This bug was fixed in the package moin - 1.5.7-3ubuntu2.1

---------------
moin (1.5.7-3ubuntu2.1) gutsy-security; urgency=low

  * SECURITY UPDATE: cross-site scripting via rename parameter and basename variable
    - debian/patches/30001_CVE-2009-0260.patch: use wikiutil.escape() in MoinMoin/action/AttachFile.py
    - CVE-2009-0260
  * SECURITY UPDATE: cross-site scripting via content variable
    - debian/pathes/30002_antispam_xss_fix.patch: use wikiutil.escape() in MoinMoin/util/antispam.py
    - CVE-2009-XXXX
  * SECURITY UPDATE: cross-site scripting in login
    - debian/patches/30003_CVE-2008-0780.patch: update action/login.py to use wikiutil.escape() for name
    - CVE-2008-0780
    - LP: #200897
  * SECURITY UPDATE: cross-site scripting in AttachFile
    - debian/patches/30004_CVE-2008-0781.patch: use wikiutil.escape() for msg, pagename and target filenames in MoinMoin/action/AttachFile.py
    - CVE-2008-0781
  * SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform cookie action
    - debian/patches/30005_CVE-2008-0782.patch: update MoinMoin/user.py to check USERID via the new id_sanitycheck() function
    - CVE-2008-0782
  * SECURITY UPDATE: cross-site scripting in PageEditor
    - debian/patches/30006_CVE-2008-1098.patch: use wikiutil.escape() in MoinMoin/PageEditor.py
    - CVE-2008-1098
  * SECURITY UPDATE: _macro_Getval does not properly enforce ACLs
    - debian/patches/30007_CVE-2008-1099.patch: update wikimacro.py and wikiutil.py to use request.user.may.read()
    - CVE-2008-1099

 -- Jamie Strandboge <ja...@ubuntu.com>  Tue, 27 Jan 2009 16:15:53 -0600

** Changed in: moin (Ubuntu Gutsy)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0260

** Changed in: moin (Ubuntu Hardy)
       Status: Invalid => Fix Released

--
[moin] [DSA-1514-1] multiple vulnerabilities
https://bugs.launchpad.net/bugs/200897