#1598 Freeze break request: moin-1.8.2-2.fc11
Closed: Fixed. Opened 15 years ago by vpv.

  • A description of what you want to change
      • I'm asking for this package to be tagged for F11 final, because it includes two security patches.
  • Rationale for why the change is important enough to be allowed in after the final freeze.
      • When doing a sort-of audit of security patches for the moin version in F9 and F10 I noticed the fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0781 was missing from moin 1.6 and newer. After having reported this to upstream, they released two security patches to fix the vulnerability again. The patches are listed at http://moinmo.in/SecurityFixes#moin1.8.2 and included in this new package.
  • Impact of not accepting the development at this point of the schedule.
      • The original CVE report says 'Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py allow remote attackers to inject arbitrary web script or HTML via (1) message, (2) pagename, and (3) target filenames.'
  • Information on what testing you've already done on the development to help reduce the risk.
      • I've done some basic testing of the patched AttachFile action myself. These patches are from upstream, so the moin developers have done some testing as well.

Metadata Update from @vpv:
- Issue set to the milestone: Fedora 11 Final

7 years ago
