Debian Bug report logs -
#584809
CVE-2010-2487: multiple XSS vulnerabilities in moin
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin.
(Sun, 06 Jun 2010 19:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Lin PIAT <fpiat@klabs.be>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>.
(Sun, 06 Jun 2010 19:27:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: moin
Version: 1.7.1-3+lenny2
Severity: important
Tags: security
An XSS have been reported upstream:
> There is a possible reflected Cross-Site Scripting attack. An attacker
> able to cause a user to follow a specially crafted malicious link may be
> able to recover session identifiers or exploit browser vulnerabilities.
Moin 1.9.2 (unstable) and 1.7 (lenny) are supposed to be affected.
See:
http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg
Bug Marked as found in versions 1.7.1-2.
Request was from Frank Lin PIAT <fpiat@klabs.be>
to control@bugs.debian.org.
(Mon, 07 Jun 2010 04:57:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin.
(Mon, 07 Jun 2010 05:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Lin PIAT <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
(Mon, 07 Jun 2010 05:27:03 GMT) (full text, mbox, link).
Message #14 received at 584809@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
Find attached a patch for moin 1.7 (lenny).
Jonas, are you available to upload it?
Regards,
Franklin
[moin-1.7_theme.patch (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#584809; Package moin.
(Mon, 07 Jun 2010 06:33:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list.
(Mon, 07 Jun 2010 06:33:07 GMT) (full text, mbox, link).
Message #19 received at 584809@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, Jun 07, 2010 at 07:25:08AM +0200, Frank Lin PIAT wrote:
>Hi,
>
>Find attached a patch for moin 1.7 (lenny).
>
>Jonas, are you available to upload it?
Sorry, not today and maybe not tomorrow either.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin.
(Fri, 02 Jul 2010 19:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
(Fri, 02 Jul 2010 19:51:06 GMT) (full text, mbox, link).
Message #24 received at 584809@bugs.debian.org (full text, mbox, reply):
retitle 584809 CVE-2010-2487: multiple XSS vulnerabilities in moin
severity 584809 grave
thanks
Hi,
This issue has been assigned CVE-2010-2487, please mention it in the uploads
fixing the issues.
Jonas, Franklin, does any of you have time to prepare the package for lenny?
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Changed Bug title to 'CVE-2010-2487: multiple XSS vulnerabilities in moin' from 'moin: Xss due to unescaped theme.add_msg to be fixed'
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 02 Jul 2010 19:51:07 GMT) (full text, mbox, link).
Severity set to 'grave' from 'important'
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 02 Jul 2010 19:51:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin.
(Sun, 04 Jul 2010 15:48:16 GMT) (full text, mbox, link).
Acknowledgement sent
to "Frank Lin PIAT" <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
(Sun, 04 Jul 2010 15:48:16 GMT) (full text, mbox, link).
Message #33 received at 584809@bugs.debian.org (full text, mbox, reply):
Raphael Geissert wrote:
>
> This issue has been assigned CVE-2010-2487, please mention it in the
> uploads
> fixing the issues.
>
> Jonas, Franklin, does any of you have time to prepare the package for
> lenny?
Hi Raphael,
A patch is included in this BR, it just needs to be uploaded
(well, one needs to add the CVE to the changelog, as you requested).
I have no upload right, so I can't do the actual upload myself.
Regards,
Franklin
P.S. I am working on the new upstream release for unstable, which fix this
CVE.
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin.
(Sun, 04 Jul 2010 19:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to 584809@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
(Sun, 04 Jul 2010 19:27:06 GMT) (full text, mbox, link).
Message #38 received at 584809@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, Jul 04, 2010 at 05:28:59PM +0200, Frank Lin PIAT wrote:
>Raphael Geissert wrote:
>>
>> This issue has been assigned CVE-2010-2487, please mention it in the
>> uploads fixing the issues.
>>
>> Jonas, Franklin, does any of you have time to prepare the package for
>> lenny?
>
>Hi Raphael,
>
>A patch is included in this BR, it just needs to be uploaded (well, one
>needs to add the CVE to the changelog, as you requested).
>
>I have no upload right, so I can't do the actual upload myself.
I have very little time next 2 weeks, but if you prepare it and ping me,
I will try take time enough to double-check and upload.
>P.S. I am working on the new upstream release for unstable, which fix
>this CVE.
Same here.
Regards,
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin.
(Sun, 04 Jul 2010 23:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to 584809@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
(Sun, 04 Jul 2010 23:30:03 GMT) (full text, mbox, link).
Message #43 received at 584809@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, Jul 04, 2010 at 09:23:15PM +0200, Jonas Smedegaard wrote:
>On Sun, Jul 04, 2010 at 05:28:59PM +0200, Frank Lin PIAT wrote:
>>P.S. I am working on the new upstream release for unstable, which fix
>>this CVE.
>
>Same here.
I already prepared that update last week - just forgot to push it.
