Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 57913 - net-www/moinmoin 1.2.3 - major security fixes (reloaded :-/)
Summary: net-www/moinmoin 1.2.3 - major security fixes (reloaded :-/)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Highest minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
: 59338 (view as bug list)
Depends on: 58381
Blocks:
  Show dependency tree
 
Reported: 2004-07-21 16:40 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2004-07-21 16:40:38 UTC
This release fixes 2 security critical bugs: one when using ACLs and one when not using ACLs at all (so you really want to upgrade in any case). It also fixes some minor bugs.

Changelog: https://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801
(can't reach sf.net atm though)
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-07-22 02:36:30 UTC
From Changelog :

    * reverts done by bots or leechers
      There was a bad, old bug that triggered if you did not use ACLs. In that
      case, moin used some simple (but wrong and incomplete) function to
      determine what a user (or bot) may do or may not do. The function is now
      fixed to allow only read and write to anon users, and only delete and
      revert to known users additionally - and disallow everything else.

    * ACL security fix for PageEditor, thanks to Dr. Pleger for reporting

web-apps or Grant : please bump to 1.2.3
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-08-04 00:33:32 UTC
*** Bug 59338 has been marked as a duplicate of this bug. ***
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2004-08-04 03:30:39 UTC
See bug #58381 for moinmoin-1.2.3.ebuild, updated to use webapp.eclass.
Comment 4 Grant Goodyear (RETIRED) gentoo-dev 2004-08-16 12:14:39 UTC
Fixed, but w/o the webapp rewrite (see note in 58381).
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-16 14:26:49 UTC
Reopening for GLSA

We released a GLSA for version 1.2.2. Security please draft or vote no.

Thx Grant.
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2004-08-27 15:05:10 UTC
1.2.3-r1 is in CVS, rewritten with webapp.eclass. It is ~ on all arches.
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2004-08-27 15:06:03 UTC
And by that I mean ~x86 ~sparc ~amd64 ~ppc, not ALL arches.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-28 15:58:44 UTC
Closed with GLSA 200408-25.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-28 15:59:39 UTC
And now the bug is also closed:-/