USNSpec
Launchpad Entry: security-karmic-usn-format
Created:
Contributors:
Packages affected:
Summary
This should provide an overview of the issue/functionality/change proposed here. Focus here on what will actually be DONE, summarising that so that other people don't have to read the whole spec. See also CategorySpec for examples.
Release Note
This section should include a paragraph describing the end-user impact of this change. It is meant to be included in the release notes of the first release in which it is implemented. (Not all of these will actually be included in the release notes, at the release manager's discretion; but writing them is a useful exercise.)
It is mandatory.
Rationale
This should cover the _why_: why is this change being proposed, what justifies it, where we see this justified.
User stories
Assumptions
Design
You can have subsections that better describe specific parts of the issue.
Implementation
This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:
Proposed format
Ubuntu Security Notice USN-716-1 January 30, 2009 MoinMoin vulnerabilities A security issue affects the following releases of Ubuntu and its derivatives: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 Summary: [issue summary] MoinMoin could be pwnd, yo. ... [package summary] MoinMoin is... Details: Fernando Quintero discovered than MoinMoin did not properly sanitize its input when processing login requests, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS. (CVE-2008-0780) Fernando Quintero discovered that MoinMoin did not properly sanitize its input when attaching files, resulting in cross-site scripting vulnerabilities. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781) It was discovered that MoinMoin did not properly sanitize its input when processing user forms. A remote attacker could submit crafted cookie values and overwrite arbitrary files via directory traversal. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782) It was discovered that MoinMoin did not properly sanitize its input when editing pages, resulting in cross-site scripting vulnerabilities. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098) It was discovered that MoinMoin did not properly enforce access controls, which could allow a remoter attacker to view private pages. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099) It was discovered that MoinMoin did not properly sanitize its input when attaching files and using the rename parameter, resulting in cross-site scripting vulnerabilities. (CVE-2009-0260) It was discovered that MoinMoin did not properly sanitize its input when displaying error messages after processing spam, resulting in cross-site scripting vulnerabilities. (CVE-2009-0312) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 6.06 LTS: python2.4-moinmoin 1.5.2-1ubuntu2.4 Ubuntu 7.10: python-moinmoin 1.5.7-3ubuntu2.1 Ubuntu 8.04 LTS: python-moinmoin 1.5.8-5.1ubuntu2.2 Ubuntu 8.10: python-moinmoin 1.7.1-1ubuntu1.1 To update your system, follow these instructions: https://halp.ubuntu.com/... In general, a standard system update is sufficient to effect the necessary changes. ATTENTION: abi fun fun fun ... References: CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098, CVE-2008-1099, CVE-2009-0260, CVE-2009-0312 https://bugs.launchpad.net/bug/123456 Package Information: https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2 https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2 https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2 https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2
Migration
Include:
- data migration, if any
- redirects from old URLs to new ones, if any
- how users will be pointed to the new way of doing things, if necessary.
Test/Demo Plan
It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release. Please add an entry to http://testcases.qa.ubuntu.com/Coverage/NewFeatures for tracking test coverage.
This need not be added or completed until the specification is nearing beta.
Unresolved issues
This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.
BoF agenda and discussion
Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.