Bug 268565 - <www-apps/moinmoin-1.8.4 XSS (CVE-2009-1482)
Summary: <www-apps/moinmoin-1.8.4 XSS (CVE-2009-1482)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://moinmo.in/SecurityFixes
Whiteboard: B4 [noglsa]
Keywords:
Duplicates: 262441
Depends on:
Blocks: CVE-2009-0312 CVE-2009-4762
Reported: 2009-05-04 08:58 UTC by Alex Legler (RETIRED)
Modified: 2009-06-21 18:15 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-04 08:58:39 UTC
CVE-2009-1482 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1482):
  Multiple cross-site scripting (XSS) vulnerabilities in
  action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
  attackers to inject arbitrary web script or HTML via (1) an
  AttachFile sub-action in the error_msg function or (2) multiple
  vectors related to package file errors in the upload_form function,
  different vectors than CVE-2009-0260.
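The bug class the CVE text describes is an error message that interpolates request-controlled text (an unknown AttachFile sub-action, or a package-file error string) into HTML without escaping. The following Python is an added, constructed illustration of that pattern beside its escaped form; it is not MoinMoin's action/AttachFile.py and not part of this bug report. All names in it (KNOWN_SUBACTIONS, error_msg_*, upload_form_error_*, dispatch, contains_raw_markup) are hypothetical, and the stdlib html.escape stands in for MoinMoin's own escaping helper.

```python
import html
from urllib.parse import parse_qs

# Constructed model of the CVE-2009-1482 bug class. Names are hypothetical;
# this is not MoinMoin code.
KNOWN_SUBACTIONS = {"get", "upload", "del", "view", "install"}


def error_msg_vulnerable(sub_action: str) -> str:
    """Vector (1): the unknown sub-action name is written into the page as-is."""
    return '<p class="error">Unsupported AttachFile sub-action: %s</p>' % sub_action


def error_msg_fixed(sub_action: str) -> str:
    """Same message, with the attacker-controlled value HTML-escaped first."""
    return '<p class="error">Unsupported AttachFile sub-action: %s</p>' % html.escape(
        sub_action, quote=True
    )


def upload_form_error_vulnerable(package_name: str, reason: str) -> str:
    """Vector (2): a package-file error that echoes the submitted file name."""
    return '<p class="error">Package %s could not be installed: %s</p>' % (package_name, reason)


def upload_form_error_fixed(package_name: str, reason: str) -> str:
    """Escaped form: both the file name and the reason text are user-influenced."""
    return '<p class="error">Package %s could not be installed: %s</p>' % (
        html.escape(package_name, quote=True),
        html.escape(reason, quote=True),
    )


def dispatch(query_string: str, hardened: bool) -> str:
    """Route an AttachFile-style request by its 'do' parameter and render the result.

    Unknown sub-actions fall through to the error message, which is where the
    unescaped reflection happens in the vulnerable variant.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    do = params.get("do", ["get"])[0]
    if do in KNOWN_SUBACTIONS:
        return "<p>handled %s</p>" % do  # value is from the allow-list, so safe
    return error_msg_fixed(do) if hardened else error_msg_vulnerable(do)


def contains_raw_markup(rendered: str) -> bool:
    """Check whether an injected tag survived into the HTML unescaped."""
    return "<script" in rendered or "<img" in rendered


if __name__ == "__main__":
    # Constructed request: do=<script>alert(1)</script>, URL-encoded as a browser would send it.
    payload = "do=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print("vulnerable:", dispatch(payload, hardened=False))
    print("hardened:  ", dispatch(payload, hardened=True))
    print("package:   ", upload_form_error_fixed('<img src=x onerror=alert(1)>', "not a zip file"))
```

The fix is the same for both vectors: escape every request-derived fragment at the point it is written into HTML, rather than trusting that a sub-action name or a filename is harmless.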
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-04 09:02:57 UTC
This is fixed in 1.8.3 and there are patches for 1.7 in the upstream Hg at http://hg.moinmo.in/moin/1.7/ (in case you want to keep the 1.7 branch).
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-04 09:04:14 UTC
*** Bug 262441 has been marked as a duplicate of this bug. ***
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-11 19:42:03 UTC
Arches, please test and mark stable:
=www-apps/moinmoin-1.8.4
Target keywords : "amd64 ppc sparc x86"

Removed 1.7* as it is EOL.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-12 00:49:56 UTC
x86 stable
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2009-06-12 13:11:38 UTC
+  12 Jun 2009; <chainsaw@gentoo.org> moinmoin-1.8.4.ebuild:
+  Marked stable on AMD64. Tested on a dual dual-core Opteron 2218 system
+  using Apache 2.2.11 and mod_fcgid 2.2. For security bugs #268565 and
+  #273858.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2009-06-14 10:20:05 UTC
sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-06-21 14:07:55 UTC
ppc done
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-21 14:19:19 UTC
XSS in webapps = NO.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-21 18:15:22 UTC
NO. Closing.