Author: Corey Bryant
Revision Date: 2015-08-25 15:30:19 UTC

debian/patches/pymysql-replacement.patch: Use pymysql as drop in
replacement for MySQLdb.

Author: Corey Bryant
Revision Date: 2015-08-25 15:30:19 UTC

debian/patches/pymysql-replacement.patch: Use pymysql as drop in
replacement for MySQLdb.

Author: Barry Warsaw
Revision Date: 2014-08-04 14:34:11 UTC

* Merge from Debian unstable (LP: #1351331). Remaining changes:
* debian/control:
  - remove python-xml from Suggests field, the package isn't in
    sys.path any more.
  - demote fckeditor from Recommends to Suggests; the code was previously
    embedded in moin, but it was also disabled, so there's no reason for us
    to pull this in by default currently. Note: fckeditor has a number of
    security problems and so this change probably needs to be carried
    indefinitely.

Author: Barry Warsaw
Revision Date: 2014-08-04 14:34:11 UTC

* Merge from Debian unstable (LP: #1351331). Remaining changes:
* debian/control:
  - remove python-xml from Suggests field, the package isn't in
    sys.path any more.
  - demote fckeditor from Recommends to Suggests; the code was previously
    embedded in moin, but it was also disabled, so there's no reason for us
    to pull this in by default currently. Note: fckeditor has a number of
    security problems and so this change probably needs to be carried
    indefinitely.

Author: Barry Warsaw
Revision Date: 2014-08-04 14:34:11 UTC

* Merge from Debian unstable (LP: #1351331). Remaining changes:
* debian/control:
  - remove python-xml from Suggests field, the package isn't in
    sys.path any more.
  - demote fckeditor from Recommends to Suggests; the code was previously
    embedded in moin, but it was also disabled, so there's no reason for us
    to pull this in by default currently. Note: fckeditor has a number of
    security problems and so this change probably needs to be carried
    indefinitely.

Author: Andrey Bondarenko
Revision Date: 2014-05-20 10:09:03 UTC

* Merge with Ubuntu; remaining changes:
* MoinMoin/Page.py: add pi[title] for custom page titles
  see http://moinmo.in/FeatureRequests/CustomPageTitle
* Make XMLRPC error messages more detailed.
  - MoinMoin/xmlrpc/__init__.py: add pagename for NOT_EXIST fault.
  - MoinMoin/util/rpc_aggregator.py: add function name and args to
    fault message.
* MoinMoin/action/SyncPages.py: do not sync pages that are deleted in both wiki

Author: Matthias Klose
Revision Date: 2014-02-23 13:48:55 UTC

Rebuild to drop files installed into /usr/share/pyshared.

Author: Matthias Klose
Revision Date: 2014-02-23 13:48:55 UTC

Rebuild to drop files installed into /usr/share/pyshared.

Author: Sebastien Bacher
Revision Date: 2013-05-16 11:56:01 UTC

* Merge from Debian unstable. Remaining changes:
* debian/control:
  - remove python-xml from Suggests field, the package isn't in
    sys.path any more.
  - demote fckeditor from Recommends to Suggests; the code was previously
    embedded in moin, but it was also disabled, so there's no reason for us
    to pull this in by default currently. Note: fckeditor has a number of
    security problems and so this change probably needs to be carried
    indefinitely.

Author: Sebastien Bacher
Revision Date: 2013-05-16 11:56:01 UTC

* Merge from Debian unstable. Remaining changes:
* debian/control:
  - remove python-xml from Suggests field, the package isn't in
    sys.path any more.
  - demote fckeditor from Recommends to Suggests; the code was previously
    embedded in moin, but it was also disabled, so there's no reason for us
    to pull this in by default currently. Note: fckeditor has a number of
    security problems and so this change probably needs to be carried
    indefinitely.

