[Full-disclosure] [USN-977-1] MoinMoin vulnerabilities



===========================================================
Ubuntu Security Notice USN-977-1 August 25, 2010
moin vulnerabilities
CVE-2010-2487, CVE-2010-2969, CVE-2010-2970
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
python2.4-moinmoin 1.5.2-1ubuntu2.7

Ubuntu 8.04 LTS:
python-moinmoin 1.5.8-5.1ubuntu2.5

Ubuntu 9.04:
python-moinmoin 1.8.2-2ubuntu2.5

Ubuntu 9.10:
python-moinmoin 1.8.4-1ubuntu1.3

Ubuntu 10.04 LTS:
python-moinmoin 1.9.2-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that MoinMoin did not properly sanitize its input,
resulting in cross-site scripting (XSS) vulnerabilities. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.7.diff.gz
Size/MD5: 49089 798d58a0653bc3c6f340a8dfcd67139a
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.7.dsc
Size/MD5: 711 b3b09797305667d6fcfd30e8bf7876ba
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
Size/MD5: 3975925 689ed7aa9619aa207398b996d68b4b87

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.7_all.deb
Size/MD5: 1508970 fbda9dabaa4e983fbc56b10d59c3fc2d
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.7_all.deb
Size/MD5: 70242 750193bf55e2d3df3f2fde6ed6b03a67
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.7_all.deb
Size/MD5: 837102 5a32177941963f7e4f706c3277c13b2d

Updated packages for Ubuntu 8.04 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.5.diff.gz
Size/MD5: 68607 0edfd9492a73f79ec0abc4bc92d37be3
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.5.dsc
Size/MD5: 990 ced66d820c57593f80df919fa69170b6
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz
Size/MD5: 4351630 79625eaeb65907bfaf8b3036d81c82a5

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.8-5.1ubuntu2.5_all.deb
Size/MD5: 1662232 91ca3ee6f8d48db16e29aff8d3f923e6
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.8-5.1ubuntu2.5_all.deb
Size/MD5: 943264 3c08830a948982b97c93a331b2188b55

Updated packages for Ubuntu 9.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2-2ubuntu2.5.diff.gz
Size/MD5: 109042 f0195805c73089e3fda1ad724fb60493
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2-2ubuntu2.5.dsc
Size/MD5: 1354 307dda00e18ff959b74eb47c7082e954
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2.orig.tar.gz
Size/MD5: 5943057 b3ced56bbe09311a7c56049423214cdb

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.8.2-2ubuntu2.5_all.deb
Size/MD5: 3904124 583e95f544c30bbd69655ce5b7d21dbf

Updated packages for Ubuntu 9.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4-1ubuntu1.3.diff.gz
Size/MD5: 113133 d84de84bb2707f19f7a301e34505c313
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4-1ubuntu1.3.dsc
Size/MD5: 1359 510b24aa0fc1f45708dba675ddb4b322
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4.orig.tar.gz
Size/MD5: 5959517 6a91a62f5c0dd5379f3c2411c6629496

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.8.4-1ubuntu1.3_all.deb
Size/MD5: 3926296 280bb8332b7e105762cc417553579adc

Updated packages for Ubuntu 10.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2-2ubuntu3.1.debian.tar.gz
Size/MD5: 120262 a968937a9e6fa0a2a01c00fd72d35e94
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2-2ubuntu3.1.dsc
Size/MD5: 1297 0771b4b929b30d60adf7932855653ba2
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2.orig.tar.gz
Size/MD5: 30111807 e464c474c3a56c803dc553b8ca13c37f

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.9.2-2ubuntu3.1_all.deb
Size/MD5: 14816954 944de011cd3e5cb24c8bd58cc4666882



Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • [Full-disclosure] [USN-947-2] Linux kernel regression
    ... A security issue affects the following Ubuntu releases: ... Ubuntu 10.04 LTS ... crafted traffic to crash the system, leading to a denial of service. ... A local attacker with write access to a GFS2 filesystem could exploit ...
    (Full-Disclosure)
  • [Suspected Spam][USN-947-2] Linux kernel regression
    ... A security issue affects the following Ubuntu releases: ... Ubuntu 10.04 LTS ... crafted traffic to crash the system, leading to a denial of service. ... A local attacker with write access to a GFS2 filesystem could exploit ...
    (Bugtraq)
  • [Full-disclosure] [USN-966-1] Linux kernel vulnerabilities
    ... A security issue affects the following Ubuntu releases: ... Ubuntu 6.06 LTS ... Architecture independent packages: ... amd64 architecture: ...
    (Full-Disclosure)
  • [Full-disclosure] [USN-947-1] Linux kernel vulnerabilities
    ... A security issue affects the following Ubuntu releases: ... Ubuntu 6.06 LTS ... A local attacker with write access to a GFS2 filesystem could exploit ... amd64 architecture: ...
    (Full-Disclosure)
  • Re: Get ubuntu ! Get ubuntu ! Get ubuntu ! Get ubuntu !
    ... If one does decide to try Ubuntu, get the "LTS", because the 6mo release intervals is "bleeding edge" and can/will cause you trouble. ... I have DL'd the 9.04 ISO and checked it out, but it still doesn't recognize my built in wireless. ... install the OS, I install the programs they want and I show them how to use Ubuntu. ...
    (microsoft.public.windows.vista.general)