Bug 256128 (CVE-2009-0260) - www-apps/moinmoin <1.8.1 XSS (CVE-2009-0260)
Summary: www-apps/moinmoin <1.8.1 XSS (CVE-2009-0260)
Status: RESOLVED FIXED
Alias: CVE-2009-0260
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://hg.moinmo.in/moin/1.8/rev/8cb4...
Whiteboard: B3 [noglsa]
Reported: 2009-01-23 21:45 UTC by Stefan Behte (RETIRED)
Modified: 2009-02-03 13:19 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-01-23 21:45:57 UTC
CVE-2009-0260 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0260):
  Multiple cross-site scripting (XSS) vulnerabilities in
  action/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers
  to inject arbitrary web script or HTML via an AttachFile action to
  the WikiSandBox component with (1) the rename parameter or (2) the
  drawing parameter (aka the basename variable).
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2009-01-26 11:18:09 UTC
+*moinmoin-1.8.1 (26 Jan 2009)
+
+  26 Jan 2009; <chainsaw@gentoo.org> +moinmoin-1.8.1.ebuild:
+  Version bump for security bug #256128.
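
Review bot: The entry text "Version bump for security bug #256128." identifies the fix only by bug number. Naming CVE-2009-0260 on that line as well would let someone searching the ChangeLog by CVE find this bump.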

Arches please test & mark stable.
Target keywords: amd64 ppc sparc x86
Comment 2 Dawid Węgliński (RETIRED) gentoo-dev 2009-01-26 13:26:07 UTC
amd64 stable
Comment 3 Ferris McCormick (RETIRED) gentoo-dev 2009-01-26 14:24:24 UTC
Sparc stable (you don't see security problems in something that's pure python every day. :) )
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2009-01-27 10:49:15 UTC
x86 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-01 21:05:36 UTC
ppc stable
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2009-02-02 23:56:21 UTC
web app, XSS: I vote NO.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-02-03 13:19:28 UTC
NO as well, closing.