Author: Benjamin Kerensa
Revision Date: 2013-05-13 07:32:29 UTC

* Merge from Debian unstable. Remaining changes:
 - debian/rules: remove python-xml from CDBS_SUGGESTS field, the package
   isn't in sys.path any more.
 - debian/rules: demote fckeditor from CDBS_RECOMMENDS to CDBS_SUGGESTS; the
   code was previously embedded in moin, but it was also disabled, so
   there's no reason for us to pull this in by default currently. Note:
   fckeditor has a number of security problems and so this change probably
   needs to be carried indefinitely.
* Re-package without CDBS.
    (CVE-2012-6080).
    actions (CVE-2012-6081).
  + fix XSS issue, escape page name in rss link (CVE-2012-6082)

Author: Jamie Strandboge
Revision Date: 2013-01-03 10:58:34 UTC

* Merge from Debian unstable. Remaining changes:
 - debian/rules: remove python-xml from CDBS_SUGGESTS field, the package
   isn't in sys.path any more.
 - debian/rules: demote fckeditor from CDBS_RECOMMENDS to CDBS_SUGGESTS; the
   code was previously embedded in moin, but it was also disabled, so
   there's no reason for us to pull this in by default currently. Note:
   fckeditor has a number of security problems and so this change probably
   needs to be carried indefinitely.
* Dropped the following patches, no longer needed:
  - debian/patches/CVE-2012-XXXX.patch
  - debian/patches/CVE-2012-YYYY.patch

Author: Jamie Strandboge
Revision Date: 2013-01-03 10:58:34 UTC

* Merge from Debian unstable. Remaining changes:
 - debian/rules: remove python-xml from CDBS_SUGGESTS field, the package
   isn't in sys.path any more.
 - debian/rules: demote fckeditor from CDBS_RECOMMENDS to CDBS_SUGGESTS; the
   code was previously embedded in moin, but it was also disabled, so
   there's no reason for us to pull this in by default currently. Note:
   fckeditor has a number of security problems and so this change probably
   needs to be carried indefinitely.
* Dropped the following patches, no longer needed:
  - debian/patches/CVE-2012-XXXX.patch
  - debian/patches/CVE-2012-YYYY.patch

Author: Jamie Strandboge
Revision Date: 2012-12-29 18:22:20 UTC

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

Author: Jamie Strandboge
Revision Date: 2012-12-29 18:22:20 UTC

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

Author: Jamie Strandboge
Revision Date: 2012-12-29 18:20:21 UTC

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

Author: Jamie Strandboge
Revision Date: 2012-12-29 18:20:21 UTC

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

Author: Jamie Strandboge
Revision Date: 2012-12-29 18:18:00 UTC

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

Author: Jamie Strandboge
Revision Date: 2012-12-29 18:18:00 UTC

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

Author: Jamie Strandboge
Revision Date: 2012-12-29 18:14:52 UTC

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

Author: Jamie Strandboge
Revision Date: 2012-12-29 18:14:52 UTC

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

Author: Andrey Bondarenko
Revision Date: 2012-10-14 16:28:47 UTC

* Merge changes from 1.9.3-1ubuntu2.1
  * SECURITY UPDATE: cross-site scripting issue in reStructuredText parser
    - debian/patches/CVE-2011-1058.patch: remove javascript support in
      MoinMoin/parser/text_rst.py.
    - CVE-2011-1058
  * SECURITY UPDATE: incorrect permissions due to broken virtual group
    names handling
    - debian/patches/CVE-2012-4404.patch: fix group test in
      MoinMoin/security/__init__.py, added test in
      MoinMoin/security/_tests/test_security.py.
    - CVE-2012-4404

Author: Marc Deslauriers
Revision Date: 2012-10-10 10:20:46 UTC

* SECURITY UPDATE: cross-site scripting issue in reStructuredText parser
  - debian/patches/CVE-2011-1058.patch: remove javascript support in
    MoinMoin/parser/text_rst.py.
  - CVE-2011-1058
* SECURITY UPDATE: incorrect permissions due to broken virtual group
  names handling
  - debian/patches/CVE-2012-4404.patch: fix group test in
    MoinMoin/security/__init__.py, added test in
    MoinMoin/security/_tests/test_security.py.
  - CVE-2012-4404

