lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070508070703.GM20826@outflux.net>
Date: Tue, 8 May 2007 00:07:03 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-458-1] MoinMoin vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-458-1               May 07, 2007
moin vulnerabilities
CVE-2007-2423
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-moinmoin                       1.5.2-1ubuntu2.3

Ubuntu 6.10:
  python2.4-moinmoin                       1.5.3-1ubuntu1.3

Ubuntu 7.04:
  python-moinmoin                          1.5.3-1.1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A flaw was discovered in MoinMoin's error reporting when using the 
AttachFile action.  By tricking a user into viewing a crafted MoinMoin 
URL, an attacker could execute arbitrary JavaScript as the current 
MoinMoin user, possibly exposing the user's authentication information 
for the domain where MoinMoin was hosted. (CVE-2007-2423)

Flaws were discovered in MoinMoin's ACL handling for calendars and 
includes.  Unauthorized users would be able to read pages that would 
otherwise be unavailable to them.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.3.diff.gz
      Size/MD5:    39487 c3b1dfe20a3bb839def08020159321ef
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.3.dsc
      Size/MD5:      702 584b400e32f0fae1aef2fa69ffed2bd8
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
      Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.3_all.deb
      Size/MD5:  1507924 c53bc6a1452309b150dc86d0884feea6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.3_all.deb
      Size/MD5:    69548 cc8dd84cef4cd95749a7f3914c55b49b
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.3_all.deb
      Size/MD5:   834738 950146660e787274fe0d69a8ab2bff5d

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.3.diff.gz
      Size/MD5:    40234 e232754328aa47d1f2c5be8252392bf3
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.3.dsc
      Size/MD5:      726 86bb330aafbfb7c428950f8646fc084b
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
      Size/MD5:  4187091 e95ec46ee8de9527a39793108de22f7d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1ubuntu1.3_all.deb
      Size/MD5:  1574744 57f533196afd6198798b24eaa105d596
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1ubuntu1.3_all.deb
      Size/MD5:    73640 64019d9f0109287760bfd5b4660cdc4b
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.3-1ubuntu1.3_all.deb
      Size/MD5:   909078 f6deadb7c99624b72b08b973c0973f8f

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1.1ubuntu3.1.diff.gz
      Size/MD5:    38905 30c1f2043f7629767530923b797026c5
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1.1ubuntu3.1.dsc
      Size/MD5:      671 7209cfa3f1a21c1a45dcb2ddf16cabb9
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
      Size/MD5:  4187091 e95ec46ee8de9527a39793108de22f7d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1.1ubuntu3.1_all.deb
      Size/MD5:  1574964 e73dd559227f0712c5d453b80a08f388
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1.1ubuntu3.1_all.deb
      Size/MD5:   914232 26c1e3c3344c2666c1150a77b0ffcccc


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