PyPi: Moin

CVE-2011-1058

Safety vulnerability ID: 36452

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 22, 2011 Updated at Mar 29, 2024

Advisory

Moin 1.9.3 includes a fix for CVE-2011-1058: a cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute.
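The defensive pattern behind the fix is a scheme allowlist applied to every link target before it becomes an href. The following is an added example written for this page; it is not MoinMoin's code, and the names `normalize_scheme`, `is_safe_refuri` and `render_reference` are assumptions. It goes slightly beyond the advisory by also folding the tricks browsers tolerate when parsing a scheme (mixed case, embedded tabs and control characters, full-width letters) so that a check on the bare string cannot be bypassed by them.

```python
"""Scheme allowlist for rst link targets (refuri) before they are rendered as href.

Added example, not MoinMoin code. Function names are assumptions.
"""
import html
import re
import unicodedata

# Schemes a wiki is willing to turn into clickable links. Anything else
# (javascript:, data:, vbscript:, ...) is rendered as plain text instead.
SAFE_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Browsers drop ASCII control characters and whitespace while parsing a
# scheme, so "java\tscript:" is still executed as javascript:. Remove the
# same characters before looking at the scheme.
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_scheme(uri):
    """Return the lowercase scheme of uri as a browser would see it, or '' if none."""
    cleaned = _CONTROL_RE.sub("", uri)
    # NFKC folds full-width letters and colons to their ASCII forms.
    cleaned = unicodedata.normalize("NFKC", cleaned)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""


def is_safe_refuri(uri):
    """True for relative targets (no scheme) and for allowlisted schemes only."""
    scheme = normalize_scheme(uri)
    if scheme == "":
        return True          # relative link such as ../Page or Page#section
    return scheme in SAFE_SCHEMES


def render_reference(text, refuri):
    """Emit an <a> element only when refuri passes the allowlist.

    Both the href and the link text are HTML-escaped; an unsafe target
    degrades to escaped text so the content is preserved but not clickable.
    """
    safe_text = html.escape(text, quote=True)
    if not is_safe_refuri(refuri):
        return safe_text
    return '<a href="%s">%s</a>' % (html.escape(refuri, quote=True), safe_text)


if __name__ == "__main__":
    # Constructed sample targets: the kind of values an rst `reference` node
    # could carry in its refuri attribute.
    samples = [
        "https://example.org/Page",
        "../OtherPage",
        "javascript:void(0)",
        "JaVaScRiPt:void(0)",
        "java\tscript:void(0)",
        "\uff4aavascript:void(0)",   # full-width 'j'
        "data:text/html,x",
    ]
    for uri in samples:
        print("%-28r scheme=%-12r safe=%s" % (uri, normalize_scheme(uri), is_safe_refuri(uri)))
```

Allowlisting schemes, rather than blocking `javascript:` by name, is the durable form of the fix: the rejected set then covers every scheme the wiki never intended to link, and a new browser-supported scheme does not silently become a new injection path.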

Affected package

moin

Latest version: 1.9.11

MoinMoin 1.9.11 is an easy-to-use, full-featured and extensible wiki software package

Affected versions

Fixed versions

Vulnerability changelog

HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details.

Fixes:
* Fix XSS / remove javascript URL support in rst parser (CVE-2011-1058).
* werkzeug: Removed a dummy import. Fixes Python 2.7 compatibility.
* Fix linux-to-windows edit-log migration/upgrade issue (wrong line endings)
* logfile: strip \n lineends from line data (\n is part of the file structure, not of the data)
* Fix for MoinMoinBugs/SinglePageSlideShowAndParserMarkup.
* Simplify auto scroll initialization; fix bug in IE init discovered when using IE7 on pages with wide tables.
* Fix timestamp in edit lock message to show the time when edit-locking ends.
* Updated wikiserverconfig.py from internal defaults, sync the one in toplevel dir and the one in wiki/server/ - fixes hostname setting.
* SubProcess: make sure files are closed at the end (experimental change).
* text plain formatter: fix bullet_list, see number_list.
* Add some image mimetypes to MIMETYPES_MORE to fix windows issues.
* Include page name in password reset URL.
* Fix moin export dump to generate relative URLs.
* Fix MonthCalendar mouseover for pages with ampersand in page name.
* ldap_login: assign server early, it is used in exception handler.
* OpenID server preferences: fix traceback related to request method.
* Work around page.mtime_usecs() returning 0 for pages without edit-log.
* revert action: catch and display all SaveErrors when revert failed.
* Fixed bug in groups formatter which caused the last list item to be not in the group.
* Avoid strange exception in zipfile.py for pre-1980 timestamps.
* TableOfContents: fix for other markups than default wiki markup, e.g. rst
* script.account.homepage: added wiki format to homepage_default_text
* Enable webkit based browsers (try chrome/safari/konqueror now) for GUI editing (after fixing selection FCKeditor plugin for chrome).
* Parsers: avoid crash when Parser.format() call gets inhibit_p kw arg.
* advancedsearch: fix problem with non-ascii chars breaking up words for OR and NOT terms
* fix globaledit script to keep comments on Homepage...Template pages

New features:
* Added print mode to action.SlideShow, see FeatureRequests/PrintableSinglePageSlideshows.
* xmlrpc: new methods xmlrpc_getProcessingInstruction(Version)
* Add support for other password hashes (all of them will get auto-upgraded to SSHA when user logs in):
  * {DES} (Unix crypt(3))
  * {MD5} (MD5-based crypt())
  * {APR1} (Apache .htpasswd).
* Experimental queued indexing support to work around memory leak - use it like this:
  put all pages into indexer queue:
    python MoinMoin/script/moin.py index build --mode=makequeue
  take <count> pages out of the indexer queue and index them; you need to repeat the following line respective to the total amount of pages in your wiki (doing more indexer calls does no harm, doing less means an incomplete index):
    python MoinMoin/script/moin.py index build --mode=buildnewindexqueued --count=500
    python MoinMoin/script/moin.py index build --mode=buildnewindexqueued --count=500
    python MoinMoin/script/moin.py index build --mode=buildnewindexqueued --count=500
    ...
  switch to new index:
    python MoinMoin/script/moin.py index build --mode=usenewindex

Other changes:
* Raise exceptions as recommended in PEP 8.
* Updated i18n / underlay pages.
* Updated interwiki map.
* Use logging.traceback to get more information if an indexing filter crashes.
* U+200B is not considered a space any more in unicode 4.0.1.
* Improve textcha security, use some crypto and timing to make cheating harder - use cfg.textchas_expiry_time = 600 (default, seconds) to set the time a textcha is valid.
* Upgraded bundled werkzeug to 0.8.1, pygments to 1.4, flup to repo tip.


Severity Details

CVSS Base Score: LOW 2.6

CVSS v2 Details (LOW 2.6):
* Access Vector (AV): NETWORK
* Access Complexity (AC): HIGH
* Authentication (Au): NONE
* Confidentiality Impact (C): NONE
* Integrity Impact (I): PARTIAL
* Availability Impact (A): NONE