Author: Marc Deslauriers
Revision Date: 2012-10-10 10:20:46 UTC

* SECURITY UPDATE: cross-site scripting issue in reStructuredText parser
  - debian/patches/CVE-2011-1058.patch: remove javascript support in
    MoinMoin/parser/text_rst.py.
  - CVE-2011-1058
* SECURITY UPDATE: incorrect permissions due to broken virtual group
  names handling
  - debian/patches/CVE-2012-4404.patch: fix group test in
    MoinMoin/security/__init__.py, added test in
    MoinMoin/security/_tests/test_security.py.
  - CVE-2012-4404

Author: Marc Deslauriers
Revision Date: 2012-10-10 10:13:05 UTC

* SECURITY UPDATE: cross-site scripting issue in reStructuredText parser
  - debian/patches/CVE-2011-1058.patch: remove javascript support in
    MoinMoin/parser/text_rst.py.
  - CVE-2011-1058
* SECURITY UPDATE: incorrect permissions due to broken virtual group
  names handling
  - debian/patches/CVE-2012-4404.patch: fix group test in
    MoinMoin/security/__init__.py, added test in
    MoinMoin/security/_tests/test_security.py.
  - CVE-2012-4404

Author: Matthias Klose
Revision Date: 2011-12-17 13:16:29 UTC

Build using dh_python2

Author: Clint Byrum
Revision Date: 2010-08-11 12:35:34 UTC

* Merge from Debian unstable (LP: #586518). Based on work by Stefan Ebner.
  Remaining changes:
 - Remove python-xml from Suggests field, the package isn't anymore in
   sys.path.
 - Demote fckeditor from Recommends to Suggests; the code was previously
   embedded in moin, but it was also disabled, so there's no reason
   for us to pull this in by default currently. Note: fckeditor has a
   number of security problems and so this change probably needs to be
   carried indefinitely.

Author: Clint Byrum
Revision Date: 2010-08-11 12:35:34 UTC

* Merge from Debian unstable (LP: #586518). Based on work by Stefan Ebner.
  Remaining changes:
 - Remove python-xml from Suggests field, the package isn't anymore in
   sys.path.
 - Demote fckeditor from Recommends to Suggests; the code was previously
   embedded in moin, but it was also disabled, so there's no reason
   for us to pull this in by default currently. Note: fckeditor has a
   number of security problems and so this change probably needs to be
   carried indefinitely.

Author: Thierry Carrez
Revision Date: 2010-04-23 15:21:19 UTC

debian/rules: Avoid pulling libapache2-mod-wsgi by default, by recommending
"apache2 | httpd-cgi" instead of "libapache2-mod-wsgi | httpd-cgi".
Suggest libapache2-mod-wsgi instead. That prevents us from needing to rush
libapache2-mod-wsgi in main one week before release.

Author: Marc Deslauriers
Revision Date: 2010-08-20 13:37:52 UTC

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/30009_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

Author: Marc Deslauriers
Revision Date: 2010-08-20 10:49:14 UTC

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/30003_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

Author: Marc Deslauriers
Revision Date: 2010-08-20 10:49:14 UTC

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/30003_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

Author: Bhavani Shankar
Revision Date: 2009-07-05 23:31:26 UTC

* Merge from debian unstable, remaining changes: LP: #395833
  - debian/rules:
    - Add --install-layout=deb option to install everything in /usr instead
      of /usr/local.
    - Remove python-xml from Recommends field, the package isn't anymore in
      sys.path.
    - Demote fckeditor from Recommends to Suggests; the code was
      previously embedded in moin, but it was also disabled, so there's no
      reason for us to pull this in by default currently.

Author: Marc Deslauriers
Revision Date: 2010-08-20 11:01:45 UTC

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/30006_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

Author: Marc Deslauriers
Revision Date: 2010-08-20 11:01:45 UTC

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/30006_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

Author: Steve Langasek
Revision Date: 2009-04-09 00:20:18 UTC

Demote fckeditor from Recommends to Suggests; the code was
previously embedded in moin, but it was also disabled, so there's no
reason for us to pull this in by default currently.

