LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 21st, 2014
Linux Security Week: April 7th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: MoinMoin vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu A flaw was discovered in MoinMoin's error reporting when using the AttachFile action. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted.
=========================================================== 
Ubuntu Security Notice USN-458-1               May 07, 2007
moin vulnerabilities
CVE-2007-2423
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-moinmoin                       1.5.2-1ubuntu2.3

Ubuntu 6.10:
  python2.4-moinmoin                       1.5.3-1ubuntu1.3

Ubuntu 7.04:
  python-moinmoin                          1.5.3-1.1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A flaw was discovered in MoinMoin's error reporting when using the 
AttachFile action.  By tricking a user into viewing a crafted MoinMoin 
URL, an attacker could execute arbitrary JavaScript as the current 
MoinMoin user, possibly exposing the user's authentication information 
for the domain where MoinMoin was hosted. (CVE-2007-2423)

Flaws were discovered in MoinMoin's ACL handling for calendars and 
includes.  Unauthorized users would be able to read pages that would 
otherwise be unavailable to them.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.3.diff.gz
      Size/MD5:    39487 c3b1dfe20a3bb839def08020159321ef
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.3.dsc
      Size/MD5:      702 584b400e32f0fae1aef2fa69ffed2bd8
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
      Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.3_all.deb
      Size/MD5:  1507924 c53bc6a1452309b150dc86d0884feea6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.3_all.deb
      Size/MD5:    69548 cc8dd84cef4cd95749a7f3914c55b49b
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.3_all.deb
      Size/MD5:   834738 950146660e787274fe0d69a8ab2bff5d

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.3.diff.gz
      Size/MD5:    40234 e232754328aa47d1f2c5be8252392bf3
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.3.dsc
      Size/MD5:      726 86bb330aafbfb7c428950f8646fc084b
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
      Size/MD5:  4187091 e95ec46ee8de9527a39793108de22f7d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1ubuntu1.3_all.deb
      Size/MD5:  1574744 57f533196afd6198798b24eaa105d596
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1ubuntu1.3_all.deb
      Size/MD5:    73640 64019d9f0109287760bfd5b4660cdc4b
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.3-1ubuntu1.3_all.deb
      Size/MD5:   909078 f6deadb7c99624b72b08b973c0973f8f

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1.1ubuntu3.1.diff.gz
      Size/MD5:    38905 30c1f2043f7629767530923b797026c5
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1.1ubuntu3.1.dsc
      Size/MD5:      671 7209cfa3f1a21c1a45dcb2ddf16cabb9
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
      Size/MD5:  4187091 e95ec46ee8de9527a39793108de22f7d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1.1ubuntu3.1_all.deb
      Size/MD5:  1574964 e73dd559227f0712c5d453b80a08f388
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1.1ubuntu3.1_all.deb
      Size/MD5:   914232 26c1e3c3344c2666c1150a77b0ffcccc


 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Linux Foundation enlists Microsoft, Google to prevent the next Heartbleed
Heartbleed prompts joint vendor effort to boost OpenSSL, security
F.B.I. Informant Is Tied to Cyberattacks Abroad
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.