[USN-716-1] MoinMoin vulnerabilities
Date: Thu, 29 Jan 2009 22:29:57 -0600
From: Jamie Strandboge <jamie@canonical.com.>
To: [email protected]
Subject: [USN-716-1] MoinMoin vulnerabilities
Message-ID: <20090130042957.GA13760@severus.strandboge.com.>
Reply-To: Jamie Strandboge <jamie@canonical.com.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="dDRMvlgZJXvWKvBx"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
X-Virus-Scanned: antivirus-gw at tyumen.ru
--dDRMvlgZJXvWKvBx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Ubuntu Security Notice USN-716-1 January 30, 2009
moin vulnerabilities
CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098,
CVE-2008-1099, CVE-2009-0260, CVE-2009-0312
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
python2.4-moinmoin 1.5.2-1ubuntu2.4
Ubuntu 7.10:
python-moinmoin 1.5.7-3ubuntu2.1
Ubuntu 8.04 LTS:
python-moinmoin 1.5.8-5.1ubuntu2.2
Ubuntu 8.10:
python-moinmoin 1.7.1-1ubuntu1.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Fernando Quintero discovered than MoinMoin did not properly sanitize its
input when processing login requests, resulting in cross-site scripting (XSS)
vulnerabilities. With cross-site scripting vulnerabilities, if a user were
tricked into viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal confidential data,
within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS.
(CVE-2008-0780)
Fernando Quintero discovered that MoinMoin did not properly sanitize its input
when attaching files, resulting in cross-site scripting vulnerabilities. This
issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781)
It was discovered that MoinMoin did not properly sanitize its input when
processing user forms. A remote attacker could submit crafted cookie values and
overwrite arbitrary files via directory traversal. This issue affected Ubuntu
6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782)
It was discovered that MoinMoin did not properly sanitize its input when
editing pages, resulting in cross-site scripting vulnerabilities. This issue
only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)
It was discovered that MoinMoin did not properly enforce access controls,
which could allow a remoter attacker to view private pages. This issue only
affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)
It was discovered that MoinMoin did not properly sanitize its input when
attaching files and using the rename parameter, resulting in cross-site
scripting vulnerabilities. (CVE-2009-0260)
It was discovered that MoinMoin did not properly sanitize its input when
displaying error messages after processing spam, resulting in cross-site
scripting vulnerabilities. (CVE-2009-0312)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.diff.gz
Size/MD5: 42544 ebd2cc72e4a9b91642c7e5b7fcae7754
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.dsc
Size/MD5: 710 1c979ab18f50b60ec0b9494a7513b71f
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
Size/MD5: 3975925 689ed7aa9619aa207398b996d68b4b87
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.4_all.deb
Size/MD5: 1508228 88106c7e059b5b91deac7bfb71f96fb3
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.4_all.deb
Size/MD5: 69842 bf8ce8a5b46a32185e1f09af0b370e41
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.4_all.deb
Size/MD5: 835312 aa269dbf77b123fe000ee69de31df352
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.diff.gz
Size/MD5: 57794 cbaa73b938fa38550adfca2cd82b2228
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.dsc
Size/MD5: 805 ac38488f222ba5451ae827b834713bf2
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7.orig.tar.gz
Size/MD5: 4411634 b304f1c2054c7f3bf0dc48c141b28b33
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.7-3ubuntu2.1_all.deb
Size/MD5: 1660458 98e840ca6bc4322a5a8c9c2776e5ff18
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.7-3ubuntu2.1_all.deb
Size/MD5: 1020898 947daca038abf2eb07c4bb220b0c9276
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.diff.gz
Size/MD5: 61334 1b3992acd9d6720686415752ec2b84da
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.dsc
Size/MD5: 989 cf1add0defdb66648b3d327bb6fb3c59
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz
Size/MD5: 4351630 79625eaeb65907bfaf8b3036d81c82a5
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.8-5.1ubuntu2.2_all.deb
Size/MD5: 1661790 6f1cf1970e15ae49e807c91b9a92d841
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.8-5.1ubuntu2.2_all.deb
Size/MD5: 942866 03c9f754644bab2a9bb59fb341988831
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.1.diff.gz
Size/MD5: 69361 73955e746562f932d4c47650457e6d17
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.1.dsc
Size/MD5: 1266 95f6ced2570e48fcf3f947f8b0dee615
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1.orig.tar.gz
Size/MD5: 5468224 871337b8171c91f9a6803e5376857e8d
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.7.1-1ubuntu1.1_all.deb
Size/MD5: 4498436 617459b556027289b17473abccade9ff
--dDRMvlgZJXvWKvBx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmCgkUACgkQW0JvuRdL8BpaBQCghNoiFKQoAWDofRbxY+v2y0a8
LfQAnjSEK/BxmSkThQGgs+B53IeXR7Mx
=5i1O
-----END PGP SIGNATURE-----
--dDRMvlgZJXvWKvBx--