[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070508070703.GM20826@outflux.net>
Date: Tue, 8 May 2007 00:07:03 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-458-1] MoinMoin vulnerabilities
===========================================================
Ubuntu Security Notice USN-458-1 May 07, 2007
moin vulnerabilities
CVE-2007-2423
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
python2.4-moinmoin 1.5.2-1ubuntu2.3
Ubuntu 6.10:
python2.4-moinmoin 1.5.3-1ubuntu1.3
Ubuntu 7.04:
python-moinmoin 1.5.3-1.1ubuntu3.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
A flaw was discovered in MoinMoin's error reporting when using the
AttachFile action. By tricking a user into viewing a crafted MoinMoin
URL, an attacker could execute arbitrary JavaScript as the current
MoinMoin user, possibly exposing the user's authentication information
for the domain where MoinMoin was hosted. (CVE-2007-2423)
Flaws were discovered in MoinMoin's ACL handling for calendars and
includes. Unauthorized users would be able to read pages that would
otherwise be unavailable to them.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.3.diff.gz
Size/MD5: 39487 c3b1dfe20a3bb839def08020159321ef
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.3.dsc
Size/MD5: 702 584b400e32f0fae1aef2fa69ffed2bd8
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
Size/MD5: 3975925 689ed7aa9619aa207398b996d68b4b87
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.3_all.deb
Size/MD5: 1507924 c53bc6a1452309b150dc86d0884feea6
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.3_all.deb
Size/MD5: 69548 cc8dd84cef4cd95749a7f3914c55b49b
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.3_all.deb
Size/MD5: 834738 950146660e787274fe0d69a8ab2bff5d
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.3.diff.gz
Size/MD5: 40234 e232754328aa47d1f2c5be8252392bf3
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.3.dsc
Size/MD5: 726 86bb330aafbfb7c428950f8646fc084b
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
Size/MD5: 4187091 e95ec46ee8de9527a39793108de22f7d
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1ubuntu1.3_all.deb
Size/MD5: 1574744 57f533196afd6198798b24eaa105d596
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1ubuntu1.3_all.deb
Size/MD5: 73640 64019d9f0109287760bfd5b4660cdc4b
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.3-1ubuntu1.3_all.deb
Size/MD5: 909078 f6deadb7c99624b72b08b973c0973f8f
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1.1ubuntu3.1.diff.gz
Size/MD5: 38905 30c1f2043f7629767530923b797026c5
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1.1ubuntu3.1.dsc
Size/MD5: 671 7209cfa3f1a21c1a45dcb2ddf16cabb9
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
Size/MD5: 4187091 e95ec46ee8de9527a39793108de22f7d
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1.1ubuntu3.1_all.deb
Size/MD5: 1574964 e73dd559227f0712c5d453b80a08f388
http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1.1ubuntu3.1_all.deb
Size/MD5: 914232 26c1e3c3344c2666c1150a77b0ffcccc
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists