http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1098
"Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) certain input processed by formatter/text_gedit.py (aka the gui editor formatter); (2) a page name, which triggers an injection in PageEditor.py when the page is successfully deleted by a victim in a DeletePage action; or (3) the destination page name for a RenamePage action, which triggers an injection in PageEditor.py when a victim's rename attempt fails because of a duplicate name."
F-7, F-8, EPEL-4 and EPEL-5 have 1.5.8 in CVS. Should be fixed upstream in 1.5.9, links to fixes at http://moinmo.in/SecurityFixes
moin-1.5.9-1.fc8 has been submitted as an update for Fedora 8
moin-1.5.9-1.fc7 has been submitted as an update for Fedora 7
moin-1.5.9-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
moin-1.5.9-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
I've taken over as the new moin maintainer. This bug could probably be closed, as 1.5.9 or higher is in all active branches?
Yes, you're right. I'll close it.