Author: Jamie Strandboge
Revision Date: 2010-03-30 13:53:34 UTC

* SECURITY UPDATE: fix XSS in Despam action
  - debian/patches/30006_CVE-2010-0828.patch: use wikiutil.escape()
    in revert_pages()
  - CVE-2010-0828
* SECURITY UPDATE: fix bypass of textcha protection
  - debian/patches/30007_CVE-2010-1238.patch: make sure the question and
    answer form fields are filled in
  - CVE-2010-1238

Author: Jamie Strandboge
Revision Date: 2010-03-30 13:53:34 UTC

* SECURITY UPDATE: fix XSS in Despam action
  - debian/patches/30006_CVE-2010-0828.patch: use wikiutil.escape()
    in revert_pages()
  - CVE-2010-0828
* SECURITY UPDATE: fix bypass of textcha protection
  - debian/patches/30007_CVE-2010-1238.patch: make sure the question and
    answer form fields are filled in
  - CVE-2010-1238

Author: Matthias Klose
Revision Date: 2008-10-20 16:54:08 UTC

Drop recommendation of python-xml, the packages isn't anymore in
sys.path.

Author: Jamie Strandboge
Revision Date: 2009-01-27 16:15:53 UTC

* SECURITY UPDATE: cross-site scripting via rename parameter and
  basename variable
  - debian/patches/30001_CVE-2009-0260.patch: use wikiutil.escape() in
    MoinMoin/action/AttachFile.py
  - CVE-2009-0260
* SECURITY UPDATE: cross-site scripting via content variable
  - debian/pathes/30002_antispam_xss_fix.patch: use wikiutil.escape()
    in MoinMoin/util/antispam.py
  - CVE-2009-XXXX
* SECURITY UPDATE: cross-site scripting in login
  - debian/patches/30003_CVE-2008-0780.patch: update action/login.py to use
    wikiutil.escape() for name
  - CVE-2008-0780
  - LP: #200897
* SECURITY UPDATE: cross-site scripting in AttachFile
  - debian/patches/30004_CVE-2008-0781.patch: use wikiutil.escape() for
    msg, pagename and target filenames in MoinMoin/action/AttachFile.py
  - CVE-2008-0781
* SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
    cookie action
  - debian/patches/30005_CVE-2008-0782.patch: update MoinMoin/user.py to
    check USERID via the new id_sanitycheck() function
  - CVE-2008-0782
* SECURITY UPDATE: cross-site scripting in PageEditor
  - debian/patches/30006_CVE-2008-1098.patch: use wikiutil.escape() in
    MoinMoin/PageEditor.py
  - CVE-2008-1098
* SECURITY UPDATE: _macro_Getval does not properly enforce ACLs
  - debian/patches/30007_CVE-2008-1099.patch: update wikimacro.py and
    wikiutil.py to use request.user.may.read()
  - CVE-2008-1099

Author: Marc Deslauriers
Revision Date: 2010-08-20 13:37:52 UTC

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/30009_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

Author: Matthias Klose
Revision Date: 2008-02-27 16:06:05 UTC

Do not suggest python-xml, but python-4suite-xml.

