Debian Bug report logs - #569975
python-moinmoin: Serious security issue in all moinmoin versions

version graph

Package: python-moinmoin; Maintainer for python-moinmoin is Steve McIntyre <93sam@debian.org>; Source for python-moinmoin is src:moin.

Reported by: John Goerzen <jgoerzen@complete.org>

Date: Mon, 15 Feb 2010 15:30:01 UTC

Severity: grave

Tags: security

Found in versions moin/1.5.3-1.2etch2, moin/1.7.1-3+lenny2, moin/1.9.1-1, moin/1.5.3-1.2

Fixed in versions moin/1.7.1-3+lenny3, moin/1.9.2-1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#569975; Package python-moinmoin. (Mon, 15 Feb 2010 15:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to John Goerzen <jgoerzen@complete.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonas Smedegaard <dr@jones.dk>. (Mon, 15 Feb 2010 15:30:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: John Goerzen <jgoerzen@complete.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-moinmoin: Serious security issue in all moinmoin versions
Date: Mon, 15 Feb 2010 09:29:04 -0600
Package: python-moinmoin
Version: 1.5.3-1.2etch2
Severity: grave
Tags: security
Justification: user security hole

Per http://moinmo.in/SecurityFixes, there is a major security issue in
moin.  It affects all moin versions from "1.5.0 up to and including
1.9.1".

This means that all of these versions are vulnerable:

etch (oldstable): 1.5.3-1.2etch2

lenny (stable): 1.7.1-3+lenny2

squeeze (testing) & sid (unstable): 1.9.1-1


The Moin team has released 1.8.7, which patches the issue in 1.8.6.
They have not yet issued a patch for any other branch, including the
1.9.1 branch, although it appears that they are working on it.  That
patch may be instructive on patching these other versions.




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#569975; Package python-moinmoin. (Mon, 15 Feb 2010 15:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to John Goerzen <jgoerzen@complete.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Mon, 15 Feb 2010 15:39:03 GMT) Full text and rfc822 format available.

Message #10 received at 569975@bugs.debian.org (full text, mbox):

From: John Goerzen <jgoerzen@complete.org>
To: 569975@bugs.debian.org, control@bugs.debian.org, security@debian.org
Subject: Additional information on moin security bug
Date: Mon, 15 Feb 2010 09:37:00 -0600
found 569975 1.7.1-3+lenny2
found 569975 1.9.1-1
thanks

The security team can coordinate this with Thomas Waldmann, who has
contact information at http://moinmo.in/ThomasWaldmann and is on
FreeNode as ThomasWaldmann.

Here is an IRC conversation transcript:

<CosmicRay> Hi folks.  Question about the security problems: 1) am I
right that there is no fix for 1.9.1 right now?  2) What's the deal with
SecurityFixes/Installation referencing patches on SecurityFixes?  I'm
not seeing any recent patches on SecurityFixes.  Has your policy for
that stuff changed?
<ThomasWaldmann> 1) yes, but soon
<ThomasWaldmann> (except if you want to pull from repository, stuff is
fixed there, but we are still testing, translators might need a bit to
finish translation)
<ThomasWaldmann> 2) it's not just a single patch, it is quite much, you
don't want to apply them manually. if you need it now, do a repo
checkout and you'll have 1.9.2pre kind of
<ThomasWaldmann> and I am intentionally being rather vague on that page
and not (yet?) linking to changesets, because disclosing too much info
is dangerous for unpatched sites
<ThomasWaldmann> 1.9.2 planned in about 1 or 2 weeks

-- John




Bug Marked as found in versions moin/1.7.1-3+lenny2. Request was from John Goerzen <jgoerzen@complete.org> to control@bugs.debian.org. (Mon, 15 Feb 2010 15:39:04 GMT) Full text and rfc822 format available.

Bug Marked as found in versions moin/1.9.1-1. Request was from John Goerzen <jgoerzen@complete.org> to control@bugs.debian.org. (Mon, 15 Feb 2010 15:39:05 GMT) Full text and rfc822 format available.

Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Mon, 01 Mar 2010 22:51:19 GMT) Full text and rfc822 format available.

Notification sent to John Goerzen <jgoerzen@complete.org>:
Bug acknowledged by developer. (Mon, 01 Mar 2010 22:51:20 GMT) Full text and rfc822 format available.

