Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 305663 (CVE-2010-0668) - <www-apps/moinmoin-1.8.8: multiple vulnerabilites (CVE-2010-{0668,0669,0717,0828,1238,2487,2969,2970})
Summary: <www-apps/moinmoin-1.8.8: multiple vulnerabilites (CVE-2010-{0668,0669,0717,0...
Status: RESOLVED FIXED
Alias: CVE-2010-0668
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://moinmo.in/SecurityFixes
Whiteboard: B3 [glsa]
Keywords:
: CVE-2010-0667 (view as bug list)
Depends on: CVE-2008-5983
Blocks:
  Show dependency tree
 
Reported: 2010-02-17 21:33 UTC by Krzysiek
Modified: 2012-10-18 20:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Krzysiek 2010-02-17 21:33:41 UTC
There is a new version of moinmoin wiki engine available. Would be very nice to have the 1.9 branch in Portage.

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2010-02-18 02:11:17 UTC
Version 1.9.1:
  Bug fixes:
  * Fixed sys.argv security issue.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-18 19:10:47 UTC
web-apps, please bump.

Is it okay to mark it stable after that?
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:59:31 UTC
CVE-2010-0667 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0667):
  MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of
  the sys.argv array in situations where the GATEWAY_INTERFACE
  environment variable is set, which allows remote attackers to obtain
  sensitive information via unspecified vectors.

CVE-2010-0668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0668):
  Unspecified vulnerability in MoinMoin 1.5.x through 1.7.x, 1.8.x
  before 1.8.7, and 1.9.x before 1.9.2 has unknown impact and attack
  vectors, related to configurations that have a non-empty superuser
  list, the xmlrpc action enabled, the SyncPages action enabled, or
  OpenID configured.

CVE-2010-0669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0669):
  MoinMoin before 1.8.7 and 1.9.x before 1.9.2 does not properly
  sanitize user profiles, which has unspecified impact and attack
  vectors.

CVE-2010-0717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0717):
  The default configuration of cfg.packagepages_actions_excluded in
  MoinMoin before 1.8.7 does not prevent unsafe package actions, which
  has unspecified impact and attack vectors.

Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 03:51:17 UTC
We need 1.9.2.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 04:04:53 UTC
CVE-2010-0828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0828):
  Cross-site scripting (XSS) vulnerability in action/Despam.py in the
  Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote
  authenticated users to inject arbitrary web script or HTML by
  creating a page with a crafted URI.

CVE-2010-1238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1238):
  MoinMoin 1.7.1 allows remote attackers to bypass the textcha
  protection mechanism by modifying the textcha-question and
  textcha-answer fields to have empty values.

Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:02:07 UTC
CVE-2010-0828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0828):
  Cross-site scripting (XSS) vulnerability in action/Despam.py in the
  Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote
  authenticated users to inject arbitrary web script or HTML by
  creating a page with a crafted URI.

Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 15:20:39 UTC
CVE-2010-2487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2487):
  Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3
  and earlier, 1.8.x before 1.8.8, and 1.9.x before 1.9.3 allow remote
  attackers to inject arbitrary web script or HTML via crafted content,
  related to (1) Page.py, (2) PageEditor.py, (3)
  PageGraphicalEditor.py, (4) action/CopyPage.py, (5) action/Load.py,
  (6) action/RenamePage.py, (7) action/backup.py, (8) action/login.py,
  (9) action/newaccount.py, and (10) action/recoverpass.py.

CVE-2010-2969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2969):
  Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3
  and earlier, and 1.9.x before 1.9.3, allow remote attackers to inject
  arbitrary web script or HTML via crafted content, related to (1)
  action/LikePages.py, (2) action/chart.py, and (3)
  action/userprofile.py, a similar issue to CVE-2010-2487.

CVE-2010-2970 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2970):
  Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x
  before 1.9.3 allow remote attackers to inject arbitrary web script or
  HTML via crafted content, related to (1) action/SlideShow.py, (2)
  action/anywikidraw.py, and (3) action/language_setup.py, a similar
  issue to CVE-2010-2487.

Comment 8 Tim Harder gentoo-dev 2010-10-13 00:20:09 UTC
I've added 1.8.8 to the tree which should have fixes for these security issues. 1.9.3 will be following soon.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2010-10-13 03:02:01 UTC
*** Bug 334697 has been marked as a duplicate of this bug. ***
Comment 10 Tim Harder gentoo-dev 2010-10-13 18:03:45 UTC
Arches please test and mark stable =www-apps/moinmoin-1.8.8.
Target keywords: amd64, ppc, sparc, x86
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2010-10-13 19:24:36 UTC
amd64 done
Comment 12 Markus Meier gentoo-dev 2010-10-13 20:12:05 UTC
x86 stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2010-10-15 12:52:20 UTC
ppc done
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-10-17 09:05:54 UTC
Dropping CVE-2010-0667, as it is 1.9.x-only.
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2010-10-30 18:02:27 UTC
sparc stable
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2010-10-30 18:35:08 UTC
GLSA Vote: Yes, there is a not of non-XSS impact.
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:12:04 UTC
GLSA request filed.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-10-18 20:58:51 UTC
This issue was resolved and addressed in
 GLSA 201210-02 at http://security.gentoo.org/glsa/glsa-201210-02.xml
by GLSA coordinator Stefan Behte (craig).