Jdstrand

**Name of the Vulnerable Software and Affected Versions** MoinMoin versions 1.9.3 through 1.9.5 **Description** The issue allows remote attackers to overwrite arbitrary files via a `..` (dot dot) in a file name, due to a directory traversal vulnerability in the ` do attachment move` function in the AttachFile action (`action/AttachFile.py`). **Recommendations** For MoinMoin versions 1.9.3 through 1.9.5, consider disabling the ` do attachment move` function in the AttachFile action until a patch is available. Restrict access to the AttachFile action to minimize the risk of exploitation. Avoid using file names containing `..` (dot dot) in the affected AttachFile action until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MoinMoin versions prior to 1.9.6 **Description** The issue allows remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. This has been exploited in the wild in July 2012. The vulnerabilities are found in the twikidraw (`action/twikidraw.py`) and anywikidraw (`action/anywikidraw.py`) actions. **Recommendations** For versions prior to 1.9.6, update to version 1.9.6 or later to resolve the issue. As a temporary workaround, consider restricting write permissions or disabling the `action/twikidraw.py` and `action/anywikidraw.py` actions until a patch is applied. Avoid using these actions to upload files with executable extensions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MoinMoin versions prior to 1.9.6 **Description** The issue allows remote authenticated users with write permissions to overwrite arbitrary files via unspecified vectors. This can potentially be leveraged to execute arbitrary code. **Recommendations** For versions prior to 1.9.6, update to version 1.9.6 or later to resolve the issue. As a temporary workaround, consider restricting write permissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** APT versions 0.7.x through 0.7.24 APT versions 0.8.x through 0.8.15 **Description** The issue allows remote attackers to install altered packages via a man-in-the-middle (MITM) attack, because it relies on GnuPG argument order and does not check GPG subkeys when using the `apt-key net-update` to import keyrings. **Recommendations** For APT versions 0.7.x through 0.7.24, update to version 0.7.25 or later. For APT versions 0.8.x through 0.8.15, update to version 0.8.16 or later.

**Name of the Vulnerable Software and Affected Versions** Cobbler versions 2.2.0 through 2.5.x Cobbler versions prior to 2.6.0 **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the `username` or `password` fields to the power system method in the xmlrpc API. **Recommendations** For Cobbler versions 2.2.0 through 2.5.x, update to version 2.6.0 or later. For Cobbler versions prior to 2.6.0, update to version 2.6.0 or later. As a temporary workaround, consider restricting access to the power system method in the xmlrpc API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** gnome-screensaver version 2.28.0 **Description** The issue allows physically proximate attackers to access an unattended workstation where screen locking was intended, due to gnome-screensaver not resuming its activation settings after an inhibiting application becomes unavailable on the session bus. **Recommendations** For gnome-screensaver version 2.28.0, consider disabling the screensaver functionality until a patch is available, and ensure that workstations are properly secured when unattended to minimize the risk of exploitation.