moin: CVE-2017-5934: XSS in GUI editor related code

Related Vulnerabilities: CVE-2017-5934  

Debian Bug report logs - #910776
moin: CVE-2017-5934: XSS in GUI editor related code

Package: src:moin; Maintainer for src:moin is Steve McIntyre <93sam@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 11 Oct 2018 05:21:02 UTC

Severity: serious

Tags: patch, security, upstream

Found in version moin/1.9.9-1

Fixed in version moin/1.9.9-1+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Steve McIntyre <93sam@debian.org>:
Bug#910776; Package src:moin. (Thu, 11 Oct 2018 05:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Steve McIntyre <93sam@debian.org>. (Thu, 11 Oct 2018 05:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: moin: CVE-2017-5934: XSS in GUI editor related code
Date: Thu, 11 Oct 2018 07:16:16 +0200
Source: moin
Version: 1.9.9-1
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for moin.

CVE-2017-5934[0]:
XSS in GUI editor related code

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5934
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5934
[1] https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 20 Oct 2018 09:48:50 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Oct 2018 09:48:50 GMT)


Message #10 received at 910776-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 910776-close@bugs.debian.org
Subject: Bug#910776: fixed in moin 1.9.9-1+deb9u1
Date: Sat, 20 Oct 2018 09:48:22 +0000
Source: moin
Source-Version: 1.9.9-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Oct 2018 20:54:28 +0200
Source: moin
Binary: python-moinmoin
Architecture: source
Version: 1.9.9-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Steve McIntyre <93sam@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 910776
Description: 
 python-moinmoin - Python clone of WikiWiki - library
Changes:
 moin (1.9.9-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * XSS in GUI editor related code (CVE-2017-5934) (Closes: #910776)





Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2018 19:51:08 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Dec 2018 07:28:21 GMT)

