Bug 565604 (CVE-2010-0668, CVE-2010-0669, CVE-2010-0717)
| Summary: | CVE-2010-0668 CVE-2010-0669 CVE-2010-0717 Moin: Security fixes in v1.8.7, v1.9.2 |
|---|---|
| Product: | [Other] Security Response |
| Component: | vulnerability |
| Status: | CLOSED ERRATA |
| Severity: | medium |
| Priority: | medium |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://moinmo.in/MoinMoinRelease1.8 |
| Reporter: | Jan Lieskovsky <jlieskov> |
| Assignee: | Red Hat Product Security <security-response-team> |
| CC: | matthias, vdanen, vpvainio |
| Keywords: | Security |
| Doc Type: | Bug Fix |
| Last Closed: | 2010-03-29 08:58:39 UTC |

Description
Jan Lieskovsky
2010-02-15 18:10:52 UTC
These issues affect the versions of the Moin package, as shipped within Fedora release of 11 and 12. Please rebase to v1.8.7.

These issues affect the versions of the Moin package, as present in EPEL-4 and EPEL-5 repositories (see [1] for list of affected versions of Moin). Please try to rebase EPEL versions of Moin to v1.8.7 version too, if possible.

OK, a few points:

1) I'll try to get a 1.8.7 update out in a few days for Fedora 11 and 12.

2) I've orphaned the Moin packages in EPEL, currently those have no maintainer. I'm not interested in trying to do any security fixes for them, 1.5 is not maintained by upstream anymore and the wiki data format is different from 1.8. The EPEL packages are pretty much a security nightmare, but so is trying to release an update to 1.8.7, as that would break all wikis which are possibly still running on the EPEL packages.

3) I won't go hunting for "1.9.2pre" patches from the mercurial repositories. If upstream does not want to disclose any more details on the 1.9.1 vulnerabilities, then I'll just wait for them to release 1.9.2. As 1.9.1 is only in Rawhide, I think (and hope) no one is running production wikis on it yet.

Hi Ville, thanks for tracking the plan.

(In reply to comment #2)
> OK, a few points:
>
> 1) I'll try to get a 1.8.7 update out in a few days for Fedora 11 and 12.

OK.

> 2) I've orphaned the Moin packages in EPEL, currently those have no maintainer.
> I'm not interested in trying to do any security fixes for them, 1.5 is not
> maintained by upstream anymore and the wiki data format is different from 1.8.
> The EPEL packages are pretty much a security nightmare, but so is trying to
> release an update to 1.8.7, as that would break all wikis which are possibly
> still running on the EPEL packages.

OK.

> 3) I won't go hunting for "1.9.2pre" patches from the mercurial repositories.
> If upstream does not want to disclose any more details on the 1.9.1
> vulnerabilities, then I'll just wait for them to release 1.9.2. As 1.9.1 is
> only in Rawhide, I think (and hope) no one is running production wikis on it
> yet.

Sure, no point in searching for relevant concrete patches, better to upgrade in Rawhide to 1.9.2, once it is released.

Thanks, Jan.

moin-1.8.7-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/moin-1.8.7-1.fc12

moin-1.8.7-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/moin-1.8.7-1.fc11

moin-1.8.7-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

moin-1.8.7-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

moin-1.9.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/moin-1.9.2-1.fc13

For completeness, 1.9.2 is released and fixes CVE-2010-0668, CVE-2010-0669 and CVE-2010-0717:
http://hg.moinmo.in/moin/1.9/raw-file/1.9.2/docs/CHANGES

I see from the above it has already been submitted as an update for Fedora 13. Thank you.

moin-1.9.2-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.