Author: Jamie Strandboge
Revision Date: 2009-01-27 16:15:53 UTC

* SECURITY UPDATE: cross-site scripting via rename parameter and
  basename variable
  - debian/patches/30001_CVE-2009-0260.patch: use wikiutil.escape() in
    MoinMoin/action/AttachFile.py
  - CVE-2009-0260
* SECURITY UPDATE: cross-site scripting via content variable
  - debian/pathes/30002_antispam_xss_fix.patch: use wikiutil.escape()
    in MoinMoin/util/antispam.py
  - CVE-2009-XXXX
* SECURITY UPDATE: cross-site scripting in login
  - debian/patches/30003_CVE-2008-0780.patch: update action/login.py to use
    wikiutil.escape() for name
  - CVE-2008-0780
  - LP: #200897
* SECURITY UPDATE: cross-site scripting in AttachFile
  - debian/patches/30004_CVE-2008-0781.patch: use wikiutil.escape() for
    msg, pagename and target filenames in MoinMoin/action/AttachFile.py
  - CVE-2008-0781
* SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
    cookie action
  - debian/patches/30005_CVE-2008-0782.patch: update MoinMoin/user.py to
    check USERID via the new id_sanitycheck() function
  - CVE-2008-0782
* SECURITY UPDATE: cross-site scripting in PageEditor
  - debian/patches/30006_CVE-2008-1098.patch: use wikiutil.escape() in
    MoinMoin/PageEditor.py
  - CVE-2008-1098
* SECURITY UPDATE: _macro_Getval does not properly enforce ACLs
  - debian/patches/30007_CVE-2008-1099.patch: update wikimacro.py and
    wikiutil.py to use request.user.may.read()
  - CVE-2008-1099

Author: Matthias Klose
Revision Date: 2007-09-09 01:36:23 UTC

Suggest python-xml (needed for DocBook rendering). LP: #31728.

Author: Kees Cook
Revision Date: 2007-05-07 03:33:36 UTC

* SECURITY UPDATE: XSS via AttachFile actions, unchecked ACLs.
* Add 092_fix-attach-xss.patch: upstream patch.
* Add 093_fix-acl-checks.patch: upstream patches.
* References
  http://hg.thinkmo.de/moin/1.5/rev/288694f8dfde
  http://hg.thinkmo.de/moin/1.5/rev/4949ad88af4e
  http://hg.thinkmo.de/moin/1.5/rev/0e41a0429ee1
  CVE-2007-2423

Author: Kees Cook
Revision Date: 2007-05-07 03:33:36 UTC

* SECURITY UPDATE: XSS via AttachFile actions, unchecked ACLs.
* Add 092_fix-attach-xss.patch: upstream patch.
* Add 093_fix-acl-checks.patch: upstream patches.
* References
  http://hg.thinkmo.de/moin/1.5/rev/288694f8dfde
  http://hg.thinkmo.de/moin/1.5/rev/4949ad88af4e
  http://hg.thinkmo.de/moin/1.5/rev/0e41a0429ee1
  CVE-2007-2423

Author: Marc Deslauriers
Revision Date: 2010-08-20 13:47:29 UTC

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/103_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

Author: Kees Cook
Revision Date: 2007-02-15 13:20:58 UTC

* debian/patches/091_show-traceback-option.patch: allow for
  'show_traceback=0' in Moin configurations.
* References
  CVE-2007-0902

Author: Kees Cook
Revision Date: 2007-05-07 03:36:59 UTC

* SECURITY UPDATE: XSS via AttachFile actions, unchecked ACLs.
* Add 092_fix-attach-xss.patch: upstream patch.
* Add 093_fix-acl-checks.patch: upstream patches.
* References
  http://hg.thinkmo.de/moin/1.5/rev/288694f8dfde
  http://hg.thinkmo.de/moin/1.5/rev/4949ad88af4e
  http://hg.thinkmo.de/moin/1.5/rev/0e41a0429ee1
  CVE-2007-2423

Author: Kees Cook
Revision Date: 2007-05-07 03:36:59 UTC

* SECURITY UPDATE: XSS via AttachFile actions, unchecked ACLs.
* Add 092_fix-attach-xss.patch: upstream patch.
* Add 093_fix-acl-checks.patch: upstream patches.
* References
  http://hg.thinkmo.de/moin/1.5/rev/288694f8dfde
  http://hg.thinkmo.de/moin/1.5/rev/4949ad88af4e
  http://hg.thinkmo.de/moin/1.5/rev/0e41a0429ee1
  CVE-2007-2423

Author: Sivan Greenberg
Revision Date: 2006-07-09 19:28:02 UTC

* Merge new debian version.
* Reapply Ubuntu changes:
    + debian/rules:
      - Comment out usage of control.ubuntu.in (doesn't fit!).
    + debian/control.in:
      - Dropped python2.3 binary package.
    + debian/control:
      - Dropped python2.3 binary, again.
      - Dropped python2.3-dev from Build-Depends-Indep.
    + debian/patches/001-attachment-xss-fix.patch:
      - Dropped this patch. It's now in upstream's distribution.

