Multiple security issues have been reported in Moin:

[1] http://moinmo.in/SecurityFixes
[2] http://secunia.com/advisories/38444/

Upstream Moin v1.8.7 version was released:

[3] http://moinmo.in/

Addressing "major security issues in miscellaneous parts of moin.":

[4] http://moinmo.in/MoinMoinRelease1.8
[5] http://hg.moinmo.in/moin/1.8/raw-file/1.8.7/docs/CHANGES

CVE Request:

[6] http://www.openwall.com/lists/oss-security/2010/02/15/2

Other references:

[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569975

As mentioned in [7]:

"<ThomasWaldmann> 2) it's not just a single patch, it is quite much, you don't want to apply them manually. if you need it now, do a repo checkout and you'll have 1.9.2pre kind of"
These issues affect the versions of the Moin package as shipped with Fedora releases 11 and 12. Please rebase to v1.8.7.

These issues affect the versions of the Moin package as present in the EPEL-4 and EPEL-5 repositories (see [1] for the list of affected versions of Moin). Please try to rebase the EPEL versions of Moin to v1.8.7 too, if possible.
OK, a few points:

1) I'll try to get a 1.8.7 update out in a few days for Fedora 11 and 12.

2) I've orphaned the Moin packages in EPEL; currently those have no maintainer. I'm not interested in trying to do any security fixes for them; 1.5 is not maintained by upstream anymore and the wiki data format is different from 1.8. The EPEL packages are pretty much a security nightmare, but so is trying to release an update to 1.8.7, as that would break all wikis which are possibly still running on the EPEL packages.

3) I won't go hunting for "1.9.2pre" patches from the mercurial repositories. If upstream does not want to disclose any more details on the 1.9.1 vulnerabilities, then I'll just wait for them to release 1.9.2. As 1.9.1 is only in Rawhide, I think (and hope) no one is running production wikis on it yet.
Hi Ville, thanks for tracking the plan.

(In reply to comment #2)
> OK, a few points:
>
> 1) I'll try to get a 1.8.7 update out in a few days for Fedora 11 and 12.

OK.

> 2) I've orphaned the Moin packages in EPEL, currently those have no maintainer.
> I'm not interested in trying to do any security fixes for them, 1.5 is not
> maintained by upstream anymore and the wiki data format is different from 1.8.
> The EPEL packages are pretty much a security nightmare, but so is trying to
> release an update to 1.8.7, as that would break all wikis which are possibly
> still running on the EPEL packages.

OK.

> 3) I won't go hunting for "1.9.2pre" patches from the mercurial repositories.
> If upstream does not want to disclose any more details on the 1.9.1
> vulnerabilities, then I'll just wait for them to release 1.9.2. As 1.9.1 is
> only in Rawhide, I think (and hope) no one is running production wikis on it
> yet.

Sure, no point in searching for relevant concrete patches; better to upgrade in Rawhide to 1.9.2 once it is released.

Thanks, Jan.
moin-1.8.7-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/moin-1.8.7-1.fc12
moin-1.8.7-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/moin-1.8.7-1.fc11
moin-1.8.7-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
moin-1.8.7-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
moin-1.9.2-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/moin-1.9.2-1.fc13
For completeness, 1.9.2 is released and fixes CVE-2010-0668, CVE-2010-0669 and CVE-2010-0717: http://hg.moinmo.in/moin/1.9/raw-file/1.9.2/docs/CHANGES

I see from the above that it has already been submitted as an update for Fedora 13. Thank you.
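The thread names two fixed releases, 1.8.7 for the 1.8 branch and 1.9.2 for the 1.9 branch, while the orphaned EPEL packages on 1.5 have no fixed release at all. The following script is an added example, not part of the bug report or of the Moin project: it parses Fedora-style package version strings (such as the `moin-1.8.7-1.fc12` names above, or an upstream `1.9.2pre` snapshot) and reports whether an installed version is at or above the fixed release for its branch. The fixed-version table and the sample inputs are constructed from the versions quoted in this thread.

```python
"""Check installed MoinMoin package versions against the fixed releases
named in the thread (added example; not code from the Moin project)."""
import re
from typing import Tuple

# Fixed release per branch, as stated in the thread:
#   1.8.7 for the 1.8 branch, 1.9.2 for the 1.9 branch
#   (1.9.2 fixes CVE-2010-0668, CVE-2010-0669 and CVE-2010-0717).
# The trailing 1 marks a final release; a "pre" snapshot gets 0 so that
# "1.9.2pre" sorts below the 1.9.2 release.
FIXED_VERSIONS = {
    (1, 8): (1, 8, 7, 1),
    (1, 9): (1, 9, 2, 1),
}

# Accepts "1.8.7", "1.9.2pre", "moin-1.8.7-1.fc12", "moin-1.5.9-5.el5".
# The optional "-<release>" suffix is the RPM release tag and is ignored.
VERSION_RE = re.compile(r"^(?:moin-)?(\d+)\.(\d+)\.(\d+)(pre)?(?:-.*)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, is_final) for a moin version string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised moin version string: {text!r}")
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def assess(installed: str) -> str:
    """Classify an installed version as 'fixed', 'vulnerable' or 'unmaintained'.

    'unmaintained' covers branches with no fixed release in the table,
    e.g. the orphaned 1.5 packages in EPEL-4/EPEL-5.
    """
    version = parse_version(installed)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unmaintained"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; the first two names appear in the thread.
    samples = [
        "moin-1.8.7-1.fc12",
        "moin-1.9.2-1.fc13",
        "moin-1.8.6-2.fc11",
        "1.9.2pre",
        "moin-1.5.9-5.el5",
    ]
    for name in samples:
        print(f"{name:24s} {assess(name)}")
```

On a live host the version string would come from `rpm -q moin`; feeding that output to `assess()` is the one-line integration point.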
moin-1.9.2-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.