On Sun, Dec 30, 2012 at 08:04:23AM +0100, Salvatore Bonaccorso wrote:
>Hi Steve
>
>> +moin (1.9.4-8+deb7u1) testing-proposed-updates; urgency=high >> + >> + * Stack of security fixes from upstream: >> + + make taintfilename more secure >> + + escape user- or admin-defined css url >> + + use a constant time str comparison function to prevent timing >> + attacks >> + + fix remote code execution vulnerability in twikidraw/anywikidraw >> + actions (CVE-2012-XXXX). >> + + fix path traversal vulnerability in AttachFile action >> + (CVE-2012-XXXX).
>>
>> Looks okay to me; thanks. (fwiw, even for tpu unblock bugs are generally
>> easier to track and less likely to get lost in the list.)
>
>In the meantime CVEs were assigned to moin for these issues. If not yet
>uploaded to t-p-u could you include these? They are CVE-2012-6080
>(path traversal vulnerability) and CVE-2012-6081 (remote code
>execution vulnerability).
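
Review bot: both CVE references in the changelog entry are still the placeholder CVE-2012-XXXX, on the twikidraw/anywikidraw remote code execution item and on the AttachFile path traversal item. The thread gives the assigned ids as CVE-2012-6081 for the remote code execution fix and CVE-2012-6080 for the path traversal fix, so the entry should name them, otherwise the fixed version 1.9.4-8+deb7u1 cannot be matched to those CVEs from the changelog alone. The other three items (taintfilename, css url escaping, constant time comparison) carry no reference at all; if upstream has identifiers for them, add those too.
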
Hi Salvatore,

It's already uploaded, but I'll update the changelog in git so that
it'll be updated for future uploads.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"It's actually quite entertaining to watch ag129 prop his foot up on the desk
so he can get a better aim." [ seen in ucam.chat ]