Done now. Needs investigating copyright_hints and generally check if
any upstream changes needs some adaptions to our packaging.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin.
(Sun, 25 Jul 2010 18:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nc Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
(Sun, 25 Jul 2010 18:12:03 GMT) (full text, mbox, link).
Message #48 received at 584809@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
any news on this bug report? It's a bit sad to see a fix but nothing
happening. Frank, if you need sponsoring I can sponsor your upload or Jonas
please pick this up and upload. I don't want to hijack this, hence the mail
but it would be nice to get this fixed.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin.
(Thu, 29 Jul 2010 20:09:09 GMT) (full text, mbox, link).
Acknowledgement sent
to "Frank Lin PIAT" <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
(Thu, 29 Jul 2010 20:09:09 GMT) (full text, mbox, link).
Message #53 received at 584809@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Nicolas,
Could you upload that security update for Debian stable. I have updated
(and attached) that patch, to mention the CVE number as suggested by
Raphael.
Thanks,
Franklin
Nc Golde wrote:
> Hi,
> any news on this bug report? It's a bit sad to see a fix but nothing
> happening. Frank, if you need sponsoring I can sponsor your upload or
> Jonas please pick this up and upload. I don't want to hijack this,
> hence the mail but it would be nice to get this fixed.
[moin-lenny_CVE-2010-2487-XSS.diff (text/x-patch, attachment)]
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Mon, 02 Aug 2010 18:57:04 GMT) (full text, mbox, link).
Notification sent
to Frank Lin PIAT <fpiat@klabs.be>:
Bug acknowledged by developer.
(Mon, 02 Aug 2010 18:57:04 GMT) (full text, mbox, link).
Message #58 received at 584809-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 1.9.3-1
looks like this was forgotten
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent
to Frank Lin PIAT <fpiat@klabs.be>:
You have taken responsibility.
(Tue, 03 Aug 2010 05:03:03 GMT) (full text, mbox, link).
Notification sent
to Frank Lin PIAT <fpiat@klabs.be>:
Bug acknowledged by developer.
(Tue, 03 Aug 2010 05:03:03 GMT) (full text, mbox, link).
Message #63 received at 584809-close@bugs.debian.org (full text, mbox, reply):
Source: moin
Source-Version: 1.7.1-3+lenny5
We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:
moin_1.7.1-3+lenny5.diff.gz
to main/m/moin/moin_1.7.1-3+lenny5.diff.gz
moin_1.7.1-3+lenny5.dsc
to main/m/moin/moin_1.7.1-3+lenny5.dsc
python-moinmoin_1.7.1-3+lenny5_all.deb
to main/m/moin/python-moinmoin_1.7.1-3+lenny5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 584809@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Frank Lin PIAT <fpiat@klabs.be> (supplier of updated moin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 07 Jun 2010 06:48:00 +0200
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.7.1-3+lenny5
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Frank Lin PIAT <fpiat@klabs.be>
Description:
python-moinmoin - Python clone of WikiWiki - library
Closes: 584809
Changes:
moin (1.7.1-3+lenny5) stable-security; urgency=high
.
* Non-maintainer upload.
* Fixed XSS in theme.add_msg, CVE-2010-2487
(Closes: #584809)
Checksums-Sha1:
f89a8e5082469363aeca2b7c02b18c322f0c676c 1259 moin_1.7.1-3+lenny5.dsc
3dc013eb71cd581a1a3804f27d7467d3dcc9d1c0 92369 moin_1.7.1-3+lenny5.diff.gz
41f2d4bcd86c631af1649440e5fc7bb21debebf1 4499604 python-moinmoin_1.7.1-3+lenny5_all.deb
Checksums-Sha256:
f9cc61d5ac4e561455b1108138c26b402b1c33401d3ae4ee16710034f95ba7f8 1259 moin_1.7.1-3+lenny5.dsc
8179472cadc1288895fa85706ced20a1e1dac387e48f472c7b5f4ff100ba1eef 92369 moin_1.7.1-3+lenny5.diff.gz
ee93b193f08aa86941af2750641caa89d4c4ec7d1360ac088b4c20d0ae1a3ad3 4499604 python-moinmoin_1.7.1-3+lenny5_all.deb
Files:
574199fc8e4c954cdd8b75e81eecdcf2 1259 net optional moin_1.7.1-3+lenny5.dsc
5363c01a34f85326113d767264edd42a 92369 net optional moin_1.7.1-3+lenny5.diff.gz
c17eeecc46d92ea6db6078884c777669 4499604 python optional python-moinmoin_1.7.1-3+lenny5_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkxVfT8ACgkQHYflSXNkfP/C0ACdFC2Bq6ASWi14ar8t2Fm3kvvo
lSIAnRCSmJUUhaWk597Nj3KdudqnVYwG
=7jEZ
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 08 Sep 2010 07:31:31 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:12:14 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon