USN-458-1: MoinMoin vulnerabilities

Posted by Bob on: 05/08/2007 08:10 AM [ Print | 0 comment(s) ]

A new MoinMoin vulnerabilities update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-458-1 May 07, 2007
moin vulnerabilities
CVE-2007-2423
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
python2.4-moinmoin 1.5.2-1ubuntu2.3

Ubuntu 6.10:
python2.4-moinmoin 1.5.3-1ubuntu1.3

Ubuntu 7.04:
python-moinmoin 1.5.3-1.1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A flaw was discovered in MoinMoin's error reporting when using the=20
AttachFile action. By tricking a user into viewing a crafted MoinMoin=20
URL, an attacker could execute arbitrary JavaScript as the current=20
MoinMoin user, possibly exposing the user's authentication information=20
for the domain where MoinMoin was hosted. (CVE-2007-2423)

Flaws were discovered in MoinMoin's ACL handling for calendars and=20
includes. Unauthorized users would be able to read pages that would=20
otherwise be unavailable to them.

Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.=
3.diff.gz
Size/MD5: 39487 c3b1dfe20a3bb839def08020159321ef
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.=
3.dsc
Size/MD5: 702 584b400e32f0fae1aef2fa69ffed2bd8
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.=
gz
Size/MD5: 3975925 689ed7aa9619aa207398b996d68b4b87

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.=
2-1ubuntu2.3_all.deb
Size/MD5: 1507924 c53bc6a1452309b150dc86d0884feea6
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.=
2-1ubuntu2.3_all.deb
Size/MD5: 69548 cc8dd84cef4cd95749a7f3914c55b49b
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1=
=2E5.2-1ubuntu2.3_all.deb
Size/MD5: 834738 950146660e787274fe0d69a8ab2bff5d

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.=
3.diff.gz
Size/MD5: 40234 e232754328aa47d1f2c5be8252392bf3
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.=
3.dsc
Size/MD5: 726 86bb330aafbfb7c428950f8646fc084b
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.=
gz
Size/MD5: 4187091 e95ec46ee8de9527a39793108de22f7d

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.=
3-1ubuntu1.3_all.deb
Size/MD5: 1574744 57f533196afd6198798b24eaa105d596
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.=
3-1ubuntu1.3_all.deb
Size/MD5: 73640 64019d9f0109287760bfd5b4660cdc4b
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1=
=2E5.3-1ubuntu1.3_all.deb
Size/MD5: 909078 f6deadb7c99624b72b08b973c0973f8f

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1.1ubuntu=
3.1.diff.gz
Size/MD5: 38905 30c1f2043f7629767530923b797026c5
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1.1ubuntu=
3.1.dsc
Size/MD5: 671 7209cfa3f1a21c1a45dcb2ddf16cabb9
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.=
gz
Size/MD5: 4187091 e95ec46ee8de9527a39793108de22f7d

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.=
3-1.1ubuntu3.1_all.deb
Size/MD5: 1574964 e73dd559227f0712c5d453b80a08f388
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.=
3-1.1ubuntu3.1_all.deb
Size/MD5: 914232 26c1e3c3344c2666c1150a77b0ffcccc

--qMKY6FR9kfgQNBz7
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGQCGXH/9LqRcGPm0RAtLOAJ9/4dsEQxFd90lFvj19+xznr/KCywCgmSwC
KaGar0Q1l6ayjpiCACLC4rU=
=QLCU
-----END PGP SIGNATURE-----