Message #19 received at 569975-close@bugs.debian.org (full text, mbox):

From: Jonas Smedegaard <dr@jones.dk>
To: 569975-close@bugs.debian.org
Subject: Bug#569975: fixed in moin 1.9.2-1
Date: Mon, 01 Mar 2010 22:47:27 +0000
Source: moin
Source-Version: 1.9.2-1

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.9.2-1.debian.tar.gz
  to main/m/moin/moin_1.9.2-1.debian.tar.gz
moin_1.9.2-1.dsc
  to main/m/moin/moin_1.9.2-1.dsc
moin_1.9.2.orig.tar.gz
  to main/m/moin/moin_1.9.2.orig.tar.gz
python-moinmoin_1.9.2-1_all.deb
  to main/m/moin/python-moinmoin_1.9.2-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 569975@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Mon, 01 Mar 2010 23:23:11 +0100
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.9.2-1
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 python-moinmoin - Python clone of WikiWiki - library
Closes: 559896 560172 567129 569975 571016
Changes: 
 moin (1.9.2-1) unstable; urgency=low
 .
   [ Frank Lin PIAT ]
   * New upstream release.
     + Fix broken with python-werkzeug 0.6-1, Closes: #571016
     + Fix CVE-2010-0668 and CVE-2010-0669, Closes: #569975
     + Fix action=diff Exception if a page doesn't exist/has no editlog,
       Closes: #567129
     + Fix incompatibility with old style configuration "cookie_lifetime = 1"
       Closes: #560172
     + Improve documentation of farmconfig.py, Closes: #559896
 .
   [ Jonas Smedegaard ]
   * Drop old conflicts/replaces needed for Etch transition.
   * Update copyright file:
     + Comma-separate files
     + merge some debian entries
     + bump some years
     + Add leading ./ to files
     + Improve wording of X-Copyright-Comment stanza
     + Use Maintainer stanza (not Contact)
     + Use Expat (not other-MIT) as license short-name
     + Fix GPL licenses to include verbatim license text, disclaimer and
       reference to FSF
     + Merge license other-ModifiedBSD with virtually identical other-
       ModifiedBSD-contributors
     + Declare copyright conformant with DEP5 rev. 135
   * Bump copyright years and add Frank Lin as owner in rules file.
   * Refer to FSF website (not postal address) in rules file header.
   * Drop DEB_AUTO_UPDATE_DEBIAN_CONTROL handling from rules file
     (included in main cdbs since 0.4.67). Drop now unneeded lintian-
     overrides.
   * Stop build-depending on (yet) unused help2man.
   * Simplify installation of desktop edition (both ours and that of the
     local user).
   * Drop workaround rules for cruft no longer shipped upstream.
   * Ensure variable-expanded files are not accidentally copyright-
     checked (double-colon rules may run in parallel).
   * Drop local CDBS snippets copyright-check.mk and buildinfo.mk,
     included with cdbs since 0.4.67.
     Tighten build-dependency on cdbs to versions providing the snippets.
   * Improve package-relationships.mk to strip unversioned build-
     dependency following same versioned.
   * Use source format "3.0 'quilt'":
     + Add format hint to source
     + Update README.source
     + Stop including patchsys-quilt.mk
     + Stop build-depending on quilt or patchutils
   * Drop local CDBS snippet python-distutils.mk, cdbs now mature enough.
     Relax build-dependencies on python-dev and python-support.
Checksums-Sha1: 
 0ab4a1e45d41ed4e4925f12f4e76d08063ef10eb 1234 moin_1.9.2-1.dsc
 fec7131ac679be160b8ff27a6ad1a74b6208bd3b 30111807 moin_1.9.2.orig.tar.gz
 d83bf5ea3233c6f8f1a322e977b8a0ebe9c311f7 116090 moin_1.9.2-1.debian.tar.gz
 bff71403e58c1bc53e5a099d36606d3b8a77523f 14601864 python-moinmoin_1.9.2-1_all.deb
Checksums-Sha256: 
 5c505380278a9d358438ac7a0f5d61d66a5004a6afe8d634ca88a7b6ea5c657d 1234 moin_1.9.2-1.dsc
 d6866c17a9952edd55a6d718b516382836b2410b5989ae8f324f8bc5fdd678e1 30111807 moin_1.9.2.orig.tar.gz
 f913ddf963e0efc9146070dd5317564e84c369fcdb869396274758a79a786ea1 116090 moin_1.9.2-1.debian.tar.gz
 67e725ab086d692cf842816a76ded66889be9ea71de984a40e424fcf148a5cc9 14601864 python-moinmoin_1.9.2-1_all.deb
Files: 
 436ffc4954996c7192aa1eee54aaf2cb 1234 net optional moin_1.9.2-1.dsc
 e464c474c3a56c803dc553b8ca13c37f 30111807 net optional moin_1.9.2.orig.tar.gz
 5d06da0867430b0923e5d03b6c529cd5 116090 net optional moin_1.9.2-1.debian.tar.gz
 a3b6c2cfcd9e66dad8dcfa38c591e366 14601864 python optional python-moinmoin_1.9.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAkuMQEkACgkQn7DbMsAkQLiq8gCgmWLCwYYEPHfU0GEMjXd1WWGq
nKwAoI5/ExaJeGw6Rw02g08jihop3+CB
=SI/g
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Fri, 12 Mar 2010 13:57:11 GMT) Full text and rfc822 format available.

