moinmoin-1.8.8 released on 2010-06-06 contains numerous security fixes.
A simple rename from the very vulnerable 1.8.4 seems sufficient.
And since the 1.9 branch of moin isn't in portage yet, updating to 1.8.8 could also close bugs #305663 and #334697, both of which describe the vulnerabilities mentioned above.
I've added 1.8.8 to CVS and 1.9.3 is on the way.
(In reply to comment #1)
> I've added 1.8.8 to CVS and 1.9.3 is on the way.
Thanks! 1.8.8 installed without trouble and seems to be working. I'll try out 1.9.3 when it hits ~arch.
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1058 to
the following vulnerability:
Cross-site scripting (XSS) vulnerability in the rst parser in
parser/text_rst.py in MoinMoin before 1.9.3, when docutils is
installed or when "format rst" is set, allows remote attackers to
According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1058 moinmoin-1.8.8 *is* affected. Please bump to 1.9.3.
Any news on 1.9.3 hitting portage? I'll be happy to help in any way.
Cross-site scripting (XSS) vulnerability in the reStructuredText (rst)
parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is
installed or when "format rst" is set, allows remote attackers to inject
NOTE: some of these details are obtained from third party information.
@webapps: It's been 6 months, so please provide an updated ebuild or we will punt the package.
(In reply to comment #6)
> @webapps: It's been 6 months, so please provide an updated ebuild or we will
> punt the package.
I created an updated ebuild in bug #374389, but there's been no response there either.
@web-apps: Please add the updated ebuild or hardmask the package because of its currently unfixed security vulnerabilities.
(In reply to comment #9)
> Anyone alive?
Barely, but 1.9.4 is now in CVS. ;)
Feel free to stabilize it.
Note that arm, ppc, and sparc will have to re-keyword 1.9.4 along with a few python deps (bug #433978) that are used instead of the bundled ones now.
Arches, please test and mark stable:
Target keywords : "amd64 ppc sparc x86"
sparc keywords dropped
ppc will continue in bug 433898
This is already on an existing GLSA draft.
This issue was resolved and addressed in
GLSA 201210-02 at http://security.gentoo.org/glsa/glsa-201210-02.xml
by GLSA coordinator Stefan Behte (craig).