Debian Bug report logs -
#410338
CVE-2007-0857: pagename XSS
Reported by: Kees Cook <kees@outflux.net>
Date: Fri, 9 Feb 2007 21:48:02 UTC
Severity: critical
Tags: fixed-upstream, patch, security, upstream
Merged with 410552
Found in version 1.5.3-1.1
Fixed in versions moin/1.5.3-1.2, moin/1.5.7-1
Done: Jonas Smedegaard <dr@jones.dk>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>
:
Bug#410338
; Package moin
.
(full text, mbox, link).
Acknowledgement sent to Kees Cook <kees@outflux.net>
:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: moin
Version: 1.5.3-1.1
Severity: important
Tags: patch, security
"Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before
1.5.7 allow remote attackers to inject arbitrary web script or HTML via
(1) the page info, or the page name in a (2) AttachFile, (3) RenamePage,
or (4) LocalSiteMap action."
The upstream changes are visible here:
http://hg.thinkmo.de/moin/1.5?fl=28eb59256911;file=docs/CHANGES
However, LikePages was missed, and the upstream LocalSiteMap fix appears
to be incomplete. Attached is the patch I'm using in Ubuntu.
--
Kees Cook @outflux.net
[090_fix-pagename-xss.patch (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>
:
Bug#410338
; Package moin
.
(full text, mbox, link).
Acknowledgement sent to Kees Cook <kees@outflux.net>
:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>
.
(full text, mbox, link).
Message #10 received at 410338@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Attached is a more complete patch, based on some auditing. I've
forwarded the missed fixes upstream.
--
Kees Cook @outflux.net
[090_fix-pagename-xss.patch (text/x-diff, attachment)]
Severity set to `critical' from `important'
Request was from Kees Cook <kees@outflux.net>
to control@bugs.debian.org
.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>
:
Bug#410338
; Package moin
.
(full text, mbox, link).
Acknowledgement sent to Martin Zobel-Helas <zobel@debian.org>
:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>
.
(full text, mbox, link).
Message #19 received at 410338@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 410338 + patch
thanks
Hi,
Attached is the diff for my moin 1.5.3-1.2 NMU.
Greetings
Martin
[moin-1.5.3-1.2-nmu.diff (text/x-diff, attachment)]
Tags added: patch
Request was from Martin Zobel-Helas <zobel@debian.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Reply sent to Martin Zobel-Helas <zobel@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Kees Cook <kees@outflux.net>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #26 received at 410338-close@bugs.debian.org (full text, mbox, reply):
Source: moin
Source-Version: 1.5.3-1.2
We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:
moin_1.5.3-1.2.diff.gz
to pool/main/m/moin/moin_1.5.3-1.2.diff.gz
moin_1.5.3-1.2.dsc
to pool/main/m/moin/moin_1.5.3-1.2.dsc
moinmoin-common_1.5.3-1.2_all.deb
to pool/main/m/moin/moinmoin-common_1.5.3-1.2_all.deb
python-moinmoin_1.5.3-1.2_all.deb
to pool/main/m/moin/python-moinmoin_1.5.3-1.2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 410338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Zobel-Helas <zobel@debian.org> (supplier of updated moin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 27 Feb 2007 10:00:39 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.3-1.2
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Martin Zobel-Helas <zobel@debian.org>
Description:
moinmoin-common - Python clone of WikiWiki - common data
python-moinmoin - Python clone of WikiWiki - library
Closes: 410338
Changes:
moin (1.5.3-1.2) unstable; urgency=low
.
* Non-maintainer upload.
* Adding patch from BTS to fix CVE-2007-0857 (Closes: #410338)
Files:
134e914144ce1bc4ff53f015341f0cf1 653 net optional moin_1.5.3-1.2.dsc
530ec8bccc7c44033fac68e42021e776 35750 net optional moin_1.5.3-1.2.diff.gz
c447de2045329dc06212e0f6b196c34c 1573858 net optional moinmoin-common_1.5.3-1.2_all.deb
8c8a51ba388f9d09f230e3c1e1e2bfe9 912502 python optional python-moinmoin_1.5.3-1.2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF4/rqST77jl1k+HARAlHWAKC3HAFgvZ27CEpGESLFksgpKP9WiACeI2kN
6xUPoBEwLFYpM8SW+kv3LpU=
=g6QW
-----END PGP SIGNATURE-----
Reply sent to Martin Zobel-Helas <zobel@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Marcus Husar <edv@rose.uni-heidelberg.de>
:
Bug acknowledged by developer.
(full text, mbox, link).
Reply sent to Jonas Smedegaard <dr@jones.dk>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Kees Cook <kees@outflux.net>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #36 received at 410338-close@bugs.debian.org (full text, mbox, reply):
Source: moin
Source-Version: 1.5.7-1
We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:
moin_1.5.7-1.diff.gz
to pool/main/m/moin/moin_1.5.7-1.diff.gz
moin_1.5.7-1.dsc
to pool/main/m/moin/moin_1.5.7-1.dsc
moin_1.5.7.orig.tar.gz
to pool/main/m/moin/moin_1.5.7.orig.tar.gz
moinmoin-common_1.5.7-1_all.deb
to pool/main/m/moin/moinmoin-common_1.5.7-1_all.deb
python-moinmoin_1.5.7-1_all.deb
to pool/main/m/moin/python-moinmoin_1.5.7-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 410338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated moin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 16 Mar 2007 18:07:48 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.7-1
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
moinmoin-common - Python clone of WikiWiki - common data
python-moinmoin - Python clone of WikiWiki - library
Closes: 373464 373464 383841 383909 384349 410338
Changes:
moin (1.5.7-1) unstable; urgency=low
.
