Re: Moin update in testing
On Sat, 2012-12-29 at 19:33 +0000, Steve McIntyre wrote:
> There's been a set of security updates in moin in the last couple of
> weeks, with 2 very important ones today. I've already coordinated with
> the security team for fixes in Squeeze (1.9.3-1+squeeze4) and I've
> uploaded into sid (1.9.5-4). In Wheezy, we're currently on
> 1.9.4-8. What would you say to a TPU upload with the attached debdiff?
+moin (1.9.4-8+deb7u1) testing-proposed-updates; urgency=high
+
+ * Stack of security fixes from upstream:
+ + make taintfilename more secure
+ + escape user- or admin-defined css url
+ + use a constant time str comparison function to prevent timing
+ attacks
+ + fix remote code execution vulnerability in twikidraw/anywikidraw
+ actions (CVE-2012-XXXX).
+ + fix path traversal vulnerability in AttachFile action
+ (CVE-2012-XXXX).
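Review bot: the last two changelog items (the twikidraw/anywikidraw remote code execution fix and the AttachFile path traversal fix) still carry the placeholder CVE-2012-XXXX. Replace each with its assigned CVE identifier before the upload, or drop the parenthesis if none has been assigned yet, so that the entry can be matched against the corresponding advisories. The first three items (taintfilename, css url escaping, constant time str comparison) name no upstream changeset or bug, so a reference for each would make the backported fixes easier to audit against upstream.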
Looks okay to me; thanks. (fwiw, even for tpu, unblock bugs are generally
easier to track and less likely to get lost in the list.)
Regards,
Adam