This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 565604 (CVE-2010-0668, CVE-2010-0669, CVE-2010-0717)

Summary: CVE-2010-0668 CVE-2010-0669 CVE-2010-0717 Moin: Security fixes in v1.8.7, v1.9.2
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: matthias, vdanen, vpvainio
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://moinmo.in/MoinMoinRelease1.8
Whiteboard: impact=moderate,source=secunia,reported=20100201,public=20100201
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 04:58:39 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Jan Lieskovsky 2010-02-15 13:10:52 EST
Multiple security issues have been reported in Moin:
  [1] http://moinmo.in/SecurityFixes
  [2] http://secunia.com/advisories/38444/

Upstream Moin v1.8.7 version was released:
  [3] http://moinmo.in/

Addressing "major security issues in miscellaneous
parts of moin.":
  [4] http://moinmo.in/MoinMoinRelease1.8
  [5] http://hg.moinmo.in/moin/1.8/raw-file/1.8.7/docs/CHANGES

CVE Request:
  [6] http://www.openwall.com/lists/oss-security/2010/02/15/2

Other references:
  [7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569975

As mentioned in [7]:
  "<ThomasWaldmann> 2) it's not just a single patch,
   it is quite much, you don't want to apply them
   manually. if you need it now, do a repo checkout
   and you'll have 1.9.2pre kind of"
Comment 1 Jan Lieskovsky 2010-02-15 13:18:10 EST
These issues affect the versions of the Moin package,
as shipped within Fedora release of 11 and 12. Please
rebase to v1.8.7.

These issues affect the versions of the Moin package,
as present in EPEL-4 and EPEL-5 repositories (see [1]
for list of affected versions of Moin). Please try
to rebase EPEL versions of Moin to v1.8.7 version
too, if possible.
Comment 2 Ville-Pekka Vainio 2010-02-15 17:17:35 EST
OK, a few points:

1) I'll try to get a 1.8.7 update out in a few days for Fedora 11 and 12.

2) I've orphaned the Moin packages in EPEL, currently those have no maintainer. I'm not interested in trying to do any security fixes for them, 1.5 is not maintained by upstream anymore and the wiki data format is different from 1.8. The EPEL packages are pretty much a security nightmare, but so is trying to release an update to 1.8.7, as that would break all wikis which are possibly still running on the EPEL packages.

3) I won't go hunting for "1.9.2pre" patches from the mercurial repositories. If upstream does not want to disclose any more details on the 1.9.1 vulnerabilities, then I'll just wait for them to release 1.9.2. As 1.9.1 is only in Rawhide, I think (and hope) no one is running production wikis on it yet.
Comment 3 Jan Lieskovsky 2010-02-16 04:45:19 EST
Hi Ville, 

  thanks for tracking the plan. 

(In reply to comment #2)
> OK, a few points:
> 
> 1) I'll try to get a 1.8.7 update out in a few days for Fedora 11 and 12.

OK.

> 
> 2) I've orphaned the Moin packages in EPEL, currently those have no maintainer.
> I'm not interested in trying to do any security fixes for them, 1.5 is not
> maintained by upstream anymore and the wiki data format is different from 1.8.
> The EPEL packages are pretty much a security nightmare, but so is trying to
> release an update to 1.8.7, as that would break all wikis which are possibly
> still running on the EPEL packages.

OK.

> 
> 3) I won't go hunting for "1.9.2pre" patches from the mercurial repositories.
> If upstream does not want to disclose any more details on the 1.9.1
> vulnerabilities, then I'll just wait for them to release 1.9.2. As 1.9.1 is
> only in Rawhide, I think (and hope) no one is running production wikis on it
> yet.    

Sure, no point in searching for relevant concrete patches, 
better to upgrade in Rawhide to 1.9.2, once it is released.

Thanks, Jan.
Comment 4 Fedora Update System 2010-02-18 07:46:35 EST
moin-1.8.7-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/moin-1.8.7-1.fc12
Comment 5 Fedora Update System 2010-02-18 07:47:54 EST
moin-1.8.7-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/moin-1.8.7-1.fc11
Comment 6 Fedora Update System 2010-02-19 19:15:49 EST
moin-1.8.7-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-02-19 19:30:07 EST
moin-1.8.7-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-03-01 03:31:00 EST
moin-1.9.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/moin-1.9.2-1.fc13
Comment 9 Vincent Danen 2010-03-02 11:11:21 EST
For completeness, 1.9.2 is released and fixes CVE-2010-0668, CVE-2010-0669 and CVE-2010-0717:

http://hg.moinmo.in/moin/1.9/raw-file/1.9.2/docs/CHANGES

I see from the above it has already been submitted as an update for Fedora 13.  Thank you.
Comment 10 Fedora Update System 2010-03-10 01:43:39 EST
moin-1.9.2-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.