===========================================================
Ubuntu Security Notice USN-925-1 April 08, 2010
moin vulnerabilities
CVE-2010-0828, CVE-2010-1238
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
python2.4-moinmoin 1.5.2-1ubuntu2.6

Ubuntu 8.04 LTS:
python-moinmoin 1.5.8-5.1ubuntu2.4

Ubuntu 8.10:
python-moinmoin 1.7.1-1ubuntu1.5

Ubuntu 9.04:
python-moinmoin 1.8.2-2ubuntu2.3

Ubuntu 9.10:
python-moinmoin 1.8.4-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that MoinMoin did not properly sanitize its input when
processing Despam actions, resulting in cross-site scripting (XSS)
vulnerabilities. If a privileged wiki user were tricked into performing
the Despam action on a page with a crafted title, a remote attacker could
exploit this to execute JavaScript code. (CVE-2010-0828)

It was discovered that the TextCha protection in MoinMoin could be bypassed
by submitting a crafted form request. This issue only affected Ubuntu 8.10.
(CVE-2010-1238)

===========================================================
Ubuntu Security Notice USN-911-1 March 11, 2010
moin vulnerabilities
CVE-2010-0668, CVE-2010-0669, CVE-2010-0717
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
python2.4-moinmoin 1.5.2-1ubuntu2.5

Ubuntu 8.04 LTS:
python-moinmoin 1.5.8-5.1ubuntu2.3

Ubuntu 8.10:
python-moinmoin 1.7.1-1ubuntu1.3

Ubuntu 9.04:
python-moinmoin 1.8.2-2ubuntu2.2

Ubuntu 9.10:
python-moinmoin 1.8.4-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that several wiki actions and preference settings in
MoinMoin were not protected from cross-site request forgery (CSRF). If an
authenticated user were tricked into visiting a malicious website while
logged into MoinMoin, a remote attacker could change the user’s
configuration or wiki content. (CVE-2010-0668, CVE-2010-0717)

It was discovered that MoinMoin did not properly sanitize its input when
processing user preferences. An attacker could enter malicious content
which when viewed by a user, could render in unexpected ways.
(CVE-2010-0669)