| Summary: | <www-apps/moinmoin-1.9.4: XSS issue in rst parser (CVE-2011-1058) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Trace <bugzilla-gentoo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://moinmo.in/SecurityFixes | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 374389, 433898, 433978 | | |
| Bug Blocks: | | | |
Description
Robert Trace
2010-09-30 21:43:34 UTC
I've added 1.8.8 to CVS and 1.9.3 is on the way.

(In reply to comment #1)
> I've added 1.8.8 to CVS and 1.9.3 is on the way.

Thanks! 1.8.8 installed without trouble and seems to be working. I'll try out 1.9.3 when it hits ~arch.

https://bugzilla.redhat.com/show_bug.cgi?id=679523

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1058 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in the rst parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1058
[2] http://moinmo.in/SecurityFixes

Relevant changeset:
[3] http://hg.moinmo.in/moin/1.9/rev/97208f67798f

According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1058 moinmoin-1.8.8 *is* affected. Please bump to 1.9.3.

Any news on 1.9.3 hitting portage? I'll be happy to help in any way.

CVE-2011-1058 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1058):
Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some of these details are obtained from third party information.

@webapps: It's been 6 months, so please provide an updated ebuild or we will punt the package.

(In reply to comment #6)
> @webapps: It's been 6 months, so please provide an updated ebuild or we will
> punt the package.

I created an updated ebuild in bug #374389, but there's been no response there either.

@web-apps: Please add the updated ebuild or hardmask the package because of its currently unfixed security vulnerabilities.

Anyone alive?

(In reply to comment #9)
> Anyone alive?

Barely, but 1.9.4 is now in CVS. ;) Feel free to stabilize it.

Note that arm, ppc, and sparc will have to re-keyword 1.9.4 along with a few python deps (bug #433978) that are used instead of the bundled ones now.

Thanks, Tim.

Arches, please test and mark stable:
=www-apps/moinmoin-1.9.4
Target keywords : "amd64 ppc sparc x86"

amd64 stable

sparc keywords dropped

x86 stable

ppc will continue in bug 433898

Thanks, everyone. This is already on an existing GLSA draft.

This issue was resolved and addressed in GLSA 201210-02 at http://security.gentoo.org/glsa/glsa-201210-02.xml by GLSA coordinator Stefan Behte (craig).
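The CVE entries in this thread describe a reference whose refuri carries a javascript: URL reaching the rendered HTML unchecked. The usual mitigation is to allowlist URI schemes before a reference is emitted as a link, and to fail closed on anything else. The Python below is an added example written for this page, not MoinMoin's own code or the referenced 1.9.3 changeset; the function names, the scheme allowlist and the sample references are assumptions.

```python
import html
import re

# Schemes a wiki renderer may safely place in an href. Anything else
# (javascript:, data:, vbscript:, ...) is refused. An allowlist, not a
# denylist, so unknown or oddly spelled schemes fail closed.
SAFE_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# ASCII control characters and DEL. Browsers tolerate some of these inside
# a scheme, so instead of normalising them away the checker rejects the URI.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_refuri(uri: str) -> bool:
    """True if `uri` may be emitted as an href without script execution.

    Scheme-relative ("//host/path"), relative ("Page/SubPage") and
    fragment-only ("#section") targets are allowed because the browser
    resolves them against the wiki's own origin. An explicit scheme must be
    in SAFE_SCHEMES; a colon inside a relative path must be percent-encoded.
    """
    if _CONTROL_RE.search(uri):
        return False
    stripped = uri.strip()          # browsers ignore surrounding whitespace
    m = _SCHEME_RE.match(stripped)
    if m is None:
        return stripped != ""       # relative reference; empty target refused
    return m.group(1).lower() in SAFE_SCHEMES


def render_reference(text: str, refuri: str) -> str:
    """Emit an <a> element for a docutils-style reference node, or the
    escaped link text alone when the target is unsafe (the link is dropped,
    not rewritten, so the page author can see it did not render)."""
    if is_safe_refuri(refuri):
        return '<a href="%s">%s</a>' % (html.escape(refuri, quote=True),
                                         html.escape(text))
    return html.escape(text)


if __name__ == "__main__":
    # Constructed sample reference nodes (text, refuri), not real wiki content.
    for text, uri in [("Security fixes", "http://moinmo.in/SecurityFixes"),
                      ("Sub page", "Page/SubPage"), ("Section", "#install"),
                      ("Run me", "javascript:alert(1)"),
                      ("Run me too", " JavaScript:alert(1)"),
                      ("Tabbed", "java\tscript:alert(1)"),
                      ("Inline", "data:text/html,<b>hi</b>")]:
        print("%-32r -> %s" % (uri, render_reference(text, uri)))
```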