oss-sec mailing list archives

Re: Debian Moin Question

From: Michael Gilbert <michael.s.gilbert () gmail com>
Date: Mon, 5 Apr 2010 15:31:00 -0400

On Mon, 5 Apr 2010 14:25:05 -0400 (EDT), Josh Bressers wrote:

Hello everyone,

I just ran across this ID from MITRE:

Name: CVE-2010-1238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1238
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20100405
Category:
Reference: DEBIAN:DSA-2024
Reference: URL:http://www.debian.org/security/2010/dsa-2024

MoinMoin 1.7.1 allows remote attackers to bypass the textcha
protection mechanism by modifying the textcha-question and
textcha-answer fields to have empty values.

The only data I can find on this is from the Debian DSA, and the
information is quite slim. Can someone shed more light on this flaw?


would the textcha.patch section in the debian diff [0] as linked
from the DSA be sufficient?

mike

[0] http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny4.diff.gz

Current thread:

Debian Moin Question Josh Bressers (Apr 05)
- Re: Debian Moin Question Michael Gilbert (Apr 05)
- Re: Debian Moin Question Giuseppe Iuculano (Apr 05)