Safety vulnerability ID: 36453
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Moin versions 1.8.7 and 1.9.2 include a fix for CVE-2010-0669: MoinMoin before 1.8.7 and 1.9.x before 1.9.2 does not properly sanitize user profiles, which has unspecified impact and attack vectors.
Latest version: 1.9.11
MoinMoin 1.9.11 is an easy-to-use, full-featured and extensible wiki software package.
Fixes:
* Fixed CVE-2010-0668: major security issues were discovered in misc. parts
of moin.
HINT: if you have removed superuser configuration to work around the issue
(following our security advisory), you may re-add it after installing this
moin release. If you don't need superuser capabilities often, it might be
wise to not have superusers configured all the time, though.
* Fixed CVE-2010-0669: potential security issue due to incomplete user profile
input sanitizing.
* Improved package security: cfg.packagepages_actions_excluded excludes
unsafe or otherwise questionable package actions by default now.
* wiki parser: fixed transclusion of (e.g. video) attachments from other
pages.
* Fixed edit locking for non-logged in editors and cfg.log_remote_addr=False.
* mailimport: fix missing wikiutil import for normalize_pagename
* SubProcess: fix "timeout" AttributeError
* "standalone" wikiserver.py: fixed calling non-existing os.getuid on win32
* HTTPAuth deprecation warning moved from class level to __init__
* Fixed MoinMoinBugs/1.9DiffActionThrowsException.
* Fixed misc. session related problems, avoid unnecessary session file
updates.
* Fix/improve rename-related problems on Win32 (depending on Windows version).
* Fixed spider / user agent detection.
* Make sure to use language_default when language_ignore_browser is set.
* diff action: fix for case when user can't revert page.
* Fix trail size (was off by one).
* Updated bundled flup middleware (upstream repo checkout), avoids
socket.fromfd AttributeError on win32 if cgi is forced, gives helpful
exception msg.
* wikiutil: Fixed required_arg handling (no exception when trying to raise
exception that choice is wrong).
* Do not use MoinMoin.support.* to import 3rd party code, give dist packages
a chance.
* wikiutil.clean_input: avoid crash if it gets str type
* request: fixed for werkzeug 0.6 and 0.5.1 compatibility. Please note that
we didn't do much testing with 0.6 yet. So, if you use 0.6, please do some
testing and provide feedback to us.
* AttachFile._build_filelist: verifies readonly flag for unzip file link
* attachUrl: fix wrongly generated tickets (e.g. for AttachList macro)
* http headers: fix duplicated http headers (e.g. content-type)
New features:
* info action: added pagination ability to revision history viewer.
Use cfg.history_paging = True [default] / False to enable/disable it.
* ldap_login auth: add report_invalid_credentials param to control wrong
credentials error message (this is typically used when using multiple
ldap authenticators).
* Add RenderAsDocbook to actions_excluded if we have no python-xml.
* Upgraded pygments to 1.2.2 (some fixes, some new lexers).
* Text editor: if edit_rows==0 (user profile or config), we dynamically size
the text editor height. This avoids double sliders for the editor page
in most cases.
Other changes:
* New docs/REQUIREMENTS.
* Added a less magic cgi/fcgi driver (moin.fcgi), added fixer middleware
for apache2/win32 to it.