Debian Bug report logs - #584809
CVE-2010-2487: multiple XSS vulnerabilities in moin

version graph

Package: moin; Maintainer for moin is Steve McIntyre <93sam@debian.org>;

Reported by: Frank Lin PIAT <fpiat@klabs.be>

Date: Sun, 6 Jun 2010 19:27:01 UTC

Severity: grave

Tags: security

Found in versions 1.7.1-2, 1.7.1-3+lenny2

Fixed in versions 1.9.3-1, moin/1.7.1-3+lenny5

Done: Frank Lin PIAT <fpiat@klabs.be>

Bug is archived. No further changes may be made.

Forwarded to http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin. (Sun, 06 Jun 2010 19:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frank Lin PIAT <fpiat@klabs.be>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 06 Jun 2010 19:27:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Frank Lin PIAT <fpiat@klabs.be>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Sun, 06 Jun 2010 21:21:39 +0200
Package: moin
Version: 1.7.1-3+lenny2
Severity: important
Tags: security

An XSS have been reported upstream:
> There is a possible reflected Cross-Site Scripting attack. An attacker
> able to cause a user to follow a specially crafted malicious link may be
> able to recover session identifiers or exploit browser vulnerabilities.

Moin 1.9.2 (unstable) and 1.7 (lenny) are supposed to be affected.

See:
 http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg




Set Bug forwarded-to-address to 'http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg'. Request was from Frank Lin PIAT <fpiat@klabs.be> to control@bugs.debian.org. (Mon, 07 Jun 2010 04:57:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 1.7.1-2. Request was from Frank Lin PIAT <fpiat@klabs.be> to control@bugs.debian.org. (Mon, 07 Jun 2010 04:57:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin. (Mon, 07 Jun 2010 05:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frank Lin PIAT <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Mon, 07 Jun 2010 05:27:03 GMT) Full text and rfc822 format available.

Message #14 received at 584809@bugs.debian.org (full text, mbox):

From: Frank Lin PIAT <fpiat@klabs.be>
To: 584809@bugs.debian.org
Cc: team <team@security.debian.org>
Subject: Re: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Mon, 07 Jun 2010 07:25:08 +0200
[Message part 1 (text/plain, inline)]
Hi,

Find attached a patch for moin 1.7 (lenny).

Jonas, are you available to upload it?

Regards,

Franklin
[moin-1.7_theme.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#584809; Package moin. (Mon, 07 Jun 2010 06:33:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. (Mon, 07 Jun 2010 06:33:07 GMT) Full text and rfc822 format available.

Message #19 received at 584809@bugs.debian.org (full text, mbox):

From: Jonas Smedegaard <dr@jones.dk>
To: 584809@bugs.debian.org
Cc: team <team@security.debian.org>
Subject: Re: Bug#584809: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Mon, 7 Jun 2010 08:30:42 +0200
[Message part 1 (text/plain, inline)]
On Mon, Jun 07, 2010 at 07:25:08AM +0200, Frank Lin PIAT wrote:
>Hi,
>
>Find attached a patch for moin 1.7 (lenny).
>
>Jonas, are you available to upload it?

Sorry, not today and maybe not tomorrow either.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin. (Fri, 02 Jul 2010 19:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Fri, 02 Jul 2010 19:51:06 GMT) Full text and rfc822 format available.

Message #24 received at 584809@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: 584809@bugs.debian.org, team@security.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#584809: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Fri, 2 Jul 2010 14:49:24 -0500
retitle 584809 CVE-2010-2487: multiple XSS vulnerabilities in moin
severity 584809 grave
thanks

Hi,

This issue has been assigned CVE-2010-2487, please mention it in the uploads 
fixing the issues.

Jonas, Franklin, does any of you have time to prepare the package for lenny?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Changed Bug title to 'CVE-2010-2487: multiple XSS vulnerabilities in moin' from 'moin: Xss due to unescaped theme.add_msg to be fixed' Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Fri, 02 Jul 2010 19:51:07 GMT) Full text and rfc822 format available.

Severity set to 'grave' from 'important' Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Fri, 02 Jul 2010 19:51:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin. (Sun, 04 Jul 2010 15:48:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Frank Lin PIAT" <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 04 Jul 2010 15:48:16 GMT) Full text and rfc822 format available.

