Debian DSA-1514-1 : moin - several vulnerabilities

medium Nessus Plugin ID 31425

Synopsis

The remote Debian host is missing a security-related update.

Description

Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2007-2423 A cross-site-scripting vulnerability has been discovered in attachment handling.

- CVE-2007-2637 Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure.

- CVE-2008-0780 A cross-site-scripting vulnerability has been discovered in the login code.

- CVE-2008-0781 A cross-site-scripting vulnerability has been discovered in attachment handling.

- CVE-2008-0782 A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files.

- CVE-2008-1098 Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages.

- CVE-2008-1099 The macro code validates access control lists insufficiently, which could lead to information disclosure.

Solution

Upgrade the moin package.

For the stable distribution (etch), these problems have been fixed in version 1.5.3-1.2etch1. This update also includes a bugfix with respect to the encoding of password reminder mails, which doesn't have security implications.

The old stable distribution (sarge) will not be updated due to the many changes and support for Sarge ending end of this month anyway.
You're advised to upgrade to the stable distribution if you run moinmoin.

See Also

https://security-tracker.debian.org/tracker/CVE-2007-2423

https://security-tracker.debian.org/tracker/CVE-2007-2637

https://security-tracker.debian.org/tracker/CVE-2008-0780

https://security-tracker.debian.org/tracker/CVE-2008-0781

https://security-tracker.debian.org/tracker/CVE-2008-0782

https://security-tracker.debian.org/tracker/CVE-2008-1098

https://security-tracker.debian.org/tracker/CVE-2008-1099

https://www.debian.org/security/2008/dsa-1514

Plugin Details

Severity: Medium

ID: 31425

File Name: debian_DSA-1514.nasl

Version: 1.17

Type: local

Agent: unix

Published: 3/13/2008

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:moin, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 3/9/2008

Reference Information

CVE: CVE-2007-2423, CVE-2007-2637, CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098, CVE-2008-1099

CWE: 22, 264, 79

DSA: 1514