moinmoin-1.8.8 released on 2010-06-06 contains numerous security fixes. A simple rename from the very vulnerable 1.8.4 seems sufficient. And since the 1.9 branch of moin isn't in portage yet, updating to 1.8.8 could also close bugs #305663 and #334697, both of which describe the vulnerabilities mentioned above.
Reproducible: Always
I've added 1.8.8 to CVS and 1.9.3 is on the way.
(In reply to comment #1)
> I've added 1.8.8 to CVS and 1.9.3 is on the way.
Thanks! 1.8.8 installed without trouble and seems to be working. I'll try out 1.9.3 when it hits ~arch.
https://bugzilla.redhat.com/show_bug.cgi?id=679523
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1058 to the following vulnerability: Cross-site scripting (XSS) vulnerability in the rst parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1058
[2] http://moinmo.in/SecurityFixes
Relevant changeset:
[3] http://hg.moinmo.in/moin/1.9/rev/97208f67798f
According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1058 moinmoin-1.8.8 *is* affected. Please bump to 1.9.3.
Any news on 1.9.3 hitting portage? I'll be happy to help in any way.
CVE-2011-1058 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1058): Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some of these details are obtained from third party information.
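The vulnerability described above is a link target (the rst `refuri` attribute) being emitted into HTML without checking its scheme. The following is an added example of the defensive check a renderer needs at that point; it is not MoinMoin's code and not the fix in the linked changeset. The function names (`is_safe_link_target`, `sanitise_href`), the `ALLOWED_SCHEMES` policy and the sample inputs are assumptions constructed for this example. It goes slightly beyond the report by normalising control characters and whitespace the way browsers do before reading the scheme, since a check on the raw string alone is not enough.

```python
"""
Added example, not MoinMoin's own code: a scheme allowlist for link targets
such as the rst ``refuri`` attribute named in CVE-2011-1058.
"""
import re
import urllib.parse

# Policy choice for a wiki renderer (assumed set, constructed for this example):
# anything not listed, e.g. javascript:, data:, vbscript:, is rejected.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Browsers drop ASCII control characters, tabs and newlines, and ignore
# leading whitespace, before they parse a URL's scheme. A check must see the
# same string the browser will see, so normalise first.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def normalise_target(uri: str) -> str:
    """Remove control characters and spaces, as a browser would."""
    return _CONTROL_OR_SPACE.sub("", uri)


def is_safe_link_target(uri: str) -> bool:
    """True if the target has no scheme (relative link) or an allowed scheme."""
    target = normalise_target(uri)
    try:
        parsed = urllib.parse.urlsplit(target)
    except ValueError:
        # e.g. an unbalanced IPv6 bracket; treat unparsable input as unsafe
        return False
    if parsed.scheme == "":
        # Relative references: "Page/Sub", "#anchor", "../x", "//host/path".
        # urlsplit only recognises a scheme that starts with a letter and is
        # followed by ':', so a bare page name is accepted here.
        return True
    # urlsplit lower-cases the scheme, so "JavaScript:" is caught as well.
    return parsed.scheme in ALLOWED_SCHEMES


def sanitise_href(uri: str) -> str:
    """Return the target unchanged if it is safe, otherwise an inert '#'."""
    return uri if is_safe_link_target(uri) else "#"


if __name__ == "__main__":
    # Constructed sample targets: the first two are benign, the rest are the
    # kind of value the report says must not reach an href unchecked.
    for sample in ("https://moinmo.in/SecurityFixes", "Page/Sub#anchor",
                   "javascript:alert(1)", "JavaScript:alert(1)",
                   "java\tscript:alert(1)", "  javascript:alert(1)",
                   "data:text/html,x"):
        print(repr(sample), "->", repr(sanitise_href(sample)))
```

The allowlist approach is deliberate: a denylist of known bad schemes misses the next one, whereas rejecting every scheme that is not explicitly allowed (including colon-containing names a particular wiki might want to treat specially) fails on the safe side. A wiki that needs additional schemes, such as interwiki prefixes, extends the set rather than the exclusions.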
@webapps: It's been 6 months, so please provide an updated ebuild or we will punt the package.
(In reply to comment #6)
> @webapps: It's been 6 months, so please provide an updated ebuild or we will
> punt the package.
I created an updated ebuild in bug #374389, but there's been no response there either.
@web-apps: Please add the updated ebuild or hardmask the package because of its currently unfixed security vulnerabilities.
Anyone alive?
(In reply to comment #9)
> Anyone alive?
Barely, but 1.9.4 is now in CVS. ;) Feel free to stabilize it. Note that arm, ppc, and sparc will have to re-keyword 1.9.4 along with a few python deps (bug #433978) that are used instead of the bundled ones now.
Thanks, Tim. Arches, please test and mark stable:
=www-apps/moinmoin-1.9.4
Target keywords : "amd64 ppc sparc x86"
amd64 stable
sparc keywords dropped
x86 stable
ppc will continue in bug 433898
Thanks, everyone. This is already on an existing GLSA draft.
This issue was resolved and addressed in GLSA 201210-02 at http://security.gentoo.org/glsa/glsa-201210-02.xml by GLSA coordinator Stefan Behte (craig).