Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Sat, 29 Dec 2012 20:41:01 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Tilmann Haak <tilmann.haak@....de>, tw-public@....de
Subject: Re: CVE request: MoinMoin Wiki (XSS in rss link)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/29/2012 07:37 AM, Tilmann Haak wrote:
> Hi all,
> 
> there is an XSS issue in MoinMoin wiki, version 1.9.5. Function 
> rsslink() in "theme/__init__.py" does not properly escape the page
> name parameter.
> 
> Details can be found at: http://moinmo.in/SecurityFixes
> 
> A fix is available at:
> http://hg.moinmo.in/moin/1.9/rev/c98ec456e493
> 
> Could you please assign a CVE number?
> 
> kind regards, Tilmann


Please use CVE-2012-6082 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ37fNAAoJEBYNRVNeJnmTpYEP/A0cs4VB2U3aUQE03Toh7cHH
j0hjXhMRImATSDwI61qay9CUOhm1Hr5G0bNXs7XWGy95wGaxOzX62i241dpWa7Bf
qj1sWwDH960ZiVx9712B7Gxab6kVeQjpluBLqcpwazilh4mPjwES5a0AZuQbS0nw
DrjbDvXs/bWFGLZf8PnQ/CWZWVOiO/4pXn8dcWaz2FA7ZwPK8FMn7gp5BvZAlzpI
ruxOGpCJ5UiFgMFht/x8rk4HPf+vYnDbO5H9dvf68JyzTTG1klxqFSSYD5aEilLi
P8WXL4Rfjmu/XPasW20tnPMmZq8720QU+jmuARNGAEpsKwE2aDdxk+qiJ12I4UYu
HRHMsMEyvmPTrkGiwTx0ELoTwPTF8XASX6LhSir+tc/yO3Z5Rv+RzfIr1hUWj197
NYk30W/m2XTJOWBc+hgLtmqMxJXwbcmRfdbribpok7O/pxVFToWufPui0uuQLuBg
N90wgaFgGTVE1Zig6sWhzRSRtSgB6vngMDxNr4TTLXyij/jRZprN3Pj0miLCvyay
lqP8+XNKC13yvSG+1rioHYVaoh7FlORHxTE2jLiQzaNWxoyNFlSTb0U4fGgDo8XC
4YrAKZxQqGD1yK7pzeMUwhd159U6PGDH/cOr6gffmH2trp3oj2C9zml/BaZj5vJn
teeSNebc390umJaM+HUm
=kR7s
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