Change logs for moin source package in Dapper

  • moin (1.5.2-1ubuntu2.7) dapper-security; urgency=low
    
      * SECURITY UPDATE: arbitrary script injection via multiple cross-site
        scripting issues.
        - debian/patches/103_CVE-2010-2487,2969,2970.patch: properly escape
          strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
          MoinMoin/action/*.py.
        - CVE-2010-2487
        - CVE-2010-2969
     -- Marc Deslauriers <email address hidden>   Fri, 20 Aug 2010 13:47:29 -0400
  • moin (1.5.2-1ubuntu2.6) dapper-security; urgency=low
    
      * SECURITY UPDATE: fix XSS in Despam action
        - debian/patches/102_CVE-2010-0828.patch: use wikiutil.escape()
          in revert_pages()
        - CVE-2010-0828
     -- Jamie Strandboge <email address hidden>   Tue, 30 Mar 2010 13:47:10 -0500
  • moin (1.5.2-1ubuntu2.5) dapper-security; urgency=low
    
      * SECURITY UPDATE: fix multiple CSRF vulnerabilities
        - debian/patches/100_CVE-2010-0668.patch: add tickets to prevent CSRF
          attacks in several components.
        - CVE-2010-0668
      * SECURITY UPDATE: properly sanitize user profiles
        - debian/patches/101_CVE-2010-0669.patch: adjust userprefs/prefs.py,
          user.py and wikiutil.py to sanitize input
        - CVE-2010-0669
     -- Jamie Strandboge <email address hidden>   Thu, 11 Mar 2010 11:41:33 -0600
  • moin (1.5.2-1ubuntu2.4) dapper-security; urgency=low
    
      * SECURITY UPDATE: cross-site scripting via rename parameter and
        basename variable
        - debian/patches/094_CVE-2009-0260.patch: use wikiutil.escape() in
          MoinMoin/action/AttachFile.py
        - CVE-2009-0260
      * SECURITY UPDATE: cross-site scripting via content variable
        - debian/patches/095_antispam_xss_fix.patch: use wikiutil.escape()
          in MoinMoin/util/antispam.py
        - CVE-2009-XXXX
      * SECURITY UPDATE: cross-site scripting in AttachFile
        - debian/patches/096_CVE-2008-0781.patch: use wikiutil.escape() for
          msg and target filenames in MoinMoin/action/AttachFile.py
        - CVE-2008-0781
        - LP: #200897
      * SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
          cookie action
        - debian/patches/097_CVE-2008-0782.patch: update MoinMoin/user.py to
          check USERID via the new id_sanitycheck() function
        - CVE-2008-0782
      * SECURITY UPDATE: cross-site scripting in PageEditor
        - debian/patches/098_CVE-2008-1098.patch: use wikiutil.escape() in
          MoinMoin/PageEditor.py
        - CVE-2008-1098
      * SECURITY UPDATE: _macro_Getval does not properly enforce ACLs
        - debian/patches/099_CVE-2008-1099.patch: update wikimacro.py and
          wikiutil.py to use request.user.may.read()
        - CVE-2008-1099
    
     -- Jamie Strandboge <email address hidden>   Tue, 27 Jan 2009 16:54:42 -0600
  • moin (1.5.2-1ubuntu2.3) dapper-security; urgency=low
    
      * SECURITY UPDATE: XSS via AttachFile actions, unchecked ACLs.
      * Add 092_fix-attach-xss.patch: upstream patch.
      * Add 093_fix-acl-checks.patch: upstream patches.
      * References
        http://hg.thinkmo.de/moin/1.5/rev/288694f8dfde
        http://hg.thinkmo.de/moin/1.5/rev/4949ad88af4e
        http://hg.thinkmo.de/moin/1.5/rev/0e41a0429ee1
        CVE-2007-2423
    
     -- Kees Cook <email address hidden>   Mon, 07 May 2007 03:38:10 -0700
  • moin (1.5.2-1ubuntu2.2) dapper-security; urgency=low
    
      * debian/patches/091_show-traceback-option.patch: allow for
        'show_traceback=0' in Moin configurations.
      * References
        CVE-2007-0902
    
     -- Kees Cook <email address hidden>   Thu, 15 Feb 2007 14:00:14 -0800
  • moin (1.5.2-1ubuntu2.1) dapper-security; urgency=low
    
      * SECURITY UPDATE: fix XSS in pagename displays.
      * Add 'debian/patches/090_fix-pagename-xss.patch': based on patches from
        upstream.  Added fixes for "LikePages".
      * References
        http://hg.thinkmo.de/moin/1.5?fl=28eb59256911;file=docs/CHANGES
        CVE-2007-0857
    
     -- Kees Cook <email address hidden>   Fri,  9 Feb 2007 13:35:32 -0800
  • moin (1.5.2-1ubuntu2) dapper; urgency=low
    
      * debian/patches/001-attachment-xss-fix.patch:
        + SECURITY: Backported patch from latest upstream version:
          - Fixed cross site scripting issue which could lead to cookie theft etc.
            Thanks to the CAcert Security Team!
        + Thanks to Alexander Schremmer for pointing at this security problem
    
     -- Sebastian Dröge <email address hidden>   Sun, 14 May 2006 16:23:00 +0200
  • moin (1.5.2-1ubuntu1) dapper; urgency=low
    
      * Drop python2.3 package.
    
     -- Matthias Klose <email address hidden>   Tue, 14 Feb 2006 16:09:24 +0000
  • moin (1.5.0-0ubuntu1) dapper; urgency=low
    
    
      * New upstream release.
      * Update packaging from Debian.
        - Merge the current debian/rules file with the Ubuntu one to make a
          hideous monster!
        - Stop using ${python:Depends}, as dh_python seems to be adding a
          python2.3 dependency for some reason.
    
     -- Steve Kowalik <email address hidden>  Fri, 13 Jan 2006 18:55:15 +1100
  • moin (1.2.4-1ubuntu2) breezy; urgency=low
    
    
      * Recommend: postfix | mail-transport-agent
    
     -- LaMont Jones <email address hidden>  Mon,  2 May 2005 19:28:08 -0600