Description:
A security issue has been reported in MoinMoin, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an incorrect evaluation of ACL rules when applied to a group that contains a virtual group (e.g. "All", "Known", or "Trusted"). This can be exploited to have incorrect permissions assigned and access restricted content.

Successful exploitation requires that virtual group members exist within another group.

The security issue is reported in version 1.9.4 and prior.

Solution:
As a workaround the vendor recommends to apply the patch.
Further details available in Customer Area

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://moinmo.in/SecurityFixes
CVE-2012-4404 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4404): security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.
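An added example, not part of this bug report or of MoinMoin's code: the advisory states that exploitation requires a virtual group to be a member of another group, so this check flags such groups in a map of group definitions, following nested groups as well. The dict input format, the nested-group handling, the function name `virtual_exposure` and the sample group names are assumptions made for illustration.

```python
# Added example: exposure check for groups that list a virtual group as a member.
VIRTUAL_GROUPS = {"All", "Known", "Trusted"}  # virtual group names from the advisory


def virtual_exposure(groups):
    """Map each affected group to the virtual groups reachable through it.

    `groups` maps group name -> iterable of member names (assumed format).
    A member that is itself a key of `groups` is treated as a nested group.
    """
    def reach(name, seen):
        found = set()
        for member in groups.get(name, ()):
            if member in VIRTUAL_GROUPS:
                found.add(member)
            elif member in groups and member not in seen:
                # Follow nested groups; `seen` stops cyclic definitions.
                found |= reach(member, seen | {member})
        return found

    report = {}
    for name in groups:
        hits = reach(name, {name})
        if hits:
            report[name] = sorted(hits)
    return report


# Constructed sample data, not taken from any real wiki.
SAMPLE_GROUPS = {
    "AdminGroup": ["AliceExample", "BobExample"],
    "StaffGroup": ["CarolExample", "Known"],
    "ProjectGroup": ["StaffGroup", "DaveExample"],
    "LoopAGroup": ["LoopBGroup"],
    "LoopBGroup": ["LoopAGroup", "All"],
}

if __name__ == "__main__":
    for group, virtuals in sorted(virtual_exposure(SAMPLE_GROUPS).items()):
        print(f"{group}: contains virtual group(s) {', '.join(virtuals)}")
```

Groups reported here are the ones whose ACL entries should be reviewed on installations still running 1.9.4 or earlier.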
1.9.5 added to CVS which fixes the issue.
Feel free to start the stabilization process to overrule bug #339295.
Arches, please test and mark stable:
=www-apps/moinmoin-1.9.5
Target keywords : "amd64 ppc x86"
amd64 stable
stable ppc
x86 done, last arch!
Thanks, everyone. GLSA vote: no.
GLSA Vote: no too. Closing noglsa.