<<< Date Index >>>     <<< Thread Index >>>

[USN-716-1] MoinMoin vulnerabilities



===========================================================
Ubuntu Security Notice USN-716-1           January 30, 2009
moin vulnerabilities
CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098,
CVE-2008-1099, CVE-2009-0260, CVE-2009-0312
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-moinmoin              1.5.2-1ubuntu2.4

Ubuntu 7.10:
  python-moinmoin                 1.5.7-3ubuntu2.1

Ubuntu 8.04 LTS:
  python-moinmoin                 1.5.8-5.1ubuntu2.2

Ubuntu 8.10:
  python-moinmoin                 1.7.1-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Fernando Quintero discovered than MoinMoin did not properly sanitize its
input when processing login requests, resulting in cross-site scripting (XSS)
vulnerabilities. With cross-site scripting vulnerabilities, if a user were
tricked into viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal confidential data,
within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS.
(CVE-2008-0780)

Fernando Quintero discovered that MoinMoin did not properly sanitize its input
when attaching files, resulting in cross-site scripting vulnerabilities. This
issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781)

It was discovered that MoinMoin did not properly sanitize its input when
processing user forms. A remote attacker could submit crafted cookie values and
overwrite arbitrary files via directory traversal. This issue affected Ubuntu
6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782)

It was discovered that MoinMoin did not properly sanitize its input when
editing pages, resulting in cross-site scripting vulnerabilities. This issue
only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)

It was discovered that MoinMoin did not properly enforce access controls,
which could allow a remoter attacker to view private pages. This issue only
affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)

It was discovered that MoinMoin did not properly sanitize its input when
attaching files and using the rename parameter, resulting in cross-site
scripting vulnerabilities. (CVE-2009-0260)

It was discovered that MoinMoin did not properly sanitize its input when
displaying error messages after processing spam, resulting in cross-site
scripting vulnerabilities. (CVE-2009-0312)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.diff.gz
      Size/MD5:    42544 ebd2cc72e4a9b91642c7e5b7fcae7754
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.dsc
      Size/MD5:      710 1c979ab18f50b60ec0b9494a7513b71f
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
      Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.4_all.deb
      Size/MD5:  1508228 88106c7e059b5b91deac7bfb71f96fb3
    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.4_all.deb
      Size/MD5:    69842 bf8ce8a5b46a32185e1f09af0b370e41
    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.4_all.deb
      Size/MD5:   835312 aa269dbf77b123fe000ee69de31df352

Updated packages for Ubuntu 7.10:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.diff.gz
      Size/MD5:    57794 cbaa73b938fa38550adfca2cd82b2228
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.dsc
      Size/MD5:      805 ac38488f222ba5451ae827b834713bf2
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7.orig.tar.gz
      Size/MD5:  4411634 b304f1c2054c7f3bf0dc48c141b28b33

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.7-3ubuntu2.1_all.deb
      Size/MD5:  1660458 98e840ca6bc4322a5a8c9c2776e5ff18
    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.7-3ubuntu2.1_all.deb
      Size/MD5:  1020898 947daca038abf2eb07c4bb220b0c9276

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.diff.gz
      Size/MD5:    61334 1b3992acd9d6720686415752ec2b84da
    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.dsc
      Size/MD5:      989 cf1add0defdb66648b3d327bb6fb3c59
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz
      Size/MD5:  4351630 79625eaeb65907bfaf8b3036d81c82a5

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.8-5.1ubuntu2.2_all.deb
      Size/MD5:  1661790 6f1cf1970e15ae49e807c91b9a92d841
    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.8-5.1ubuntu2.2_all.deb
      Size/MD5:   942866 03c9f754644bab2a9bb59fb341988831

Updated packages for Ubuntu 8.10:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.1.diff.gz
      Size/MD5:    69361 73955e746562f932d4c47650457e6d17
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.1.dsc
      Size/MD5:     1266 95f6ced2570e48fcf3f947f8b0dee615
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1.orig.tar.gz
      Size/MD5:  5468224 871337b8171c91f9a6803e5376857e8d

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.7.1-1ubuntu1.1_all.deb
      Size/MD5:  4498436 617459b556027289b17473abccade9ff


Attachment: signature.asc
Description: Digital signature