full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [USN-716-1] MoinMoin vulnerabilities

[USN-716-1] MoinMoin vulnerabilities

From: Jamie Strandboge <jamie_at_nospam>
Date: Fri Jan 30 2009 - 04:29:57 GMT
To: ubuntu-security-announce@lists.ubuntu.com



Ubuntu Security Notice USN-716-1 January 30, 2009 moin vulnerabilities
CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098, CVE-2008-1099, CVE-2009-0260, CVE-2009-0312

A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  python2.4-moinmoin 1.5.2-1ubuntu2.4

Ubuntu 7.10: python-moinmoin 1.5.7-3ubuntu2.1 Ubuntu 8.04 LTS: python-moinmoin 1.5.8-5.1ubuntu2.2 Ubuntu 8.10: python-moinmoin 1.7.1-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Fernando Quintero discovered than MoinMoin did not properly sanitize its input when processing login requests, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS. (CVE-2008-0780) Fernando Quintero discovered that MoinMoin did not properly sanitize its input when attaching files, resulting in cross-site scripting vulnerabilities. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781)

It was discovered that MoinMoin did not properly sanitize its input when processing user forms. A remote attacker could submit crafted cookie values and overwrite arbitrary files via directory traversal. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782)

It was discovered that MoinMoin did not properly sanitize its input when editing pages, resulting in cross-site scripting vulnerabilities. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)

It was discovered that MoinMoin did not properly enforce access controls, which could allow a remoter attacker to view private pages. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)

It was discovered that MoinMoin did not properly sanitize its input when attaching files and using the rename parameter, resulting in cross-site scripting vulnerabilities. (CVE-2009-0260)

It was discovered that MoinMoin did not properly sanitize its input when displaying error messages after processing spam, resulting in cross-site scripting vulnerabilities. (CVE-2009-0312)

Updated packages for Ubuntu 6.06 LTS:

  Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.diff.gz Size/MD5: 42544 ebd2cc72e4a9b91642c7e5b7fcae7754 http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.dsc Size/MD5: 710 1c979ab18f50b60ec0b9494a7513b71f http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz Size/MD5: 3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.4_all.deb Size/MD5: 1508228 88106c7e059b5b91deac7bfb71f96fb3 http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.4_all.deb Size/MD5: 69842 bf8ce8a5b46a32185e1f09af0b370e41 http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.4_all.deb Size/MD5: 835312 aa269dbf77b123fe000ee69de31df352

Updated packages for Ubuntu 7.10:

  Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.diff.gz Size/MD5: 57794 cbaa73b938fa38550adfca2cd82b2228 http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.dsc Size/MD5: 805 ac38488f222ba5451ae827b834713bf2 http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7.orig.tar.gz Size/MD5: 4411634 b304f1c2054c7f3bf0dc48c141b28b33

  Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.7-3ubuntu2.1_all.deb Size/MD5: 1660458 98e840ca6bc4322a5a8c9c2776e5ff18 http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.7-3ubuntu2.1_all.deb Size/MD5: 1020898 947daca038abf2eb07c4bb220b0c9276

Updated packages for Ubuntu 8.04 LTS:

  Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.diff.gz Size/MD5: 61334 1b3992acd9d6720686415752ec2b84da http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.dsc Size/MD5: 989 cf1add0defdb66648b3d327bb6fb3c59 http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz Size/MD5: 4351630 79625eaeb65907bfaf8b3036d81c82a5

  Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.8-5.1ubuntu2.2_all.deb Size/MD5: 1661790 6f1cf1970e15ae49e807c91b9a92d841 http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.8-5.1ubuntu2.2_all.deb Size/MD5: 942866 03c9f754644bab2a9bb59fb341988831

Updated packages for Ubuntu 8.10:

  Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.1.diff.gz Size/MD5: 69361 73955e746562f932d4c47650457e6d17 http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.1.dsc Size/MD5: 1266 95f6ced2570e48fcf3f947f8b0dee615 http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1.orig.tar.gz Size/MD5: 5468224 871337b8171c91f9a6803e5376857e8d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.7.1-1ubuntu1.1_all.deb       Size/MD5: 4498436 617459b556027289b17473abccade9ff

-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce