The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.
Created attachment 147233: patch
Maintainers, please provide an updated ebuild.
1.4.4-r1 in cvs
Arches, please test and mark stable www-apps/roundup-1.4.4-r1. Target: "amd64 ppc release sparc x86"
x86 stable
amd64 stable
Sparc stable.
ppc stable
Removed vulnerable version. webapps done.
Time for GLSA decision. I vote YES.
Fixed in release snapshot.
Voting YES and filing request.
GLSA 200805-21