* New upstream release. Closes: Bug#384349.
Highlights:
+ XSS Fixes (already fixed in Debian NMU).
+ Improved LDAP authentication.
+ Various GUI editor improvements (but still buggy!).
+ Attachments can be overwritten, moved to a different page, and
referenced.
+ Various performance improvements.
+ Rendering fixes (especially workarounds for IE6 bugs).
+ Simplified migration routine. Please read
/usr/share/doc/moinmoin-common/README.Migration(.gz).
+ Fix for forgotten password email login URL.
+ Google sitemap support: ?action=sitemap.
+ Updated translations: i18n strings, system and help pages.
+ Hyphens are now allowed in usernames. Closes: Bug#383909.
+ Improved docutils and ReST support.
* Acknowledge NMUs. Closes: Bug#373464, #383841, #410338, thanks to
Josselin Mouette, Pierre Habouzit, Martin Zobel-Helas and Toni
Mueller.
* Reorganize patches.
+ Extend patches to 5 digits to make room for Hg changesets.
+ Adjust debian/patches/README to mention Hg (not Arch).
+ Use quilt (not the simple cdbs-internal patch system).
* Add patches to bring in sync with upstream Hg (patchset 822).
* Remove parts of CVE-2007-0857 applied upstream (changesets 805-806).
Rename patch to follow new 5-digit scheme.
* Rewrite README.packaging to describe getting changesets from Hg (not
Arch).
* Update CDBS tweaks:
+ Update copyright-check.mk: Look for "(c)" too, avoid non-printable
characters, verbose error report.
+ Update buildinfo.mk: Fix touchfile to run only once.
+ Major overhaul of python-distutils.mk: Syncronize with main cdbs,
which adds support for new Python policy, and massive rewrite to
bring back functionality broken in the default implementation of
that new policy.
+ Replace auto-update.mk with (overload of) buildcore.mk.
+ Add README.cdbs-tweaks documenting the added tweaks.
+ Advertise README.cdbs-tweaks in debian/rules.
* Enable new Python policy, except when DEB_BUILD_OPTIONS contains
"sarge". Closes: Bug#373464 (thanks to Pierre Habouzit and ).
* Bump up Standards-Version to 3.7.2 for non-default distros.
* Adjust long description to not mention dropped pythonXX-moinmoin.
* As stated in README.Debian, CGI interface has had most testing:
+ Revert to suggesting apache in favor of libapache(2)-python.
+ Suggest httpd-cgi (not httpd) as fallback.
* Cleanup and improve debian/rules:
+ Use (newly improved!) tweaked cdbs again, to also support
distributions using the old python policy.
+ Restore rules aaplying only to old python policy.
+ Add switch to declare variables varying between python policies.
+ Stitch together README.Debian from parts, referring to build-
dependent default python version, and leaving out section on
multiple packages when using new python policy.
+ Stitch together README.Debian and moinmoin-common.postinst in
pre-build, and remove in clean. This avoids distributing changes
and then loosing it again automatically at next build.
+ Add more comments.
+ Move build targets to switch distribution down to the bottom.
* Update debian/copyright:
+ Add new copyright for Bubblehelp infoboxes (license: GPLv2).
+ Add new copyright for EXIF filter (license: BSD-like).
+ Fix non-unicode Character (copyright-holder Peter Åstrand).
* No longer install docs/CHANGES.config dropped upstream.
* Add note to README.Debian about risk of dict symlink breaking if
copying and using the data from a different location. This relates
only to the recent NMU changing (without documentaing!!!) from
static to shared symlink.
* Use Build-depends (not Build-depends-Indep) for non-default
distributions.
* Tightened pyversions to only include 2.3 and higher.
* Suppress lintian warnings about INSTALL.html in docs (contains
valuable info on further steps than automated in this packaging) and
non-executable scripts in underlay (they should never be executed
from there).
Files:
3af73028d18bbf049565ee975c3ccb5c 759 net optional moin_1.5.7-1.dsc
b304f1c2054c7f3bf0dc48c141b28b33 4411634 net optional moin_1.5.7.orig.tar.gz
5ee74fe0319d707c71c9c481f4a21b12 48877 net optional moin_1.5.7-1.diff.gz
3a2a526a20eaaa225cb237a666b8aee5 1660388 net optional moinmoin-common_1.5.7-1_all.deb
a89395b1e9ea7d4b4cb9ab32522bde80 1017220 python optional python-moinmoin_1.5.7-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF+yqSn7DbMsAkQLgRAvECAJ9fbh7g5OMAhLy8xNSmlBdzVf6GsACfRK6H
QjmU9th+UdcQKyQDqERRCs0=
=742I
-----END PGP SIGNATURE-----
Reply sent to Jonas Smedegaard <dr@jones.dk>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Marcus Husar <edv@rose.uni-heidelberg.de>
:
Bug acknowledged by developer.
(full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 25 Jun 2007 07:05:53 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:26:52 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.