From ${URL}: An information leak in roundup, allowing authenticated attackers to see sensitive details about other users, including their hashed password. External Reference: http://www.roundup-tracker.org/docs/upgrading.html#user-data-visibility @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Per the CVE: "schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details." @maintainer(s), please bump the package to >=www-apps/roundup-1.5.1. Additional Python notes from upstream: "**IMPORTANT** The v1.5.x releases of Roundup were the last to support Python v2.5. Support for Python v2.5 is dropped starting with the v1.6.x releases of Roundup, at which point either Python v2.6 or v2.7 is required to run those releases of Roundup."
No rdeps... I figured this would be a popular one, but apparently not.
Treeclean then? If so, I'd rather do it today, and get rid of it along with distutils.eclass 30 days from now.
(In reply to Michał Górny from comment #3)
> Treeclean then? If so, I'd rather do it today, and get rid of it along with
> distutils.eclass 30 days from now.
Yes, please proceed. Maybe someone who cares will respond when the mask appears...
# Thomas Deutschmann <whissi@gentoo.org> (17 Feb 2017)
# Unpatched security vulnerability per bug #576868
# Removal in 30 days.
www-apps/roundup
Indeed I care about it. I have two installations running it. I'm going to work on bumping to 1.5.1.
Bumped to 1.5.1
Stabilization requested at #593182
What should I do to remove the mask? There is a stable request at bug #593182, but it seems to conflict with the package mask. Isn't the security team allowed to stabilize in such a case?
To my knowledge, the mask was removed last month via https://gitweb.gentoo.org/repo/gentoo.git/commit/profiles/package.mask?id=f53a7d174f5bd8c52d865678c7348fc8b30a7468:

# emerge --info | grep -i timestam
Timestamp of repository gentoo: Sun, 16 Apr 2017 05:03:19 +0000

# eshowkw roundup
Keywords for www-apps/roundup:
      |                                 |   u   |
      | a a         p s   a     n r     |   n   |
      | l m   h i   p p   r m m i i s   | e u s | r
      | p d a p a p c a x m i 6 o s 3   | a s l | e
      | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p
      | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o
------+---------------------------------+-------+-------
1.5.1 | o ~ o o o + o ~ ~ o o o o o o o | 6 o 0 | gentoo

Ignore the result from https://packages.gentoo.org/packages/www-apps/roundup -- the web application is known for showing invalid and/or outdated information.
GLSA Vote: No. Package has a stable call in another bug and no vulnerable versions remain.