Author: Marc Deslauriers
Revision Date: 2010-08-20 13:47:29 UTC

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/103_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

Author: Sebastian Dröge
Revision Date: 2006-05-14 16:23:00 UTC

* debian/patches/001-attachment-xss-fix.patch:
  + SECURITY: Backported patch from latest upstream version:
    - Fixed cross site scripting issue which could lead to cookie theft etc.
      Thanks to the CAcert Security Team!
  + Thanks to Alexander Schremmer for pointing at this security problem

Author: Kees Cook
Revision Date: 2007-02-15 16:05:55 UTC

* SECURITY UPDATE: XSS via debug output.
* Add 'debian/patches/091_fix-debug-report-xss.patch': escape debug report,
  add "show_traceback" option to provide the ability to silence tracebacks
  completely. Configurable as "show_traceback=0" in your /etc/moin/*.py
  instance configurations.
* References
  CVE-2007-0901
  CVE-2007-0902

Author: LaMont Jones
Revision Date: 2005-05-02 19:28:08 UTC

Recommend: postfix | mail-transport-agent

Author: Matthias Klose
Revision Date: 2004-12-16 15:01:57 UTC

Build using python2.4.

Author: Jonas Smedegaard
Revision Date: 2004-06-17 07:27:16 UTC

* New upstream release. Closes: Bug#254756 (thanks to Ben
  <synrg@nslug.ns.ca>):
  + Improved diff generation (python 2.3 difflib used and local copy
    dropped).
  + Scripts changed to use #!/usr/bin/env python.
  + Users now _must_ specify a password when creating a new account.
  + User accounts matching config.page_group_regex are now illegal.
    Note: existing accounts must be manually checked (read upstream
    changelog for more info).
  + subscription email sending now honours ACLs correctly.
  + Several markup / rendering / user interface fixes/improvements.
  + RSS fixes: non-ASCII characters; UTC timestamps; RecentChanges ok.
  + Better email generation: Message-ID header; standards compliant
    subject; use config.mail_from with "lost my password" emails.
  + Improved file attachments handling.
  + Themes improvements, and new theme "rightsidebar" added.
  + Crashing bugs fixed: diffs for deleted pages; xml footnotes;
    SystemInfo with empty editlog.
  + Improved robots hints.
  + Translation updates / fixes, and russian i18n added.
  + TitleIndex now sorts case-insensitively.
  + New macro: PageHits.py.
* Include patch for UnpicklingError bug (thanks again to Ben
  <synrg@nslug.ns.ca>).
* Drop hashbang patches: fixed upstream now.
* Improve woody backport-ability:
  + Set DEB_PYTHON_COMPILE_VERSION immediately (use := instead of =).
  + Add newline when changing hashbang (bug in perl 5.6?).
  + Include difflib from python 2.2.3.
* Update InterWiki.txt.
* Small but important fix to danish localisation:
  s/BrugerIndstillinger/BrugerProfil/g .
* Standards-version 3.6.1 (no changes needed).

Author: Clint Byrum
Revision Date: 2010-08-11 12:35:34 UTC

* Merge from Debian unstable (LP: #586518). Based on work by Stefan Ebner.
  Remaining changes:
 - Remove python-xml from Suggests field, the package isn't anymore in
   sys.path.
 - Demote fckeditor from Recommends to Suggests; the code was previously
   embedded in moin, but it was also disabled, so there's no reason
   for us to pull this in by default currently. Note: fckeditor has a
   number of security problems and so this change probably needs to be
   carried indefinitely.