From owner-freebsd-security@freebsd.org  Mon Nov 30 18:14:55 2020
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2B6544A41BA;
 Mon, 30 Nov 2020 18:14:55 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [209.237.23.5])
 (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4ClD0b09yBz4V4f;
 Mon, 30 Nov 2020 18:14:54 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from roble.com (roble.com [209.237.23.50])
 by mx5.roble.com (Postfix) with ESMTP id 6AA1F3D209;
 Mon, 30 Nov 2020 10:14:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=roble.com;
 s=rs060402; t=1606760087;
 bh=Avyb9lBJ9D+5i+TsxwfZX8GHoR1v6NbINFKelx1DaVA=;
 h=Date:From:To:cc:Subject:In-Reply-To:References;
 b=qxADnrTfDK/K34M4bWiFXzvcDu0fy73NqHPTee39Opo47USEvMhTh+viyWzWgWtFz
 pfh8dsCql47OmRA8vVsbFY+jGTXB70ySi3E2XQ7PiSzerbwDNAaOE2+eGO85JfsdwS
 BXWES0cqE+VI0TjMQkAa3uU61o7O3Gof5iojXh20=
Date: Mon, 30 Nov 2020 10:14:47 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: Kubilay Kocak <koobs@FreeBSD.org>
cc: freebsd-security@freebsd.org, python <python@FreeBSD.org>
Subject: Re: Moinmoin
In-Reply-To: <ddc77449-c646-064b-cbcc-dc1ece466413@FreeBSD.org>
Message-ID: <9979379s-7694-76no-692r-p51n5p51877@mx.roble.com>
References: <8o206235-597-p266-o7s-oqn87s1np279@mx.roble.com>
 <ddc77449-c646-064b-cbcc-dc1ece466413@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
X-Rspamd-Queue-Id: 4ClD0b09yBz4V4f
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-4.00 / 15.00];
	 REPLY(-4.00)[]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2020 18:14:55 -0000

Hey Kubilay,

Originally saw the vuln on a security RSS feeds, probably NIST's, but it
is also listed on the moinmo.in website:

   News

     2020-11-08 MoinMoin 1.9.11 released, including urgent security
     fixes! See: https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11

Roger


> On 28/11/2020 12:55 pm, Roger Marquis wrote:
>> Anyone know if www/moinmoin is abandonware?  The maintainer is listed as
>> python@freebsd.org and the version in ports has had an unpatched
>> vulnerability for the last couple of weeks.
>> 
>
> Hi Roger,
>
> I don't believe so, but development is slow
>
> Can you point us to references for the vulnerability and/or any other 
> references (cve, anouncements, commits, issues, patches in other OS's, etc)
>
> ./koobs