root/mports/trunk/www/moinmoin
Revision 10021 - Directory Listing - [select for diffs]
Modified Sat Oct 9 15:19:32 2010 UTC (13 years, 7 months ago) by laffer1
Diff to previous 9153
Update to 1.9.3.

XSS by unescaped content emitted by theme.add_msg (CVE-2010-2487). Affected: likely all up to 1.9.2
fix XSS in template parameter
fix another potential XSS issue
fix more potential XSS issues
The portion of the above that patches MoinMoin/action/RenamePage.py has two problems:
  It doesn't apply directly to the 1.9.2 base because of other changes.
    Use this diff made against 1.9.2 for applying to 1.9.2 installation: http://paste.pocoo.org/show/221927/ -- EugeneSyromyatnikov 2010-06-04 15:27:17
  It contains an extraneous merge artifact ">>>>>>> other".
    This issue (excuse me for my fault) is fixed in http://hg.moinmo.in/moin/1.9/rev/60fde500cbc2 -- EugeneSyromyatnikov 2010-06-04 15:27:17
There is another problem with the above patch. The patch to MoinMoin/action/login.py does not import wikiutil and at least the 1.9.2 base does not have that import. -- MarkSapiro 2010-06-06 02:36:20
f8871116c6b3 -- EugeneSyromyatnikov 2010-06-06 05:38:08
fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge (Ubuntu) for fixing
To avoid the issue, please be careful when using Despam action (it is only available for superuser) - please check the page names of the pages to despam first. If they look strange (like containing javascript or html), then don't use Despam to clean them up. If you don't need Despam, you could of course also use actions_excluded to completely disable it.
Fixes security issues of moin 1.9.1:

1.9.2 fixes CVE-2010-0669.
1.9.2 fixes CVE-2010-0668 (and also CVE-2010-0717 which is just another sub-issue of the same issue)

Revision 9153 - Directory Listing - [select for diffs]
Modified Wed Jan 20 14:03:16 2010 UTC (14 years, 3 months ago) by laffer1
Diff to previous 9152
1.9.1

Revision 9152 - Directory Listing - [select for diffs]
Modified Wed Jan 20 02:42:58 2010 UTC (14 years, 3 months ago) by laffer1
Diff to previous 7755
1.8.6

Revision 7755 - Directory Listing - [select for diffs]
Modified Tue Apr 28 00:03:31 2009 UTC (15 years ago) by laffer1
Diff to previous 7070
update to 1.8.3

Revision 7070 - Directory Listing - [select for diffs]
Modified Tue Jan 13 01:01:10 2009 UTC (15 years, 4 months ago) by laffer1
Diff to previous 5803
update to 1.7.3

Revision 5803 - Directory Listing - [select for diffs]
Modified Thu Jul 24 03:47:34 2008 UTC (15 years, 9 months ago) by laffer1
Diff to previous 5641
update to 1.7.1

Revision 5641 - Directory Listing - [select for diffs]
Modified Tue Jun 24 20:47:47 2008 UTC (15 years, 10 months ago) by laffer1
Diff to previous 5613
fix fake environment, seen on magus

Revision 5613 - Directory Listing - [select for diffs]
Modified Sun Jun 22 19:45:38 2008 UTC (15 years, 10 months ago) by laffer1
Diff to previous 5409
Update the damn plist for 1.6.3

Revision 5409 - Directory Listing - [select for diffs]
Modified Thu Jun 12 20:33:43 2008 UTC (15 years, 11 months ago) by laffer1
Diff to previous 4170
Update to 1.6.3.

Revision 4170 - Directory Listing - [select for diffs]
Modified Sat Mar 8 20:28:16 2008 UTC (16 years, 2 months ago) by laffer1
Diff to previous 4157
Remove the ************** bs

Revision 4157 - Directory Listing - [select for diffs]
Added Wed Mar 5 20:00:50 2008 UTC (16 years, 2 months ago) by laffer1
Add moinmoin
