There is a new version of moinmoin wiki engine available. Would be very nice to have the 1.9 branch in Portage. Reproducible: Always
Version 1.9.1: Bug fixes: * Fixed sys.argv security issue.
web-apps, please bump. Is it okay to mark it stable after that?
CVE-2010-0667 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0667): MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of the sys.argv array in situations where the GATEWAY_INTERFACE environment variable is set, which allows remote attackers to obtain sensitive information via unspecified vectors. CVE-2010-0668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0668): Unspecified vulnerability in MoinMoin 1.5.x through 1.7.x, 1.8.x before 1.8.7, and 1.9.x before 1.9.2 has unknown impact and attack vectors, related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured. CVE-2010-0669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0669): MoinMoin before 1.8.7 and 1.9.x before 1.9.2 does not properly sanitize user profiles, which has unspecified impact and attack vectors. CVE-2010-0717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0717): The default configuration of cfg.packagepages_actions_excluded in MoinMoin before 1.8.7 does not prevent unsafe package actions, which has unspecified impact and attack vectors.
We need 1.9.2.
CVE-2010-0828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0828): Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI. CVE-2010-1238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1238): MoinMoin 1.7.1 allows remote attackers to bypass the textcha protection mechanism by modifying the textcha-question and textcha-answer fields to have empty values.
CVE-2010-0828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0828): Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI.
CVE-2010-2487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2487): Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, 1.8.x before 1.8.8, and 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) Page.py, (2) PageEditor.py, (3) PageGraphicalEditor.py, (4) action/CopyPage.py, (5) action/Load.py, (6) action/RenamePage.py, (7) action/backup.py, (8) action/login.py, (9) action/newaccount.py, and (10) action/recoverpass.py. CVE-2010-2969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2969): Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, and 1.9.x before 1.9.3, allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/LikePages.py, (2) action/chart.py, and (3) action/userprofile.py, a similar issue to CVE-2010-2487. CVE-2010-2970 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2970): Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/SlideShow.py, (2) action/anywikidraw.py, and (3) action/language_setup.py, a similar issue to CVE-2010-2487.
I've added 1.8.8 to the tree which should have fixes for these security issues. 1.9.3 will be following soon.
*** Bug 334697 has been marked as a duplicate of this bug. ***
Arches please test and mark stable =www-apps/moinmoin-1.8.8. Target keywords: amd64, ppc, sparc, x86
amd64 done
x86 stable
ppc done
Dropping CVE-2010-0667, as it is 1.9.x-only.
sparc stable
GLSA Vote: Yes, there is a not of non-XSS impact.
GLSA request filed.
This issue was resolved and addressed in GLSA 201210-02 at http://security.gentoo.org/glsa/glsa-201210-02.xml by GLSA coordinator Stefan Behte (craig).