A security issue has been reported in MoinMoin, which can be exploited by malicious users to bypass certain security restrictions.
The security issue is caused by an incorrect evaluation of ACL rules when applied to a group that contains a virtual group (e.g. "All", "Known", or "Trusted"). This can be exploited to obtain incorrectly assigned permissions and access restricted content.
Successful exploitation requires that virtual group members exist within another group.
The security issue is reported in version 1.9.4 and prior.
As a workaround, the vendor recommends applying the patch.
Provided and/or discovered by
Reported by the vendor.
security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle
group names that contain virtual group names such as "All," "Known," or
"Trusted," which allows remote authenticated users with virtual group
membership to be treated as a member of the group.
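
The two descriptions above name the conditions that expose a wiki: a group that contains a virtual group, or a group name that contains a virtual group name. As an added example (not MoinMoin code and not part of the advisory), this Python sketch audits a group-to-members mapping for both conditions and goes one step further by following nested groups; the mapping format, function names, and sample groups are assumptions constructed for illustration.

```python
# Added audit sketch; not MoinMoin code. Group data below is constructed.
VIRTUAL_GROUPS = ("All", "Known", "Trusted")  # names given in the advisory


def virtual_members(group, groups, _seen=None):
    """Return the virtual groups reachable from `group`, following nested groups."""
    seen = _seen if _seen is not None else set()
    if group in seen:  # guard against groups that include each other
        return set()
    seen.add(group)
    found = set()
    for member in groups.get(group, ()):
        if member in VIRTUAL_GROUPS:
            found.add(member)
        elif member in groups:  # member is itself a group: recurse into it
            found |= virtual_members(member, groups, seen)
    return found


def audit(groups):
    """Map each affected group to the reasons it matches the advisory's conditions."""
    report = {}
    for name in sorted(groups):
        reasons = []
        reached = virtual_members(name, groups)
        if reached:
            reasons.append("contains virtual group(s): " + ", ".join(sorted(reached)))
        in_name = [v for v in VIRTUAL_GROUPS if v in name]
        if in_name:
            reasons.append("name contains: " + ", ".join(in_name))
        if reasons:
            report[name] = reasons
    return report


# Constructed sample: group name -> list of members (hypothetical names).
SAMPLE_GROUPS = {
    "AdminGroup": ["AliceSmith", "BobJones"],
    "EditorGroup": ["CarolWhite", "ReviewerGroup"],
    "ReviewerGroup": ["DaveBrown", "Known", "EditorGroup"],
    "AllStaffGroup": ["ErinGreen"],
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_GROUPS).items():
        print(name, "->", "; ".join(reasons))
```

Groups flagged by the audit are the ones whose ACL entries deserve review on installations that have not yet been updated.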
1.9.5 added to CVS which fixes the issue.
Feel free to start the stabilization process to overrule bug #339295.
Arches, please test and mark stable:
Target keywords : "amd64 ppc x86"
x86 done, last arch!
GLSA vote: no.
GLSA Vote: no too. Closing noglsa.