CVE-2009-2737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2737): The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1, 1.4 through 1.4.6, and possibly other versions does not properly check permissions, which allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class, as demonstrated by editing all queries, modifying settings, and adding roles to users.
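The flaw class in the description above is a bulk-edit action that tests the caller's permission once per class and then writes to every item the submitted CSV names, so a user whose Edit right is scoped to (say) their own items can overwrite anyone's items in that class. The following stand-alone model shows that pattern beside a per-item check. It is an added illustration, not Roundup's cgi/actions.py, and its permission rules, item store and helper names (ACL, has_class_permission, has_item_permission, edit_csv_vulnerable, edit_csv_fixed) are constructed for the example.

```python
import copy


class PermissionDenied(Exception):
    pass


# Constructed ACL: (classname, permission, check). A check of None grants the
# permission on every item; a callable (userid, item) -> bool scopes it.
# Here "Edit" on queries is limited to the query's creator (an "own items
# only" rule); "Create" is unrestricted.
ACL = [
    ("query", "Edit", lambda uid, item: item["creator"] == uid),
    ("query", "Create", None),
]


def has_class_permission(userid, klass, perm):
    """Class-level test: true if ANY rule grants perm on klass, regardless
    of which items the rule is scoped to. This is the kind of check the
    advisory describes as insufficient."""
    return any(k == klass and p == perm for k, p, _ in ACL)


def has_item_permission(userid, klass, perm, item):
    """Per-item test: the rule must match AND its scope check must pass."""
    return any(
        k == klass and p == perm and (chk is None or chk(userid, item))
        for k, p, chk in ACL
    )


def edit_csv_vulnerable(db, userid, klass, rows):
    """One class-level check, then every row is applied unconditionally."""
    if not (has_class_permission(userid, klass, "Edit")
            or has_class_permission(userid, klass, "Create")):
        raise PermissionDenied(f"{userid} may not edit class {klass}")
    for itemid, changes in rows:
        db[klass].setdefault(itemid, {"creator": userid}).update(changes)


def edit_csv_fixed(db, userid, klass, rows):
    """Check the right permission against each individual item before
    touching it: Edit for existing items, Create for new ones."""
    for itemid, changes in rows:
        if itemid in db[klass]:
            item = db[klass][itemid]
            if not has_item_permission(userid, klass, "Edit", item):
                raise PermissionDenied(f"{userid} may not edit {klass}{itemid}")
            item.update(changes)
        else:
            new_item = {"creator": userid, **changes}
            if not has_item_permission(userid, klass, "Create", new_item):
                raise PermissionDenied(f"{userid} may not create {klass} items")
            db[klass][itemid] = new_item


def sample_db():
    # Constructed data: two saved queries owned by different users.
    return {"query": {
        "1": {"creator": "alice", "name": "alice's open bugs"},
        "2": {"creator": "bob", "name": "bob's open bugs"},
    }}


def demo():
    """Returns (name of bob's query after the vulnerable edit,
    whether the fixed handler refused the same edit,
    whether the fixed handler still lets alice edit her own query)."""
    rows = [("2", {"name": "hijacked by alice"})]

    db = sample_db()
    edit_csv_vulnerable(db, "alice", "query", rows)  # alice overwrites bob's item
    hijacked_name = db["query"]["2"]["name"]

    db = sample_db()
    try:
        edit_csv_fixed(db, "alice", "query", rows)
        refused = False
    except PermissionDenied:
        refused = True

    db = sample_db()
    edit_csv_fixed(db, "alice", "query", [("1", {"name": "renamed"})])
    own_edit_ok = db["query"]["1"]["name"] == "renamed"
    return hijacked_name, refused, own_edit_ok


if __name__ == "__main__":
    print(demo())
```

The per-item version also distinguishes Create from Edit: a user allowed only to create items in a class gains no right to rewrite existing ones, which is exactly the boundary a single class-level "edit or create" test collapses.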
Please remove versions <= 1.4.16. Investigation needed for 1.4.18.
Upstream: http://issues.roundup-tracker.org/issue2550521 The method was rewritten in 1.4.8, 1.4.6 needs the (one-word) patch.
GLSA vote: no.
GLSA Vote: no too, closing.