* SECURITY UPDATE: cross-site scripting via rename parameter and
basename variable
- debian/patches/30001_CVE-2009-0260.patch: use wikiutil.escape() in
MoinMoin/action/AttachFile.py
- CVE-2009-0260
* SECURITY UPDATE: cross-site scripting via content variable
- debian/pathes/30002_antispam_xss_fix.patch: use wikiutil.escape()
in MoinMoin/util/antispam.py
- CVE-2009-XXXX
* SECURITY UPDATE: cross-site scripting in login
- debian/patches/30003_CVE-2008-0780.patch: update action/login.py to use
wikiutil.escape() for name
- CVE-2008-0780
- LP: #200897
* SECURITY UPDATE: cross-site scripting in AttachFile
- debian/patches/30004_CVE-2008-0781.patch: use wikiutil.escape() for
msg, pagename and target filenames in MoinMoin/action/AttachFile.py
- CVE-2008-0781
* SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
cookie action
- debian/patches/30005_CVE-2008-0782.patch: update MoinMoin/user.py to
check USERID via the new id_sanitycheck() function
- CVE-2008-0782
* SECURITY UPDATE: cross-site scripting in PageEditor
- debian/patches/30006_CVE-2008-1098.patch: use wikiutil.escape() in
MoinMoin/PageEditor.py
- CVE-2008-1098
* SECURITY UPDATE: _macro_Getval does not properly enforce ACLs
- debian/patches/30007_CVE-2008-1099.patch: update wikimacro.py and
wikiutil.py to use request.user.may.read()
- CVE-2008-1099
This bug was fixed in the package moin - 1.5.7-3ubuntu2.1
---------------
moin (1.5.7-3ubuntu2.1) gutsy-security; urgency=low
* SECURITY UPDATE: cross-site scripting via rename parameter and
basename variable
- debian/patches/30001_CVE-2009-0260.patch: use wikiutil.escape() in
MoinMoin/action/AttachFile.py
- CVE-2009-0260
* SECURITY UPDATE: cross-site scripting via content variable
- debian/pathes/30002_antispam_xss_fix.patch: use wikiutil.escape()
in MoinMoin/util/antispam.py
- CVE-2009-XXXX
* SECURITY UPDATE: cross-site scripting in login
- debian/patches/30003_CVE-2008-0780.patch: update action/login.py to use
wikiutil.escape() for name
- CVE-2008-0780
- LP: #200897
* SECURITY UPDATE: cross-site scripting in AttachFile
- debian/patches/30004_CVE-2008-0781.patch: use wikiutil.escape() for
msg, pagename and target filenames in MoinMoin/action/AttachFile.py
- CVE-2008-0781
* SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
cookie action
- debian/patches/30005_CVE-2008-0782.patch: update MoinMoin/user.py to
check USERID via the new id_sanitycheck() function
- CVE-2008-0782
* SECURITY UPDATE: cross-site scripting in PageEditor
- debian/patches/30006_CVE-2008-1098.patch: use wikiutil.escape() in
MoinMoin/PageEditor.py
- CVE-2008-1098
* SECURITY UPDATE: _macro_Getval does not properly enforce ACLs
- debian/patches/30007_CVE-2008-1099.patch: update wikimacro.py and
wikiutil.py to use request.user.may.read()
- CVE-2008-1099
-- Jamie Strandboge <email address hidden> Tue, 27 Jan 2009 16:15:53 -0600