Package: moin
Severity: important
Tags: patch, security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for moin.
CVE-2009-1482[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
| attackers to inject arbitrary web script or HTML via (1) an AttachFile
| sub-action in the error_msg function or (2) multiple vectors related
| to package file errors in the upload_form function, different vectors
| than CVE-2009-0260.

Please have a look at upstream's announcement[1]. Upstream's patch is here[2].

While I agree that it is a good idea to move the escaping to a more centralised place, I don't see yet where it would be exploitable. There is escaping in several places, so before we worry too much about this, I'd like to see a successful XSS exploit. Could you as the maintainer please also have a look?

It might also be worth including this patch[3] as well, although I don't think it is exploitable.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1482
    http://security-tracker.debian.net/tracker/CVE-2009-1482
[1] http://moinmo.in/SecurityFixes
[2] http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1
[3] http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7
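The report above turns on one design point: whether an error message escapes its input at the sink or relies on every caller having escaped already. The following is an added illustration of that point, written for this page; it is not code from the bug report, from MoinMoin's action/AttachFile.py, or from the linked upstream changesets, and it makes no claim about what the real error_msg or upload_form functions do. The template string, the two stand-in functions and the payloads are all constructed for the example.

```python
"""Caller-side vs. sink-side HTML escaping for an error message.

Constructed example, not MoinMoin's code. It models the generic shape of
the bug class in the CVE text above: a sub-action name that reaches an
error message unescaped. The template and payloads are invented here.
"""
import html

# Constructed payloads (not taken from any real report): a script tag
# and an attribute-breaking string, the two usual shapes of reflected XSS.
PAYLOADS = [
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
]

# Hypothetical error template; the real markup in MoinMoin is not shown here.
TEMPLATE = '<p class="error">Unsupported AttachFile sub-action: %s</p>'


def error_msg_caller_escapes(sub_action):
    """'Before' shape: the sink trusts its argument, so every caller must
    escape. A caller that forgets (modelled here by passing the raw value
    straight through) is a reflected XSS."""
    return TEMPLATE % sub_action


def error_msg_sink_escapes(sub_action):
    """'After' shape: escape once, centrally, so no caller can forget.
    quote=True also neutralises the attribute-breaking payload."""
    return TEMPLATE % html.escape(sub_action, quote=True)


def markup_leaks(render, payloads=PAYLOADS):
    """Return the payloads that reach the rendered output with <, > and "
    intact; an empty list means the sink neutralised all of them."""
    return [p for p in payloads if p in render(p)]


def double_escaped(render, text):
    """Caveat when centralising: callers that still escape produce
    '&amp;lt;' on the page. True if that happens for this sink."""
    return '&amp;' in render(html.escape(text, quote=True))


if __name__ == '__main__':
    print('leaks with caller-side escaping:', markup_leaks(error_msg_caller_escapes))
    print('leaks with sink-side escaping:  ', markup_leaks(error_msg_sink_escapes))
    print('double-escaped if a caller still escapes:',
          double_escaped(error_msg_sink_escapes, PAYLOADS[0]))
```

The second check is the one to keep in mind when reviewing a patch that moves escaping to a central place: the callers that already escaped must stop doing so, or correct error text starts rendering as literal `&lt;` sequences. Reviewing both directions (raw payload no longer leaks, already-escaped text is not escaped twice) is the concrete form of the "successful exploit" the report asks for.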