Notification sent to John Goerzen <jgoerzen@complete.org>:
Bug acknowledged by developer. (Fri, 12 Mar 2010 13:57:11 GMT) Full text and rfc822 format available.

Message #24 received at 569975-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 569975-close@bugs.debian.org
Subject: Bug#569975: fixed in moin 1.7.1-3+lenny3
Date: Fri, 12 Mar 2010 13:52:40 +0000
Source: moin
Source-Version: 1.7.1-3+lenny3

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.7.1-3+lenny3.diff.gz
  to main/m/moin/moin_1.7.1-3+lenny3.diff.gz
moin_1.7.1-3+lenny3.dsc
  to main/m/moin/moin_1.7.1-3+lenny3.dsc
python-moinmoin_1.7.1-3+lenny3_all.deb
  to main/m/moin/python-moinmoin_1.7.1-3+lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 569975@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 11 Mar 2010 23:09:05 +0100
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.7.1-3+lenny3
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 python-moinmoin - Python clone of WikiWiki - library
Closes: 569975
Changes: 
 moin (1.7.1-3+lenny3) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2010-0668: Multiple security issue related to configurations that
     have a non-empty superuser list, the xmlrpc action enabled, the SyncPages
     action enabled, or OpenID configured. (Closes: #569975)
   * Fixed CVE-2010-0669: MoinMoin does not properly sanitize user profiles
   * Fixed CVE-2010-0717: The default configuration of
     cfg.packagepages_actions_excluded does not prevent unsafe package actions
   * hierarchical ACL security fix: error when processing hierarchical ACLs,
     which can be exploited to access restricted sub-pages.
Checksums-Sha1: 
 b38a7db1a28783271eb8aab3b87b149396340ada 1259 moin_1.7.1-3+lenny3.dsc
 e8a9216e5e3a479ec724df147928ef9bed72c494 89391 moin_1.7.1-3+lenny3.diff.gz
 4684e8e06a0387caddc30cfb820f71946f44cebb 4510584 python-moinmoin_1.7.1-3+lenny3_all.deb
Checksums-Sha256: 
 adf6f2e99c531ec0c775b09da396db36c871a14e7b9a480ff8a7f6ff1d2342d1 1259 moin_1.7.1-3+lenny3.dsc
 0bbbe860209eda16de306bd9cd062cb4f758cf336410680769efcbf872caca2b 89391 moin_1.7.1-3+lenny3.diff.gz
 4234eb2594a0a4b6ee5f30a8e374d92740c2ae5f4f13a50e602c2e5b59c6a8f2 4510584 python-moinmoin_1.7.1-3+lenny3_all.deb
Files: 
 66683a3699687a13f1d814e24bc46dbd 1259 net optional moin_1.7.1-3+lenny3.dsc
 38256114fbb76fcb388ce5ca148acbac 89391 net optional moin_1.7.1-3+lenny3.diff.gz
 a9440eb4eccc639f5dc1c7e2f27a9857 4510584 python optional python-moinmoin_1.7.1-3+lenny3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuaAbMACgkQNxpp46476ap5TgCghZvI1nIomv9SBsl6yzBkRC2p
EmcAoIERWqAP94z57o3tg2ZpJ2bQ7Hv3
=xOG/
-----END PGP SIGNATURE-----





Bug Marked as found in versions moin/1.5.3-1.2. Request was from Frank Lin PIAT <fpiat@klabs.be> to control@bugs.debian.org. (Wed, 31 Mar 2010 22:51:09 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:41:16 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:26:21 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.