lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1282750872.2662.8.camel@mdlinux>
Date: Wed, 25 Aug 2010 11:41:12 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-977-1] MoinMoin vulnerabilities

===========================================================
Ubuntu Security Notice USN-977-1            August 25, 2010
moin vulnerabilities
CVE-2010-2487, CVE-2010-2969, CVE-2010-2970
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-moinmoin              1.5.2-1ubuntu2.7

Ubuntu 8.04 LTS:
  python-moinmoin                 1.5.8-5.1ubuntu2.5

Ubuntu 9.04:
  python-moinmoin                 1.8.2-2ubuntu2.5

Ubuntu 9.10:
  python-moinmoin                 1.8.4-1ubuntu1.3

Ubuntu 10.04 LTS:
  python-moinmoin                 1.9.2-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that MoinMoin did not properly sanitize its input,
resulting in cross-site scripting (XSS) vulnerabilities. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.7.diff.gz
      Size/MD5:    49089 798d58a0653bc3c6f340a8dfcd67139a
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.7.dsc
      Size/MD5:      711 b3b09797305667d6fcfd30e8bf7876ba
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
      Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.7_all.deb
      Size/MD5:  1508970 fbda9dabaa4e983fbc56b10d59c3fc2d
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.7_all.deb
      Size/MD5:    70242 750193bf55e2d3df3f2fde6ed6b03a67
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.7_all.deb
      Size/MD5:   837102 5a32177941963f7e4f706c3277c13b2d

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.5.diff.gz
      Size/MD5:    68607 0edfd9492a73f79ec0abc4bc92d37be3
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.5.dsc
      Size/MD5:      990 ced66d820c57593f80df919fa69170b6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz
      Size/MD5:  4351630 79625eaeb65907bfaf8b3036d81c82a5

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.8-5.1ubuntu2.5_all.deb
      Size/MD5:  1662232 91ca3ee6f8d48db16e29aff8d3f923e6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.8-5.1ubuntu2.5_all.deb
      Size/MD5:   943264 3c08830a948982b97c93a331b2188b55

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2-2ubuntu2.5.diff.gz
      Size/MD5:   109042 f0195805c73089e3fda1ad724fb60493
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2-2ubuntu2.5.dsc
      Size/MD5:     1354 307dda00e18ff959b74eb47c7082e954
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2.orig.tar.gz
      Size/MD5:  5943057 b3ced56bbe09311a7c56049423214cdb

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.8.2-2ubuntu2.5_all.deb
      Size/MD5:  3904124 583e95f544c30bbd69655ce5b7d21dbf

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4-1ubuntu1.3.diff.gz
      Size/MD5:   113133 d84de84bb2707f19f7a301e34505c313
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4-1ubuntu1.3.dsc
      Size/MD5:     1359 510b24aa0fc1f45708dba675ddb4b322
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4.orig.tar.gz
      Size/MD5:  5959517 6a91a62f5c0dd5379f3c2411c6629496

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.8.4-1ubuntu1.3_all.deb
      Size/MD5:  3926296 280bb8332b7e105762cc417553579adc

Updated packages for Ubuntu 10.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2-2ubuntu3.1.debian.tar.gz
      Size/MD5:   120262 a968937a9e6fa0a2a01c00fd72d35e94
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2-2ubuntu3.1.dsc
      Size/MD5:     1297 0771b4b929b30d60adf7932855653ba2
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2.orig.tar.gz
      Size/MD5: 30111807 e464c474c3a56c803dc553b8ca13c37f

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.9.2-2ubuntu3.1_all.deb
      Size/MD5: 14816954 944de011cd3e5cb24c8bd58cc4666882




Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