On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote: > > the following CVE (Common Vulnerabilities & Exposures) id was > published for moin. > > CVE-2009-1482[0]: > | Multiple cross-site scripting (XSS) vulnerabilities in > | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote > | attackers to inject arbitrary web script or HTML via (1) an AttachFile > | sub-action in the error_msg function or (2) multiple vectors related > | to package file errors in the upload_form function, different vectors > | than CVE-2009-0260.
regardin oldstable (moin 1.5.3-1.2etch2) Most of the patch http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1 was already applied by the patch 019_CVE-2007-0781_attach_file_XSS.patch. The remaining of the patch (escaping error_msg) can't be exploited because the calling functions either escape strings, or send intrinsically clean strings, like fixed strings or attachments names that are escaped during upload) The patch http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7 isn't needed, because it fix a bug in a feature that was introduced in later release of moinmoin (1.6 or 1.7) So our moin 1.5.3-1.2etch2 isn't affected by this CVE. Thanks, Franklin P.S. can "you" upload moin 1.7, I can't since I am not DD/DM. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org