Ubuntu 716-1: MoinMoin vulnerabilities

    Date29 Jan 2009
    CategoryUbuntu
    43
    Posted ByLinuxSecurity Advisories
    Fernando Quintero discovered than MoinMoin did not properly sanitize itsinput when processing login requests, resulting in cross-site scripting (XSS)vulnerabilities. With cross-site scripting vulnerabilities, if a user weretricked into viewing server output during a crafted server request, a remoteattacker could exploit this to modify the contents, or steal confidential data, [More...]
    ===========================================================
    Ubuntu Security Notice USN-716-1           January 30, 2009
    moin vulnerabilities
    CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098,
    CVE-2008-1099, CVE-2009-0260, CVE-2009-0312
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 6.06 LTS
    Ubuntu 7.10
    Ubuntu 8.04 LTS
    Ubuntu 8.10
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 6.06 LTS:
      python2.4-moinmoin              1.5.2-1ubuntu2.4
    
    Ubuntu 7.10:
      python-moinmoin                 1.5.7-3ubuntu2.1
    
    Ubuntu 8.04 LTS:
      python-moinmoin                 1.5.8-5.1ubuntu2.2
    
    Ubuntu 8.10:
      python-moinmoin                 1.7.1-1ubuntu1.1
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    Details follow:
    
    Fernando Quintero discovered than MoinMoin did not properly sanitize its
    input when processing login requests, resulting in cross-site scripting (XSS)
    vulnerabilities. With cross-site scripting vulnerabilities, if a user were
    tricked into viewing server output during a crafted server request, a remote
    attacker could exploit this to modify the contents, or steal confidential data,
    within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS.
    (CVE-2008-0780)
    
    Fernando Quintero discovered that MoinMoin did not properly sanitize its input
    when attaching files, resulting in cross-site scripting vulnerabilities. This
    issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781)
    
    It was discovered that MoinMoin did not properly sanitize its input when
    processing user forms. A remote attacker could submit crafted cookie values and
    overwrite arbitrary files via directory traversal. This issue affected Ubuntu
    6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782)
    
    It was discovered that MoinMoin did not properly sanitize its input when
    editing pages, resulting in cross-site scripting vulnerabilities. This issue
    only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)
    
    It was discovered that MoinMoin did not properly enforce access controls,
    which could allow a remoter attacker to view private pages. This issue only
    affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)
    
    It was discovered that MoinMoin did not properly sanitize its input when
    attaching files and using the rename parameter, resulting in cross-site
    scripting vulnerabilities. (CVE-2009-0260)
    
    It was discovered that MoinMoin did not properly sanitize its input when
    displaying error messages after processing spam, resulting in cross-site
    scripting vulnerabilities. (CVE-2009-0312)
    
    
    Updated packages for Ubuntu 6.06 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.diff.gz
          Size/MD5:    42544 ebd2cc72e4a9b91642c7e5b7fcae7754
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.dsc
          Size/MD5:      710 1c979ab18f50b60ec0b9494a7513b71f
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
          Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.4_all.deb
          Size/MD5:  1508228 88106c7e059b5b91deac7bfb71f96fb3
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.4_all.deb
          Size/MD5:    69842 bf8ce8a5b46a32185e1f09af0b370e41
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.4_all.deb
          Size/MD5:   835312 aa269dbf77b123fe000ee69de31df352
    
    Updated packages for Ubuntu 7.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.diff.gz
          Size/MD5:    57794 cbaa73b938fa38550adfca2cd82b2228
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.dsc
          Size/MD5:      805 ac38488f222ba5451ae827b834713bf2
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7.orig.tar.gz
          Size/MD5:  4411634 b304f1c2054c7f3bf0dc48c141b28b33
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.7-3ubuntu2.1_all.deb
          Size/MD5:  1660458 98e840ca6bc4322a5a8c9c2776e5ff18
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.7-3ubuntu2.1_all.deb
          Size/MD5:  1020898 947daca038abf2eb07c4bb220b0c9276
    
    Updated packages for Ubuntu 8.04 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.diff.gz
          Size/MD5:    61334 1b3992acd9d6720686415752ec2b84da
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.dsc
          Size/MD5:      989 cf1add0defdb66648b3d327bb6fb3c59
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz
          Size/MD5:  4351630 79625eaeb65907bfaf8b3036d81c82a5
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.8-5.1ubuntu2.2_all.deb
          Size/MD5:  1661790 6f1cf1970e15ae49e807c91b9a92d841
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.8-5.1ubuntu2.2_all.deb
          Size/MD5:   942866 03c9f754644bab2a9bb59fb341988831
    
    Updated packages for Ubuntu 8.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.1.diff.gz
          Size/MD5:    69361 73955e746562f932d4c47650457e6d17
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.1.dsc
          Size/MD5:     1266 95f6ced2570e48fcf3f947f8b0dee615
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1.orig.tar.gz
          Size/MD5:  5468224 871337b8171c91f9a6803e5376857e8d
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.7.1-1ubuntu1.1_all.deb
          Size/MD5:  4498436 617459b556027289b17473abccade9ff
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":55.56,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.11,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":33.33,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.