[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070220215027.GQ11187@outflux.net>
Date: Tue, 20 Feb 2007 13:50:27 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-423-1] MoinMoin vulnerabilities
===========================================================
Ubuntu Security Notice USN-423-1 February 20, 2007
moin, moin1.3 vulnerabilities
CVE-2007-0901, CVE-2007-0902
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.10:
moin 1.2.4-1ubuntu2.2
python-moinmoin 1.3.4-6ubuntu1.5.10
Ubuntu 6.06 LTS:
python-moinmoin 1.5.2-1ubuntu2.2
Ubuntu 6.10:
python-moinmoin 1.5.3-1ubuntu1.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
A flaw was discovered in MoinMoin's debug reporting sanitizer which
could lead to a cross-site scripting attack. By tricking a user into
viewing a crafted MoinMoin URL, an attacker could execute arbitrary
JavaScript as the current MoinMoin user, possibly exposing the user's
authentication information for the domain where MoinMoin was hosted.
Only Ubuntu Breezy was vulnerable. (CVE-2007-0901)
An information leak was discovered in MoinMoin's debug reporting, which
could expose information about the versions of software running on the
host system. MoinMoin administrators can add "show_traceback=0" to
their site configurations to disable debug tracebacks. (CVE-2007-0902)
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4-6ubuntu1.5.10.diff.gz
Size/MD5: 45055 cf953c316085948e8dc9611835921bdc
http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4-6ubuntu1.5.10.dsc
Size/MD5: 793 72c93be58cada2d2ea43a6e8904a56ac
http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4.orig.tar.gz
Size/MD5: 3085225 aff667e7c60c5af2525cd1381f417608
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.2.diff.gz
Size/MD5: 39039 5b3de304bb89b4ae0ca9a0a2a9c4703d
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.2.dsc
Size/MD5: 646 49eadc7ac308498b2c53cde03ab8bc72
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4.orig.tar.gz
Size/MD5: 1142734 4fea82b27079d1db50a38cf06317cfaa
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.2_all.deb
Size/MD5: 875492 439ce6791bfc4634de3c20f2aedbe025
http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moinmoin-common_1.3.4-6ubuntu1.5.10_all.deb
Size/MD5: 726416 f91ba8e0a07d25811754b6d4c62a1696
http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/python-moinmoin_1.3.4-6ubuntu1.5.10_all.deb
Size/MD5: 50240 579771bff2ed9e979a477d7b5c47c229
http://security.ubuntu.com/ubuntu/pool/universe/m/moin1.3/python2.3-moinmoin_1.3.4-6ubuntu1.5.10_all.deb
Size/MD5: 584382 ed7269eefdbb71e2d060c325492cff1d
http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/python2.4-moinmoin_1.3.4-6ubuntu1.5.10_all.deb
Size/MD5: 584386 c914fa345dfdd89dc5896b04f1b02acc
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.2.diff.gz
Size/MD5: 37929 15194fb653e00c43092afcd7cf7efdcd
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.2.dsc
Size/MD5: 702 050a5cfec5708d8da0a1a6cc69621696
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
Size/MD5: 3975925 689ed7aa9619aa207398b996d68b4b87
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.2_all.deb
Size/MD5: 1507826 a10aea39090b803979f40169b09d9eee
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.2_all.deb
Size/MD5: 69418 c0c6ccb72d6086ca701806cc7375ab82
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.2_all.deb
Size/MD5: 834508 a0b20e90fd41c46caaf09229e32585e8
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.2.diff.gz
Size/MD5: 38642 4f9dbe80cf2f2fd62f962fbed248f65a
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.2.dsc
Size/MD5: 726 379049d45f6684d2bc38f7ea5f722afe
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
Size/MD5: 4187091 e95ec46ee8de9527a39793108de22f7d
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1ubuntu1.2_all.deb
Size/MD5: 1574742 9e686f13fbda8d19c7e10db62b7b522b
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1ubuntu1.2_all.deb
Size/MD5: 73506 8fcda2db454c1492332cb764b081d902
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.3-1ubuntu1.2_all.deb
Size/MD5: 908884 abae777420f930a54430c6438316a20f
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists