Ubuntu: MoinMoin vulnerability
Posted by Benjamin D. Thomas   
Ubuntu A flaw was discovered in MoinMoin's page name sanitizer which could lead to a cross-site scripting attack. By tricking a user into viewing a crafted MoinMoin page, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted.
=========================================================== 
Ubuntu Security Notice USN-421-1          February 10, 2007
moin, moin1.3 vulnerability
CVE-2007-0857
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  moin                                     1.2.4-1ubuntu2.1
  python2.3-moinmoin                       1.3.4-6ubuntu1.1
  python2.4-moinmoin                       1.3.4-6ubuntu1.1

Ubuntu 6.06 LTS:
  python2.4-moinmoin                       1.5.2-1ubuntu2.1

Ubuntu 6.10:
  python2.4-moinmoin                       1.5.3-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A flaw was discovered in MoinMoin's page name sanitizer which could lead 
to a cross-site scripting attack.  By tricking a user into viewing a 
crafted MoinMoin page, an attacker could execute arbitrary JavaScript as 
the current MoinMoin user, possibly exposing the user's authentication 
information for the domain where MoinMoin was hosted.


Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4-6ubuntu1.1.diff.gz
      Size/MD5:    44173 692c6d70ddfcd4bee6c52b5a058e12a5
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4-6ubuntu1.1.dsc
      Size/MD5:      787 5d884216cdba772e9e4aa899754b043f
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moin1.3_1.3.4.orig.tar.gz
      Size/MD5:  3085225 aff667e7c60c5af2525cd1381f417608
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.1.diff.gz
      Size/MD5:    38141 d36e9f5e4a49fbd5cbf3660e26a2bb08
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.1.dsc
      Size/MD5:      646 a12da82f5b5bc78c4fa81d0a41d3505d
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4.orig.tar.gz
      Size/MD5:  1142734 4fea82b27079d1db50a38cf06317cfaa

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.2.4-1ubuntu2.1_all.deb
      Size/MD5:   875380 c51d8534d114a5ac8168d74078d057ac
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moinmoin-common_1.3.4-6ubuntu1.1_all.deb
      Size/MD5:   726336 7d06a0597d2cf730071a3ab8f89fa1b1
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/python-moinmoin_1.3.4-6ubuntu1.1_all.deb
      Size/MD5:    50100 8989297583d220982a5d357024b67512
    http://security.ubuntu.com/ubuntu/pool/universe/m/moin1.3/python2.3-moinmoin_1.3.4-6ubuntu1.1_all.deb
      Size/MD5:   584174 320ab3f0940162c0d9effc5c6c20eeb6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/python2.4-moinmoin_1.3.4-6ubuntu1.1_all.deb
      Size/MD5:   584184 8d64c3204991c3f0f1ef23fbb76b3ccc

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.1.diff.gz
      Size/MD5:    36962 a118fa520ea2ffbb43138ddbed7fdf79
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.1.dsc
      Size/MD5:      702 220ca3322333fff147b16635b632b6a6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
      Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.1_all.deb
      Size/MD5:  1507708 cc18106ba9a34162b5895474ffcd78a3
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.1_all.deb
      Size/MD5:    69348 87fba532f3c2a2dbc4d5e24efe0adedf
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.1_all.deb
      Size/MD5:   834402 731d1b0936fe0002372e38fd196f2904

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.1.diff.gz
      Size/MD5:    37699 aa17a2ab9e6228584e6215bde1f65dcb
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3-1ubuntu1.1.dsc
      Size/MD5:      726 cc673d0b1366fe30e7be24efb5655b08
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.3.orig.tar.gz
      Size/MD5:  4187091 e95ec46ee8de9527a39793108de22f7d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.3-1ubuntu1.1_all.deb
      Size/MD5:  1574710 405eb7dd6d415d75897b38c27c137cc6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.3-1ubuntu1.1_all.deb
      Size/MD5:    73438 2257461978d5728ff0028cfef6964735
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.3-1ubuntu1.1_all.deb
      Size/MD5:   908768 b3a8d8fe09d6a0d33bde2a3e42c9d389


--+ARLBH93C7pgvpZY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFzTsHH/9LqRcGPm0RAmOjAJ9+WWIZ8otDqLelWsMEZLUziXKMzwCfaM/O
8KX3S8bOOPBALPoOuN4UQpo=KsWx
-----END PGP SIGNATURE-----

--+ARLBH93C7pgvpZY--


--==============66970528=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--==============66970528==--