Add patch from upstream to fix a cross-site scripting vulnerability in
    the rst parser (CVE-2011-1058). Closes: #643904

 -- Steve McIntyre <email address hidden> Tue, 04 Oct 2011 13:14:09 +0100

moin (1.9.3-2) unstable; urgency=low

  * Ease building with git-buildpackage:
    + Git-ignore quilt .pc dir.
    + Add source local-options.
  * Add patch to add simple support for using recaptcha.
    Closes: bug#637880. Thanks to Steve McIntyre.
  * Depend on python-recaptcha, required by recaptcha support.
  * Suggest cifs-utils (not smbfs).
    Closes: bug#638156. Thanks to Luk Claes.
  * Update copyright file:
    + Rewrite using draft 174 of DEP-5 format.
    + Add recaptcha patch, licensed GPL-2+.
  * Use Python helper python2 (not python-support).
  * Bump Policy compliance to Standards-Version 3.9.2.

 -- Jonas Smedegaard <email address hidden> Mon, 22 Aug 2011 19:13:00 +0200


Jeremy Bicha (jbicha) on 2012-09-06
Changed in moin (Ubuntu):
importance: Undecided → Wishlist
security vulnerability: no → yes
Stefano Rivera (stefanor) wrote :

I'm ok with this. FFe granted.

Changed in moin (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package moin - 1.9.5-1ubuntu1

---------------
moin (1.9.5-1ubuntu1) raring; urgency=low

  * Merge from Debian unstable (LP: #1046616). Remaining changes:
   - Remove python-xml from Suggests field, the package isn't anymore in
     sys.path.
   - Demote fckeditor from Recommends to Suggests; the code was previously
     embedded in moin, but it was also disabled, so there's no reason
     for us to pull this in by default currently. Note: fckeditor has a
     number of security problems and so this change probably needs to be
     carried indefinitely.

moin (1.9.5-1) unstable; urgency=low

  * New upstream release.
  * New maintainer: Steve McIntyre. Thanks to Jonas for all his previous
    hard work.

moin (1.9.4-8) unstable; urgency=high

  * High urgency for a security fix
  * Add patch from upstream to fix a virtual group bug in ACL evaluation
    (CVE-2012-4404).

moin (1.9.4-7) unstable; urgency=low

  * subprocess.check_output only appeared in python 2.7. Use
    subprocess.Popen and .communicate() instead to get the same effect but
    working on older python versions too.

moin (1.9.4-6) unstable; urgency=low

  * Fix the error message displayed when external_creation_check fails

moin (1.9.4-5) unstable; urgency=low

  * Store date and host when a new account is created
  * Add the option to call an external helper program at account creation
    time to help with local account control policy (e.g. anti-spam)
  * Make sending of email verification messages slightly more verbose.

moin (1.9.4-4) unstable; urgency=low

  * Fix stupid typo in the mail verification patch. Closes: #671211

moin (1.9.4-3) unstable; urgency=low

  * Update the subscriber lookup patch to add locking.
  * Add a new patch to add support for verifying email addresses during
    account creation.

moin (1.9.4-2) unstable; urgency=low

  * Add a cache for subscriber lookup to boost performance on page save.
    Patch from Vitaliy Shchupak. Closes: #668000

moin (1.9.4-1) unstable; urgency=low

  * New upstream release.
    Closes: bug#663340.
  * Bump debhelper compatibility level to 7.
  * Stop providing/replacing/conflicting with moinmoin-common:
    Transitional quirk unneeded since Lenny.
  * Drop preinst/postrm conffile renaming hack, unneeded since MoinMoin
    1.5.2.
  * Update package relations:
    + Stop needlessly build-depend versioned on cdbs: shadowed by even
      tighter versioning due to use of default Python install helper.
    + Use unversioned suggest for python-docutils: Needed version
      satisfied even in oldstable.
  * Drop dpkg-source local-options hint: Declared options are default
    since dpkg-source 1.16.1.
  * Drop patch implementing CVE-2011-1058: Applied upstream.
  * Unfuzz patch disabling GUI editor.
  * Update copyright file:
    + Extend/bump some copyright years.
    + Introduce new copyright holder.
    + Fix list more specific Files section after general one.
    + Bump format to 1.0.
    + Fix double-indent in Copyright fields as per Policy §5.6.13.
  * Bump standards-version to 3.9.3.

moin (1.9.3-3) unstable; urgency=high

  [ Steve McIntyre ]
  * Add myself to Uploaders
  * Add patch from...


Changed in moin (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information
Everyone can see this security related information.