LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: October 31st, 2014
Linux Security Week: October 27th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: MoinMoin vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu A flaw was discovered in MoinMoin's page name sanitizer which could lead to a cross-site scripting attack. By tricking a user into viewing a crafted MoinMoin page, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted.
=========================================================== 
Ubuntu Security Notice USN-421-1          February 10, 2007
moin, moin1.3 vulnerability
CVE-2007-0857
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  moin                                     1.2.4-1ubuntu2.1
  python2.3-moinmoin                       1.3.4-6ubuntu1.1
  python2.4-moinmoin                       1.3.4-6ubuntu1.1

Ubuntu 6.06 LTS:
  python2.4-moinmoin                       1.5.2-1ubuntu2.1

Ubuntu 6.10:
  python2.4-moinmoin                       1.5.3-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A flaw was discovered in MoinMoin's page name sanitizer which could lead 
to a cross-site scripting attack.  By tricking a user into viewing a 
crafted MoinMoin page, an attacker could execute arbitrary JavaScript as 
the current MoinMoin user, possibly exposing the user's authentication 
information for the domain where MoinMoin was hosted.


Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4-6ubuntu1.1.diff.gz
      Size/MD5:    44173 692c6d70ddfcd4bee6c52b5a058e12a5
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4-6ubuntu1.1.dsc
      Size/MD5:      787 5d884216cdba772e9e4aa899754b043f
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4.orig.tar.gz
      Size/MD5:  3085225 aff667e7c60c5af2525cd1381f417608
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.1.diff.gz
      Size/MD5:    38141 d36e9f5e4a49fbd5cbf3660e26a2bb08
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.1.dsc
      Size/MD5:      646 a12da82f5b5bc78c4fa81d0a41d3505d
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4.orig.tar.gz
      Size/MD5:  1142734 4fea82b27079d1db50a38cf06317cfaa

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.1_all.deb
      Size/MD5:   875380 c51d8534d114a5ac8168d74078d057ac
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moinmoin-common_1.3.4-6ubuntu1.1_all.deb
      Size/MD5:   726336 7d06a0597d2cf730071a3ab8f89fa1b1
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/python-moinmoin_1.3.4-6ubuntu1.1_all.deb
      Size/MD5:    50100 8989297583d220982a5d357024b67512
    http://security.ubuntu.com/ubuntu/pool/universe/m/moin1.3/python2.3-moinmoin_1.3.4-6ubuntu1.1_all.deb
      Size/MD5:   584174 320ab3f0940162c0d9effc5c6c20eeb6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/python2.4-moinmoin_1.3.4-6ubuntu1.1_all.deb
      Size/MD5:   584184 8d64c3204991c3f0f1ef23fbb76b3ccc

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.1.diff.gz
      Size/MD5:    36962 a118fa520ea2ffbb43138ddbed7fdf79
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.1.dsc
      Size/MD5:      702 220ca3322333fff147b16635b632b6a6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
      Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.1_all.deb
      Size/MD5:  1507708 cc18106ba9a34162b5895474ffcd78a3
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.1_all.deb
      Size/MD5:    69348 87fba532f3c2a2dbc4d5e24efe0adedf
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.1_all.deb
      Size/MD5:   834402 731d1b0936fe0002372e38fd196f2904

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.1.diff.gz
      Size/MD5:    37699 aa17a2ab9e6228584e6215bde1f65dcb
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.1.dsc
      Size/MD5:      726 cc673d0b1366fe30e7be24efb5655b08
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
      Size/MD5:  4187091 e95ec46ee8de9527a39793108de22f7d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1ubuntu1.1_all.deb
      Size/MD5:  1574710 405eb7dd6d415d75897b38c27c137cc6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1ubuntu1.1_all.deb
      Size/MD5:    73438 2257461978d5728ff0028cfef6964735
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.3-1ubuntu1.1_all.deb
      Size/MD5:   908768 b3a8d8fe09d6a0d33bde2a3e42c9d389


--+ARLBH93C7pgvpZY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFzTsHH/9LqRcGPm0RAmOjAJ9+WWIZ8otDqLelWsMEZLUziXKMzwCfaM/O
8KX3S8bOOPBALPoOuN4UQpo=KsWx
-----END PGP SIGNATURE-----

--+ARLBH93C7pgvpZY--


--==============66970528=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--==============66970528==--
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Pirate Bay founder guilty in historic hacker case
Parallels CTO: Linux container security is not the problem
Advisory says to assume all Drupal 7 websites are compromised
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.