Package: python-moinmoin Severity: grave Tags: security, patch Justification: user security hole
Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for moin. CVE-2009-0260[0]: | Multiple cross-site scripting (XSS) vulnerabilities in | action/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers | to inject arbitrary web script or HTML via an AttachFile action to the | WikiSandBox component with (1) the rename parameter or (2) the drawing | parameter (aka the basename variable). The upstream patch can be found here[1]. Please note that despite the CVE description, version 1.8.1 in sid is still vulnerable. Also, I haven't looked at the attack vector yet, but if we end up fixing this for stable as well, we should adjust the wikiutil.escape function to also take care of single quotes "'". However, the patch should be trivial as well. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0260 http://security-tracker.debian.net/tracker/CVE-2009-0260 [1] http://hg.moinmo.in/moin/1.8/rev/8cb4d34ccbc1 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
