Bug 565604 (CVE-2010-0668, CVE-2010-0669, CVE-2010-0717)

Summary: CVE-2010-0668 CVE-2010-0669 CVE-2010-0717 Moin: Security fixes in v1.8.7, v1.9.2
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: matthias, vdanen, vpvainio
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
URL: http://moinmo.in/MoinMoinRelease1.8
Doc Type: Bug Fix
Last Closed: 2010-03-29 08:58:39 UTC

Description Jan Lieskovsky 2010-02-15 18:10:52 UTC
Multiple security issues have been reported in Moin:
  [1] http://moinmo.in/SecurityFixes
  [2] http://secunia.com/advisories/38444/

Upstream Moin v1.8.7 was released:
  [3] http://moinmo.in/

Addressing "major security issues in miscellaneous
parts of moin.":
  [4] http://moinmo.in/MoinMoinRelease1.8
  [5] http://hg.moinmo.in/moin/1.8/raw-file/1.8.7/docs/CHANGES

CVE Request:
  [6] http://www.openwall.com/lists/oss-security/2010/02/15/2

Other references:
  [7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569975

As mentioned in [7]:
  "<ThomasWaldmann> 2) it's not just a single patch,
   it is quite much, you don't want to apply them
   manually. if you need it now, do a repo checkout
   and you'll have 1.9.2pre kind of"

Comment 1 Jan Lieskovsky 2010-02-15 18:18:10 UTC
These issues affect the versions of the Moin package,
as shipped within Fedora release of 11 and 12. Please
rebase to v1.8.7.

These issues affect the versions of the Moin package,
as present in EPEL-4 and EPEL-5 repositories (see [1]
for list of affected versions of Moin). Please try
to rebase EPEL versions of Moin to v1.8.7 version
too, if possible.

Comment 2 Ville-Pekka Vainio 2010-02-15 22:17:35 UTC
OK, a few points:

1) I'll try to get a 1.8.7 update out in a few days for Fedora 11 and 12.

2) I've orphaned the Moin packages in EPEL, currently those have no maintainer. I'm not interested in trying to do any security fixes for them, 1.5 is not maintained by upstream anymore and the wiki data format is different from 1.8. The EPEL packages are pretty much a security nightmare, but so is trying to release an update to 1.8.7, as that would break all wikis which are possibly still running on the EPEL packages.

3) I won't go hunting for "1.9.2pre" patches from the mercurial repositories. If upstream does not want to disclose any more details on the 1.9.1 vulnerabilities, then I'll just wait for them to release 1.9.2. As 1.9.1 is only in Rawhide, I think (and hope) no one is running production wikis on it yet.

Comment 3 Jan Lieskovsky 2010-02-16 09:45:19 UTC
Hi Ville, 

  thanks for tracking the plan. 

(In reply to comment #2)
> OK, a few points:
> 
> 1) I'll try to get a 1.8.7 update out in a few days for Fedora 11 and 12.

OK.

> 
> 2) I've orphaned the Moin packages in EPEL, currently those have no maintainer.
> I'm not interested in trying to do any security fixes for them, 1.5 is not
> maintained by upstream anymore and the wiki data format is different from 1.8.
> The EPEL packages are pretty much a security nightmare, but so is trying to
> release an update to 1.8.7, as that would break all wikis which are possibly
> still running on the EPEL packages.

OK.

> 
> 3) I won't go hunting for "1.9.2pre" patches from the mercurial repositories.
> If upstream does not want to disclose any more details on the 1.9.1
> vulnerabilities, then I'll just wait for them to release 1.9.2. As 1.9.1 is
> only in Rawhide, I think (and hope) no one is running production wikis on it
> yet.    

Sure, no point in searching for relevant concrete patches, 
better to upgrade in Rawhide to 1.9.2, once it is released.

Thanks, Jan.

Comment 4 Fedora Update System 2010-02-18 12:46:35 UTC
moin-1.8.7-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/moin-1.8.7-1.fc12

Comment 5 Fedora Update System 2010-02-18 12:47:54 UTC
moin-1.8.7-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/moin-1.8.7-1.fc11

Comment 6 Fedora Update System 2010-02-20 00:15:49 UTC
moin-1.8.7-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-02-20 00:30:07 UTC
moin-1.8.7-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-03-01 08:31:00 UTC
moin-1.9.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/moin-1.9.2-1.fc13

Comment 9 Vincent Danen 2010-03-02 16:11:21 UTC
For completeness, 1.9.2 is released and fixes CVE-2010-0668, CVE-2010-0669 and CVE-2010-0717:

http://hg.moinmo.in/moin/1.9/raw-file/1.9.2/docs/CHANGES

I see from the above it has already been submitted as an update for Fedora 13.  Thank you.
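
The comments above leave a packager or wiki admin with one practical question: is the moin build on a given host older than the fixed release on its branch (1.8.7 for 1.8.x per comment 1, 1.9.2 for 1.9.x per comment 9)? The following is an added example for that check; it is not code from this bug report or from MoinMoin. It assumes that any release before the fixed release on its branch is affected, that the pre-release checkouts mentioned in the description ("1.9.2pre") do not count as fixed, that branches older than 1.8 with no fix named here (the 1.5.x EPEL packages from comments 1 and 2) are affected, and that branches newer than 1.9 postdate the fix. The sample inventory is constructed for the example.

```python
"""Branch-aware fixed-version check for the MoinMoin fixes tracked in this bug.

Added example, not part of the bug report or of MoinMoin itself.
Assumptions: the only fixed releases named on this page are 1.8.7 (1.8
branch) and 1.9.2 (1.9 branch); anything older on those branches, and any
release on an older branch with no fix named here (e.g. the orphaned 1.5.x
EPEL packages), is treated as affected.
"""
import re

# Fixed releases named in this bug, keyed by (major, minor) branch.
FIXED = {
    (1, 8): (1, 8, 7),
    (1, 9): (1, 9, 2),
}

# Constructed sample inventory (host -> installed package/version string).
SAMPLE_INVENTORY = {
    "wiki-f11": "moin-1.8.5-1.fc11",
    "wiki-f12": "moin-1.8.7-1.fc12",
    "wiki-rawhide": "moin-1.9.1-1.fc13",
    "wiki-el5": "moin-1.5.9-1.el5",
}


def parse_version(s):
    """Return (major, minor, patch, is_prerelease) from a moin version string.

    Accepts forms such as "1.8.7", "1.9.2pre", "moin-1.8.7-1.fc12" and
    "MoinMoin 1.9.1". A pre-release suffix (pre/rc/a/b) marks a build that
    predates the final release of that number, so it never counts as fixed.
    """
    m = re.search(r'(\d+)\.(\d+)(?:\.(\d+))?(pre|rc\d*|b\d*|a\d*)?', s)
    if not m:
        raise ValueError("no version number found in %r" % s)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    prerelease = m.group(4) is not None
    return (major, minor, patch, prerelease)


def is_affected(s):
    """True if the version predates the fixed release on its branch."""
    major, minor, patch, prerelease = parse_version(s)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Older branch with no fixed release named here (e.g. 1.5.x in EPEL):
        # treat as affected. Branches newer than any listed are assumed to
        # postdate the fix (assumption, not stated on the page).
        return (major, minor) < min(FIXED)
    if (major, minor, patch) < fixed:
        return True
    if (major, minor, patch) == fixed and prerelease:
        return True  # e.g. "1.9.2pre": a repo checkout before 1.9.2 shipped
    return False


def hosts_needing_rebase(inventory):
    """Return the sorted hosts whose installed moin is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in hosts_needing_rebase(SAMPLE_INVENTORY):
        print("%s: %s needs rebase" % (host, SAMPLE_INVENTORY[host]))
```

Feeding it real data is a matter of replacing the constructed inventory with the output of `rpm -q moin` collected from each host; the branch table is the only thing to extend if upstream names further fixed releases.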

Comment 10 Fedora Update System 2010-03-10 06:43:39 UTC
moin-1.9.2-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.