oss-sec mailing list archives

Re: CVE request: moin


From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 21 May 2009 17:52:23 -0400 (EDT)


On Wed, 6 May 2009, Steffen Joeris wrote:

This upstream commit[0] is slightly different than the issues described in
CVE-2009-1482 and I think it deserves another CVE id to separate the XSS
issues. The Debian bug[1] can also be used as a reference.
Steve, what do you think?

This is a different vector that isn't directly covered by that CVE, and
may not have been fixed entirely when CVE-2009-1482 was fixed, so a new
CVE can be considered.

However, we generally avoid including "defense-in-depth" fixes unless they
can be demonstrated to be exploitable - or, if a vendor plans to release
an advisory "just to be safe."

The changeset says "maybe not XSS exploitable though" so I'm not sure
whether a CVE's needed yet.

- Steve
