
Bug 57913

Summary: net-www/moinmoin 1.2.3 - major security fixes (reloaded :-/)
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: g2boojum, web-apps
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 58381    
Bug Blocks:    

Description Carsten Lohrke (RETIRED) gentoo-dev 2004-07-21 16:40:38 UTC
This release fixes 2 security critical bugs: one when using ACLs and one when not using ACLs at all (so you really want to upgrade in any case). It also fixes some minor bugs.

Changelog: https://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801
(can't reach sf.net atm though)
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-07-22 02:36:30 UTC
From Changelog:

    * reverts done by bots or leechers
      There was a bad, old bug that triggered if you did not use ACLs. In that
      case, moin used some simple (but wrong and incomplete) function to
      determine what a user (or bot) may do or may not do. The function is now
      fixed to allow only read and write to anon users, and only delete and
      revert to known users additionally - and disallow everything else.

    * ACL security fix for PageEditor, thanks to Dr. Pleger for reporting

web-apps or Grant : please bump to 1.2.3
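
The non-ACL rule quoted from the changelog above, written out as a default-deny check and applied to a few records. This is an added example, not part of the comment and not MoinMoin's code; the names `may`, `Event`, `denied_events` and the record layout are assumptions made for illustration.

```python
# Added illustration; not MoinMoin source. All names are hypothetical.
from typing import Iterable, List, NamedTuple, Optional

# Rule from the changelog: anonymous users may read and write; known users
# may additionally delete and revert; every other action is refused.
ANON_RIGHTS = frozenset({"read", "write"})
KNOWN_RIGHTS = ANON_RIGHTS | {"delete", "revert"}


def may(user: Optional[str], action: str) -> bool:
    """Default-deny check for a wiki running without ACLs.

    `user` is None or empty for an anonymous visitor or bot.
    Unknown or differently cased action names fall through to False.
    """
    allowed = KNOWN_RIGHTS if user else ANON_RIGHTS
    return action in allowed


class Event(NamedTuple):
    user: Optional[str]
    action: str
    page: str


def denied_events(events: Iterable[Event]) -> List[Event]:
    """Return the events the fixed rule would refuse, e.g. to review
    history written before the upgrade for anonymous reverts."""
    return [e for e in events if not may(e.user, e.action)]


# Constructed sample records (not a real MoinMoin log format).
SAMPLE = [
    Event(None, "read", "FrontPage"),
    Event(None, "write", "WikiSandBox"),
    Event(None, "revert", "FrontPage"),     # anonymous revert
    Event("alice", "revert", "FrontPage"),  # known user, allowed
    Event("alice", "admin", "FrontPage"),   # not in any allow-list
    Event("", "delete", "HelpContents"),    # empty name counts as anonymous
]

if __name__ == "__main__":
    for e in denied_events(SAMPLE):
        print(f"would be denied: user={e.user!r} action={e.action} page={e.page}")
```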
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-08-04 00:33:32 UTC
*** Bug 59338 has been marked as a duplicate of this bug. ***
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2004-08-04 03:30:39 UTC
See bug #58381 for moinmoin-1.2.3.ebuild, updated to use webapp.eclass.
Comment 4 Grant Goodyear (RETIRED) gentoo-dev 2004-08-16 12:14:39 UTC
Fixed, but w/o the webapp rewrite (see note in 58381).
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-16 14:26:49 UTC
Reopening for GLSA

We released a GLSA for version 1.2.2. Security please draft or vote no.

Thx Grant.
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2004-08-27 15:05:10 UTC
1.2.3-r1 is in CVS, rewritten with webapp.eclass. It is ~ on all arches.
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2004-08-27 15:06:03 UTC
And by that I mean ~x86 ~sparc ~amd64 ~ppc, not ALL arches.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-28 15:58:44 UTC
Closed with GLSA 200408-25.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-28 15:59:39 UTC
And now the bug is also closed:-/