lp:ubuntu/dapper-updates/moin

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/dapper-updates/moin

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

14. By Marc Deslauriers

* SECURITY UPDATE: arbitrary script injection via multiple cross-site
  scripting issues.
  - debian/patches/103_CVE-2010-2487,2969,2970.patch: properly escape
    strings in MoinMoin/{Page,PageEditor,PageGraphicalEditor}.py,
    MoinMoin/action/*.py.
  - CVE-2010-2487
  - CVE-2010-2969

13. By Jamie Strandboge

* SECURITY UPDATE: fix XSS in Despam action
  - debian/patches/102_CVE-2010-0828.patch: use wikiutil.escape()
    in revert_pages()
  - CVE-2010-0828

12. By Jamie Strandboge

* SECURITY UPDATE: fix multiple CSRF vulnerabilities
  - debian/patches/100_CVE-2010-0668.patch: add tickets to prevent CSRF
    attacks in several components.
  - CVE-2010-0668
* SECURITY UPDATE: properly sanitize user profiles
  - debian/patches/101_CVE-2010-0669.patch: adjust userprefs/prefs.py,
    user.py and wikiutil.py to sanitize input
  - CVE-2010-0669

11. By Jamie Strandboge

* SECURITY UPDATE: cross-site scripting via rename parameter and
  basename variable
  - debian/patches/094_CVE-2009-0260.patch: use wikiutil.escape() in
    MoinMoin/action/AttachFile.py
  - CVE-2009-0260
* SECURITY UPDATE: cross-site scripting via content variable
  - debian/patches/095_antispam_xss_fix.patch: use wikiutil.escape()
    in MoinMoin/util/antispam.py
  - CVE-2009-XXXX
* SECURITY UPDATE: cross-site scripting in AttachFile
  - debian/patches/096_CVE-2008-0781.patch: use wikiutil.escape() for
    msg and target filenames in MoinMoin/action/AttachFile.py
  - CVE-2008-0781
  - LP: #200897
* SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
  cookie action
  - debian/patches/097_CVE-2008-0782.patch: update MoinMoin/user.py to
    check USERID via the new id_sanitycheck() function
  - CVE-2008-0782
* SECURITY UPDATE: cross-site scripting in PageEditor
  - debian/patches/098_CVE-2008-1098.patch: use wikiutil.escape() in
    MoinMoin/PageEditor.py
  - CVE-2008-1098
* SECURITY UPDATE: _macro_Getval does not properly enforce ACLs
  - debian/patches/099_CVE-2008-1099.patch: update wikimacro.py and
    wikiutil.py to use request.user.may.read()
  - CVE-2008-1099

10. By Kees Cook

* SECURITY UPDATE: XSS via AttachFile actions, unchecked ACLs.
* Add 092_fix-attach-xss.patch: upstream patch.
* Add 093_fix-acl-checks.patch: upstream patches.
* References
  http://hg.thinkmo.de/moin/1.5/rev/288694f8dfde
  http://hg.thinkmo.de/moin/1.5/rev/4949ad88af4e
  http://hg.thinkmo.de/moin/1.5/rev/0e41a0429ee1
  CVE-2007-2423

9. By Kees Cook

* debian/patches/091_show-traceback-option.patch: allow for
  'show_traceback=0' in Moin configurations.
* References
  CVE-2007-0902

8. By Kees Cook

* SECURITY UPDATE: fix XSS in pagename displays.
* Add 'debian/patches/090_fix-pagename-xss.patch': based on patches from
  upstream. Added fixes for "LikePages".
* References
  http://hg.thinkmo.de/moin/1.5?fl=28eb59256911;file=docs/CHANGES
  CVE-2007-0857

7. By Sebastian Dröge

* debian/patches/001-attachment-xss-fix.patch:
  + SECURITY: Backported patch from latest upstream version:
    - Fixed cross site scripting issue which could lead to cookie theft etc.
      Thanks to the CAcert Security Team!
  + Thanks to Alexander Schremmer for pointing at this security problem

6. By Matthias Klose

Drop python2.3 package.

5. By Steve Kowalik

* New upstream release.
* Update packaging from Debian.
  - Merge the current debian/rules file with the Ubuntu one to make a
    hideous monster!
  - Stop using ${python:Depends}, as dh_python seems to be adding a
    python2.3 dependency for some reason.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/natty/moin