
Re: Moin update in testing



On Sun, Dec 30, 2012 at 08:04:23AM +0100, Salvatore Bonaccorso wrote:
>Hi Steve
>
>> +moin (1.9.4-8+deb7u1) testing-proposed-updates; urgency=high
>> +
>> +  * Stack of security fixes from upstream:
>> +    + make taintfilename more secure
>> +    + escape user- or admin-defined css url
>> +    + use a constant time str comparison function to prevent timing
>> +      attacks
>> +    + fix remote code execution vulnerability in twikidraw/anywikidraw
>> +      actions (CVE-2012-XXXX).
>> +    + fix path traversal vulnerability in AttachFile action
>> +      (CVE-2012-XXXX).
>> 
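Review bot: the last two entries (twikidraw/anywikidraw and AttachFile) still carry the placeholder CVE-2012-XXXX, so anyone matching this upload against a security tracker has nothing to key on. Replace both with the assigned ids; later in this thread the path traversal is given as CVE-2012-6080 and the remote code execution as CVE-2012-6081.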
>> Looks okay to me; thanks. (fwiw, even for tpu unblock bugs are generally
>> easier to track and less likely to get lost in the list.)
>
>In the meantime CVEs were assigned to moin for these issues. If not yet
>uploaded to t-p-u could you include these? They are CVE-2012-6080
>(path traversal vulnerability) and CVE-2012-6081 (remote code
>execution vulnerability).

Hi Salvatore,

It's already uploaded, but I'll update the changelog in git so that
it'll be updated for future uploads.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"It's actually quite entertaining to watch ag129 prop his foot up on
 the desk so he can get a better aim."          [ seen in ucam.chat ]

