oss-sec mailing list archives
Re: Debian Moin Question
From: Michael Gilbert <michael.s.gilbert () gmail com>
Date: Mon, 5 Apr 2010 15:31:00 -0400
On Mon, 5 Apr 2010 14:25:05 -0400 (EDT), Josh Bressers wrote:
Hello everyone, I just ran across this ID from MITRE: Name: CVE-2010-1238 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1238 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20100405 Category: Reference: DEBIAN:DSA-2024 Reference: URL:http://www.debian.org/security/2010/dsa-2024 MoinMoin 1.7.1 allows remote attackers to bypass the textcha protection mechanism by modifying the textcha-question and textcha-answer fields to have empty values. The only data I can find on this is from the Debian DSA, and the information is quite slim. Can someone shed more light on this flaw?
would the textcha.patch section in the debian diff [0] as linked from the DSA be sufficient? mike [0] http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny4.diff.gz
Current thread:
- Debian Moin Question Josh Bressers (Apr 05)
- Re: Debian Moin Question Michael Gilbert (Apr 05)
- Re: Debian Moin Question Giuseppe Iuculano (Apr 05)