lp:~bkerensa/ubuntu/saucy/moin/1.9.5-5

Created by Benjamin Kerensa and last modified
Get this branch:
bzr branch lp:~bkerensa/ubuntu/saucy/moin/1.9.5-5

Branch information

Owner: Benjamin Kerensa
Status: Development

Recent revisions

40. By Benjamin Kerensa

* Merge from Debian unstable. Remaining changes:
 - debian/rules: remove python-xml from CDBS_SUGGESTS field, the package
   isn't in sys.path any more.
 - debian/rules: demote fckeditor from CDBS_RECOMMENDS to CDBS_SUGGESTS; the
   code was previously embedded in moin, but it was also disabled, so
   there's no reason for us to pull this in by default currently. Note:
   fckeditor has a number of security problems and so this change probably
   needs to be carried indefinitely.
* Re-package without CDBS.
    (CVE-2012-6080).
    actions (CVE-2012-6081).
  + fix XSS issue, escape page name in rss link (CVE-2012-6082)

39. By Jamie Strandboge

* Merge from Debian unstable. Remaining changes:
 - debian/rules: remove python-xml from CDBS_SUGGESTS field, the package
   isn't in sys.path any more.
 - debian/rules: demote fckeditor from CDBS_RECOMMENDS to CDBS_SUGGESTS; the
   code was previously embedded in moin, but it was also disabled, so
   there's no reason for us to pull this in by default currently. Note:
   fckeditor has a number of security problems and so this change probably
   needs to be carried indefinitely.
* Dropped the following patches, no longer needed:
  - debian/patches/CVE-2012-XXXX.patch
  - debian/patches/CVE-2012-YYYY.patch

38. By Jamie Strandboge

* SECURITY UPDATE: arbitrary code execution via anywikidraw/twikidraw
  - debian/patches/CVE-2012-XXXX.patch: adjust action/anywikidraw.py and
    action/twikidraw.py to use wikiutil.taintfilename()
  - CVE-2012-XXXX
* SECURITY UPDATE: path traversal via AttachFile
  - debian/patches/CVE-2012-YYYY.patch: adjust action/AttachFile.py to use
    wikiutil.taintfilename()
  - CVE-2012-YYYY

37. By Marc Deslauriers

* Merge from Debian unstable (LP: #1046616). Remaining changes:
 - Remove python-xml from Suggests field, the package isn't in sys.path
   anymore.
 - Demote fckeditor from Recommends to Suggests; the code was previously
   embedded in moin, but it was also disabled, so there's no reason
   for us to pull this in by default currently. Note: fckeditor has a
   number of security problems and so this change probably needs to be
   carried indefinitely.

36. By Marc Deslauriers

* SECURITY UPDATE: cross-site scripting issue in reStructuredText parser
  - debian/patches/CVE-2011-1058.patch: remove javascript support in
    MoinMoin/parser/text_rst.py.
  - CVE-2011-1058
* SECURITY UPDATE: incorrect permissions due to broken virtual group
  names handling
  - debian/patches/CVE-2012-4404.patch: fix group test in
    MoinMoin/security/__init__.py, added test in
    MoinMoin/security/_tests/test_security.py.
  - CVE-2012-4404

35. By Matthias Klose

Build using dh_python2

34. By Clint Byrum

* Merge from Debian unstable (LP: #586518). Based on work by Stefan Ebner.
  Remaining changes:
 - Remove python-xml from Suggests field, the package isn't in sys.path
   anymore.
 - Demote fckeditor from Recommends to Suggests; the code was previously
   embedded in moin, but it was also disabled, so there's no reason
   for us to pull this in by default currently. Note: fckeditor has a
   number of security problems and so this change probably needs to be
   carried indefinitely.

33. By Thierry Carrez

debian/rules: Avoid pulling libapache2-mod-wsgi by default, by recommending
"apache2 | httpd-cgi" instead of "libapache2-mod-wsgi | httpd-cgi".
Suggest libapache2-mod-wsgi instead. That prevents us from needing to rush
libapache2-mod-wsgi in main one week before release.

32. By Jamie Strandboge

* Debian declares python-werkzeug and python-parsedatetime as Depends and
  python-xappy as Recommends, however these packages are in universe,
  which breaks Ubuntu policy (section 2.2.1). Until these packages can be
  added to main, use the embedded copies in moin.
  - debian/patches/ubuntu_use_embedded_for_main.patch: update setup.py
  - debian/rules: update CDBS_DEPENDS and CDBS_RECOMMENDS for the above
* SECURITY UPDATE: fix XSS in Despam action
  - debian/patches/CVE-2010-0828.patch: use wikiutil.escape() in
    revert_pages()
  - CVE-2010-0828

31. By Jamie Strandboge

* Merge from Debian testing (LP: #521834). Based on work by Stefan Ebner.
  Remaining changes:
 - Remove python-xml from Suggests field, the package isn't in sys.path
   anymore.
 - Demote fckeditor from Recommends to Suggests; the code was previously
   embedded in moin, but it was also disabled, so there's no reason for us
   to pull this in by default currently. Note: This isn't necessary anymore
   but needs a MIR for fckeditor, so postpone dropping this change until
   lucid+1
* debian/rules:
  - Replace hardcoded python2.5 with python* and hardcode python2.6 for ln
* debian/control.in: drop versioned depends on cdbs

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/saucy/moin