Message #33 received at 584809@bugs.debian.org (full text, mbox):

From: "Frank Lin PIAT" <fpiat@klabs.be>
To: "Raphael Geissert" <geissert@debian.org>, 584809@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#584809: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Sun, 4 Jul 2010 17:28:59 +0200 (CEST)
Raphael Geissert wrote:
>
> This issue has been assigned CVE-2010-2487, please mention it in the
> uploads
> fixing the issues.
>
> Jonas, Franklin, does any of you have time to prepare the package for
> lenny?

Hi Raphael,

A patch is included in this BR, it just needs to be uploaded
(well, one needs to add the CVE to the changelog, as you requested).

I have no upload right, so I can't do the actual upload myself.

Regards,

Franklin

P.S. I am working on the new upstream release for unstable, which fix this
CVE.





Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin. (Sun, 04 Jul 2010 19:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to 584809@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 04 Jul 2010 19:27:06 GMT) Full text and rfc822 format available.

Message #38 received at 584809@bugs.debian.org (full text, mbox):

From: Jonas Smedegaard <dr@jones.dk>
To: Frank Lin PIAT <fpiat@klabs.be>, 584809@bugs.debian.org
Cc: Raphael Geissert <geissert@debian.org>, team@security.debian.org
Subject: Re: Bug#584809: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Sun, 4 Jul 2010 21:23:15 +0200
[Message part 1 (text/plain, inline)]
On Sun, Jul 04, 2010 at 05:28:59PM +0200, Frank Lin PIAT wrote:
>Raphael Geissert wrote:
>>
>> This issue has been assigned CVE-2010-2487, please mention it in the 
>> uploads fixing the issues.
>>
>> Jonas, Franklin, does any of you have time to prepare the package for 
>> lenny?
>
>Hi Raphael,
>
>A patch is included in this BR, it just needs to be uploaded (well, one 
>needs to add the CVE to the changelog, as you requested).
>
>I have no upload right, so I can't do the actual upload myself.

I have very little time next 2 weeks, but if you prepare it and ping me, 
I will try take time enough to double-check and upload.


>P.S. I am working on the new upstream release for unstable, which fix 
>this CVE.

Same here.


Regards,

  - Jonas

-- 
  * Jonas Smedegaard - idealist & Internet-arkitekt
  * Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin. (Sun, 04 Jul 2010 23:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to 584809@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 04 Jul 2010 23:30:03 GMT) Full text and rfc822 format available.

Message #43 received at 584809@bugs.debian.org (full text, mbox):

From: Jonas Smedegaard <dr@jones.dk>
To: 584809@bugs.debian.org
Subject: Re: Bug#584809: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Mon, 5 Jul 2010 01:27:58 +0200
[Message part 1 (text/plain, inline)]
On Sun, Jul 04, 2010 at 09:23:15PM +0200, Jonas Smedegaard wrote:
>On Sun, Jul 04, 2010 at 05:28:59PM +0200, Frank Lin PIAT wrote:

>>P.S. I am working on the new upstream release for unstable, which fix 
>>this CVE.
>
>Same here.

I already prepared that update last week - just forgot to push it.

Done now.  Needs investigating copyright_hints and generally check if 
any upstream changes needs some adaptions to our packaging.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin. (Sun, 25 Jul 2010 18:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nc Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 25 Jul 2010 18:12:03 GMT) Full text and rfc822 format available.

Message #48 received at 584809@bugs.debian.org (full text, mbox):

From: Nc Golde <nion@debian.org>
To: 584809@bugs.debian.org
Subject: Re: Bug#584809: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Sun, 25 Jul 2010 20:13:08 +0200
[Message part 1 (text/plain, inline)]
Hi,
any news on this bug report? It's a bit sad to see a fix but nothing 
happening. Frank, if you need sponsoring I can sponsor your upload or Jonas 
please pick this up and upload. I don't want to hijack this, hence the mail 
but it would be nice to get this fixed.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584809; Package moin. (Thu, 29 Jul 2010 20:09:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Frank Lin PIAT" <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Thu, 29 Jul 2010 20:09:09 GMT) Full text and rfc822 format available.

Message #53 received at 584809@bugs.debian.org (full text, mbox):

From: "Frank Lin PIAT" <fpiat@klabs.be>
To: "Nc Golde" <nion@debian.org>, 584809@bugs.debian.org
Subject: Re: Bug#584809: moin: Xss due to unescaped theme.add_msg to be fixed
Date: Thu, 29 Jul 2010 22:06:04 +0200 (CEST)
[Message part 1 (text/plain, inline)]
Hi Nicolas,

Could you upload that security update for Debian stable. I have updated
(and attached) that patch, to mention the CVE number as suggested by
Raphael.

