lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100312020112.GA7413@severus.strandboge.com>
Date: Thu, 11 Mar 2010 20:01:12 -0600
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-911-1] MoinMoin vulnerabilities

===========================================================
Ubuntu Security Notice USN-911-1             March 11, 2010
moin vulnerabilities
CVE-2010-0668, CVE-2010-0669, CVE-2010-0717
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-moinmoin              1.5.2-1ubuntu2.5

Ubuntu 8.04 LTS:
  python-moinmoin                 1.5.8-5.1ubuntu2.3

Ubuntu 8.10:
  python-moinmoin                 1.7.1-1ubuntu1.3

Ubuntu 9.04:
  python-moinmoin                 1.8.2-2ubuntu2.2

Ubuntu 9.10:
  python-moinmoin                 1.8.4-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that several wiki actions and preference settings in
MoinMoin were not protected from cross-site request forgery (CSRF). If an
authenticated user were tricked into visiting a malicious website while
logged into MoinMoin, a remote attacker could change the user's
configuration or wiki content. (CVE-2010-0668, CVE-2010-0717)

It was discovered that MoinMoin did not properly sanitize its input when
processing user preferences. An attacker could enter malicious content
which when viewed by a user, could render in unexpected ways.
(CVE-2010-0669)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.5.diff.gz
      Size/MD5:    47842 c9de4722f63975d5b0d549f4541faefb
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.5.dsc
      Size/MD5:      711 4261e09e14aba68d31430e62fad58b96
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
      Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.5_all.deb
      Size/MD5:  1508744 e4635b7122dc5791d393c23a50442f59
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.5_all.deb
      Size/MD5:    70056 c4d4c744b89a48208971de0f39487f78
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.5_all.deb
      Size/MD5:   836826 8dfa7e8f720ba2e20bd8255af805c51b

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.3.diff.gz
      Size/MD5:    67691 2c68baf991470b12246be536daeb8507
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.3.dsc
      Size/MD5:      990 db1dd97700f22787217f388eb38f9970
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz
      Size/MD5:  4351630 79625eaeb65907bfaf8b3036d81c82a5

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.8-5.1ubuntu2.3_all.deb
      Size/MD5:  1661934 c7dcf03359418f3bda85596ffaa8ca39
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.8-5.1ubuntu2.3_all.deb
      Size/MD5:   943176 9646e309a911cf1612bea0b639656a8d

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.3.diff.gz
      Size/MD5:    82145 883aaca0405a3c70dee3017934c02054
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1-1ubuntu1.3.dsc
      Size/MD5:     1351 2ec2a7468d65b3e259b7f513ee4b3dd3
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.7.1.orig.tar.gz
      Size/MD5:  5468224 871337b8171c91f9a6803e5376857e8d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.7.1-1ubuntu1.3_all.deb
      Size/MD5:  4498940 4d431e9e1fa15d78849f23c3fecc5237

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2-2ubuntu2.2.diff.gz
      Size/MD5:   104519 45d696b2c87d1e890fc1cb9bcdc29284
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2-2ubuntu2.2.dsc
      Size/MD5:     1354 73b47d21e13df9d87b5907c38dd02949
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2.orig.tar.gz
      Size/MD5:  5943057 b3ced56bbe09311a7c56049423214cdb

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.8.2-2ubuntu2.2_all.deb
      Size/MD5:  3903450 95c4bfcd53b45cf5bc7a5b369d2533c8

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4-1ubuntu1.1.diff.gz
      Size/MD5:   109195 ac4a31caeda3ff4f039d3adc38a2cc20
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4-1ubuntu1.1.dsc
      Size/MD5:     1359 3d53805d47bc3fbd25a1965b26f3b70b
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4.orig.tar.gz
      Size/MD5:  5959517 6a91a62f5c0dd5379f3c2411c6629496

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.8.4-1ubuntu1.1_all.deb
      Size/MD5:  3925688 ea6faa18323006cef4548b0a0e961350




Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