-
moin (1.5.8-5.1ubuntu2.5) hardy-security; urgency=low
* SECURITY UPDATE: arbitrary script injection via multiple cross-site
scripting issues.
- debian/patches/30009_CVE-2010-2487,2969,2970.patch: properly escape
strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
MoinMoin/action/*.py.
- CVE-2010-2487
- CVE-2010-2969
-- Marc Deslauriers <email address hidden> Fri, 20 Aug 2010 13:37:52 -0400
-
moin (1.5.8-5.1ubuntu2.4) hardy-security; urgency=low
* SECURITY UPDATE: fix XSS in Despam action
- debian/patches/30008_CVE-2010-0828.patch: use wikiutil.escape()
in revert_pages()
- CVE-2010-0828
-- Jamie Strandboge <email address hidden> Tue, 30 Mar 2010 13:51:01 -0500
-
moin (1.5.8-5.1ubuntu2.3) hardy-security; urgency=low
* SECURITY UPDATE: fix multiple CSRF vulnerabilities
- debian/patches/30006_CVE-2010-0668.patch: add tickets to prevent CSRF
attacks in several components.
- CVE-2010-0668
* SECURITY UPDATE: properly sanitize user profiles
- debian/patches/30007_CVE-2010-0669.patch: adjust userprefs/prefs.py,
user.py and wikiutil.py to sanitize input
- CVE-2010-0669
-- Jamie Strandboge <email address hidden> Tue, 09 Mar 2010 15:22:12 -0600
-
moin (1.5.8-5.1ubuntu2.2) hardy-security; urgency=low
* SECURITY UPDATE: cross-site scripting via rename parameter and
basename variable
- debian/patches/30001_CVE-2009-0260.patch: use wikiutil.escape() in
MoinMoin/action/AttachFile.py
- CVE-2009-0260
* SECURITY UPDATE: cross-site scripting via content variable
- debian/patches/30002_antispam_xss_fix.patch: use wikiutil.escape()
in MoinMoin/util/antispam.py
- CVE-2009-XXXX
* SECURITY UPDATE: cross-site scripting in login
- debian/patches/30003_CVE-2008-0780.patch: update action/login.py to use
wikiutil.escape() for name
- CVE-2008-0780
- LP: #200897
* SECURITY UPDATE: cross-site scripting in AttachFile
- debian/patches/30004_CVE-2008-0781.patch: use wikiutil.escape() for
msg, pagename and target filenames in MoinMoin/action/AttachFile.py
- CVE-2008-0781
* SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
cookie action
- debian/patches/30005_CVE-2008-0782.patch: update MoinMoin/user.py to
check USERID via the new id_sanitycheck() function
- CVE-2008-0782
-- Jamie Strandboge <email address hidden> Thu, 29 Jan 2009 17:37:53 -0600
-
moin (1.5.8-5.1ubuntu2) hardy; urgency=low
* Do not suggest python-xml, but python-4suite-xml.
-- Matthias Klose <email address hidden> Wed, 27 Feb 2008 16:06:05 +0000
-
moin (1.5.8-5.1ubuntu1) hardy; urgency=low
* Merge with Debian (LP: #193869); remaining changes:
- Suggest python-xml (needed for DocBook rendering). LP: #31728.
-- Emanuele Gentili <email address hidden> Thu, 21 Feb 2008 02:22:30 +0100
-
moin (1.5.8-5ubuntu1) hardy; urgency=low
* Merge with Debian; remaining changes:
- Suggest python-xml (needed for DocBook rendering). LP: #31728.
moin (1.5.8-5) unstable; urgency=high
* Acknowledge NMU.
+ Rename patch to 10011 (to match documented naming scheme).
+ Unfuzz patch.
* Use Vcs-* fields (not XS-Vcs-* fields) in debian/control.
moin (1.5.8-4.1) unstable; urgency=high
* Non-maintainer upload by the testing-security team
* Include upstream patch to enable whitelisting, instead of
insufficient blacklisting for file uploads (Closes: #429205)
Fixes: CVE-2007-5156, CVE-2007-3163, CVE-2007-2630, CVE-2006-0658
moin (1.5.8-4) unstable; urgency=low
* Sync with upstream HG development source as of today (patchset 851):
+ Avoid out-of-space file corruption of "current" page.
+ Fix translation of "Toggle line numbers" link.
* Move Homepage to own field (from pseudo-field in long description).
moin (1.5.8-3) unstable; urgency=high
* Actually apply the added patch in 1.5.8-2.
* Raise to urgency=high as these are only security-related bugfixes.
moin (1.5.8-2) unstable; urgency=low
* Sync with upstream HG development source as of today (patchset 849):
+ XSS fix with RenamePage and DeletePage
+ ACL fix: only send <link rel=Appendix... when there's read access
moin (1.5.8-1) unstable; urgency=low
* New upstream release.
* Drop all earlier patches from upstream Mercurial: applied upstream.
* Sync with upstream HG development source as of today (patchset 845).
* Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control.
* Update cdbs tweaks:
+ Various improvements to update-tarball.
* Better duplicate build-dependency cleanup in debian/rules, and semi-
auto-update debian/control:
DEB_BUILD_OPTIONS=cdbs-autoupdate fakeroot debian/rules pre-build
* Replace deprecated ${Source-Version} with binNMU-safe
${source:Version} in debian/control. Thanks to Lintian.
* Remove MoinMoin/i18n/meta.py in clean target.
-- Matthias Klose <email address hidden> Thu, 06 Dec 2007 17:44:41 +0000
-
moin (1.5.7-3ubuntu2) gutsy; urgency=low
* Suggest python-xml (needed for DocBook rendering). LP: #31728.
-- Matthias Klose <email address hidden> Sun, 09 Sep 2007 01:36:23 +0200