Hi Steve

On Sun, Dec 30, 2012 at 12:22:55AM +0000, Adam D. Barratt wrote:
> On Sat, 2012-12-29 at 19:33 +0000, Steve McIntyre wrote:
> > There's been a set of security updates in moin in the last couple of
> > weeks, with 2 very important ones today. I've already coordinated with
> > the security team for fixes in Squeeze (1.9.3-1+squeeze4) and I've
> > uploaded into sid (1.9.5-4). In Wheezy, we're currently on
> > 1.9.4-8. What would you say to a TPU upload with the attached debdiff?
> >
> > +moin (1.9.4-8+deb7u1) testing-proposed-updates; urgency=high
> +
> + * Stack of security fixes from upstream:
> + + make taintfilename more secure
> + + escape user- or admin-defined css url
> + + use a constant time str comparison function to prevent timing
> + attacks
> + + fix remote code execution vulnerability in twikidraw/anywikidraw
> + actions (CVE-2012-XXXX).
> + + fix path traversal vulnerability in AttachFile action
> + (CVE-2012-XXXX).
>
> Looks okay to me; thanks. (fwiw, even for tpu unblock bugs are generally
> easier to track and less likely to get lost in the list.)

In the meantime CVEs were assigned to moin for these issues. If not yet
uploaded to t-p-u could you include these? They are CVE-2012-6080 (path
traversal vulnerability) and CVE-2012-6081 (remote code execution
vulnerability).

Regards,
Salvatore
Attachment:
signature.asc
Description: Digital signature
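Two of the changelog items above, the constant-time string comparison and the hardened attachment filename handling, are the kind of fix a packager or reviewer wants to be able to recognise in a debdiff. The following is an added illustration written for this thread; it is not MoinMoin's own code and does not reproduce its taintfilename implementation. The helper names (naive_equal, constant_time_equal, taint_filename, attachment_path) and the sample inputs are constructed for the example.

```python
import hmac
import os
import re

# Constructed illustration for this thread; not MoinMoin's own code.


def naive_equal(a: str, b: str) -> bool:
    """Byte-by-byte comparison that returns on the first mismatch.

    The running time depends on how long the common prefix is, which is
    exactly the timing side channel a constant-time comparison removes.
    Shown only as the 'before' shape; do not use for secrets.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_equal(a: str, b: str) -> bool:
    """Compare two secrets (tokens, password hashes) in time that does not
    depend on where they differ. hmac.compare_digest is the standard-library
    primitive for this and also handles unequal lengths safely."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


# Characters permitted in a stored attachment name; everything else is replaced.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def taint_filename(name: str) -> str:
    """Reduce a user-supplied attachment name to a single safe basename.

    Directory components (both '/' and '\\'), unsafe characters and leading
    dots are removed, so that input like '../../etc/passwd' cannot name a
    file outside the attachment directory.
    """
    name = name.replace("\\", "/")
    name = name.split("/")[-1]          # keep only the last path component
    name = _UNSAFE.sub("_", name)       # normalise the remaining characters
    name = name.lstrip(".")             # no hidden files, no '.' or '..'
    return name or "unnamed"


def attachment_path(attach_dir: str, name: str) -> str:
    """Build the on-disk path for an attachment and verify, after
    normalisation, that it still lies inside attach_dir. The second check is
    a belt-and-braces guard in case the sanitiser is ever weakened."""
    base = os.path.abspath(attach_dir)
    full = os.path.abspath(os.path.join(base, taint_filename(name)))
    if not full.startswith(base + os.sep):
        raise ValueError("attachment path escapes the attachment directory")
    return full


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["../../etc/passwd", "..", "a/b\\c.txt", "evil name?.png"]:
        print(repr(candidate), "->", attachment_path("/srv/wiki/attachments", candidate))
    print(constant_time_equal("s3cret-token", "s3cret-token"))
```

The timing difference of naive_equal is not something a unit test can show reliably, which is why the fix in the changelog is a change of primitive rather than a change of logic: the right defence is to route every secret comparison through a function whose cost is independent of the inputs. For the path traversal case, reducing the name to a basename and then re-checking the resolved path against the attachment directory catches both the obvious '../' form and encoded or platform-specific separators.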