#1598: Freeze break request: moin-1.8.2-2.fc11
Fedora Release Engineering
rel-eng at fedoraproject.org
Wed Apr 22 18:18:17 UTC 2009
------------------+---------------------------------------------------------
Reporter: vpv | Owner: rel-eng at lists.fedoraproject.org
Type: task | Status: new
Milestone: | Component: koji
Keywords: |
------------------+---------------------------------------------------------
* A description of what you want to change
  I'm asking for this package to be tagged for F11 final, because it
  includes two security patches.
* Rationale for why the change is important enough to be allowed in after
  the final freeze.
  When doing a sort-of audit of security patches for the moin version in
  F9 and F10 I noticed the fix for
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0781 was missing
  from moin 1.6 and newer. After having reported this to upstream, they
  released two security patches to fix the vulnerability again. The patches
  are listed at http://moinmo.in/SecurityFixes#moin1.8.2 and included in
  this new package.
* Impact of *not* accepting the development at this point of the
  schedule.
  The original CVE report says 'Multiple cross-site scripting (XSS)
  vulnerabilities in action/AttachFile.py allow remote attackers to inject
  arbitrary web script or HTML via (1) message, (2) pagename, and (3) target
  filenames.'
* Information on what testing you've already done on the development to
  help reduce the risk.
  I've done some basic testing of the patched AttachFile action myself.
  These patches are from upstream, so the moin developers have done some
  testing as well.
--
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/1598>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
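The CVE text quoted in the ticket names three request parameters (message, pagename, target filename) that reach the attachment action's HTML output unescaped. The following is an added illustration of that bug class and its fix; it is not moin's code and does not reproduce the upstream patches. The two render functions, the sample parameters and the `leaks_markup` check are all constructed for this example.

```python
from html import escape
from urllib.parse import quote

# Constructed sample request parameters for an attachment-style action.
# Two of them carry markup, as an attacker-controlled value might.
SAMPLE_PARAMS = {
    "pagename": "FrontPage",
    "target": 'notes.txt" onmouseover="alert(1)',
    "message": "<script>alert('xss')</script>",
}


def render_unsafe(pagename, target, message):
    """Hypothetical vulnerable rendering: every parameter is interpolated
    verbatim into the HTML, so tags and attribute-closing quotes survive."""
    return (f'<p class="msg">{message}</p>'
            f'<p>Attached <a href="/{pagename}?target={target}">{target}</a>'
            f' to {pagename}</p>')


def render_safe(pagename, target, message):
    """Hardened rendering: values are encoded for the context they land in.
    Path/query components are percent-encoded, everything placed in HTML
    text or attributes is HTML-escaped with quotes included."""
    def e(s):
        return escape(s, quote=True)

    href = "/" + quote(pagename) + "?target=" + quote(target)
    return (f'<p class="msg">{e(message)}</p>'
            f'<p>Attached <a href="{e(href)}">{e(target)}</a>'
            f' to {e(pagename)}</p>')


def leaks_markup(rendered):
    """Crude demo check: did a raw tag or an attribute-breaking quote from
    the input make it into the output unchanged?"""
    return "<script" in rendered or 'onmouseover="' in rendered


if __name__ == "__main__":
    for fn in (render_unsafe, render_safe):
        out = fn(**SAMPLE_PARAMS)
        print(f"{fn.__name__}: leaks markup = {leaks_markup(out)}")
        print("  ", out)
```

Running the block shows the unsafe renderer emitting the script tag and the injected event handler intact, while the hardened renderer produces `&lt;script&gt;` and `&quot;` sequences that browsers display as text. The point worth taking from it is that escaping has to match the output context (attribute, text node, URL), which is why the hardened version uses two different encoders.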