Thanks,

Franklin

Nc Golde wrote:
> Hi,
> any news on this bug report? It's a bit sad to see a fix but nothing
> happening. Frank, if you need sponsoring I can sponsor your upload or
> Jonas please pick this up and upload. I don't want to hijack this,
> hence the mail but it would be nice to get this fixed.

[moin-lenny_CVE-2010-2487-XSS.diff (text/x-patch, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Mon, 02 Aug 2010 18:57:04 GMT) Full text and rfc822 format available.

Notification sent to Frank Lin PIAT <fpiat@klabs.be>:
Bug acknowledged by developer. (Mon, 02 Aug 2010 18:57:04 GMT) Full text and rfc822 format available.

Message #58 received at 584809-done@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 584809-done@bugs.debian.org
Subject: closing
Date: Mon, 2 Aug 2010 20:58:10 +0200
[Message part 1 (text/plain, inline)]
Version: 1.9.3-1

looks like this was forgotten

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Frank Lin PIAT <fpiat@klabs.be>:
You have taken responsibility. (Tue, 03 Aug 2010 05:03:03 GMT) Full text and rfc822 format available.

Notification sent to Frank Lin PIAT <fpiat@klabs.be>:
Bug acknowledged by developer. (Tue, 03 Aug 2010 05:03:03 GMT) Full text and rfc822 format available.

Message #63 received at 584809-close@bugs.debian.org (full text, mbox):

From: Frank Lin PIAT <fpiat@klabs.be>
To: 584809-close@bugs.debian.org
Subject: Bug#584809: fixed in moin 1.7.1-3+lenny5
Date: Tue, 03 Aug 2010 05:00:04 +0000
Source: moin
Source-Version: 1.7.1-3+lenny5

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.7.1-3+lenny5.diff.gz
  to main/m/moin/moin_1.7.1-3+lenny5.diff.gz
moin_1.7.1-3+lenny5.dsc
  to main/m/moin/moin_1.7.1-3+lenny5.dsc
python-moinmoin_1.7.1-3+lenny5_all.deb
  to main/m/moin/python-moinmoin_1.7.1-3+lenny5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584809@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Lin PIAT <fpiat@klabs.be> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 07 Jun 2010 06:48:00 +0200
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.7.1-3+lenny5
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Frank Lin PIAT <fpiat@klabs.be>
Description: 
 python-moinmoin - Python clone of WikiWiki - library
Closes: 584809
Changes: 
 moin (1.7.1-3+lenny5) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * Fixed XSS in theme.add_msg, CVE-2010-2487
     (Closes: #584809)
Checksums-Sha1: 
 f89a8e5082469363aeca2b7c02b18c322f0c676c 1259 moin_1.7.1-3+lenny5.dsc
 3dc013eb71cd581a1a3804f27d7467d3dcc9d1c0 92369 moin_1.7.1-3+lenny5.diff.gz
 41f2d4bcd86c631af1649440e5fc7bb21debebf1 4499604 python-moinmoin_1.7.1-3+lenny5_all.deb
Checksums-Sha256: 
 f9cc61d5ac4e561455b1108138c26b402b1c33401d3ae4ee16710034f95ba7f8 1259 moin_1.7.1-3+lenny5.dsc
 8179472cadc1288895fa85706ced20a1e1dac387e48f472c7b5f4ff100ba1eef 92369 moin_1.7.1-3+lenny5.diff.gz
 ee93b193f08aa86941af2750641caa89d4c4ec7d1360ac088b4c20d0ae1a3ad3 4499604 python-moinmoin_1.7.1-3+lenny5_all.deb
Files: 
 574199fc8e4c954cdd8b75e81eecdcf2 1259 net optional moin_1.7.1-3+lenny5.dsc
 5363c01a34f85326113d767264edd42a 92369 net optional moin_1.7.1-3+lenny5.diff.gz
 c17eeecc46d92ea6db6078884c777669 4499604 python optional python-moinmoin_1.7.1-3+lenny5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkxVfT8ACgkQHYflSXNkfP/C0ACdFC2Bq6ASWi14ar8t2Fm3kvvo
lSIAnRCSmJUUhaWk597Nj3KdudqnVYwG
=7jEZ
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Sep 2010 07:31:31 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 06:46:06 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.