Bug 854730 (CVE-2012-4404)
| Field | Value |
|---|---|
| Summary | CVE-2012-4404 moin: Improper ACL rules enforcement due to a bug in the way virtual groups were handled previously during ACL evaluation |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Jan Lieskovsky <jlieskov> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | extras-orphan, imlinux+fedora, ivazqueznet, vpvainio |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2015-07-29 21:36:07 UTC |
| Bug Depends On | 854733, 854739 |

Description
Jan Lieskovsky
2012-09-05 17:06:33 UTC
This issue affects the version of the moin package, as shipped with Fedora releases 16 and 17. Please schedule an update.

Created moin tracking bugs for this issue

Affects: fedora-all [bug 854733]

It actually looks like, despite MoinMoin upstream claiming that versions of moin prior to 1.9 are not affected by this issue:

http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16

this problem also affects the version of the moin package, as shipped with Fedora EPEL 5 (moin-1.5.9-1.el5).

Justification: The ACL rules / code implementation, which now resides in 'security/__init__.py', was previously located in 'moin-1.5.9/MoinMoin/wikiacl.py'. From the 1.9.4 ChangeLog file:

    docs/CHANGES:1879: * Moved wikiacl.py to security/__init__.py.

and the relevant routine in 'wikiacl.py', present in the moin-1.5.9 version, truly resembles the affected code from the 1.9.4 version.

Matthias, could you please check whether the provided testcase (test_security.py) from upstream patch [1] would work (probably after a backport) against the Fedora EPEL 5 moin 1.5.9 based version too?

Thank you, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Created moin tracking bugs for this issue

Affects: epel-5 [bug 854739]

Updates built and submitted for the Fedora versions. The EPEL 5 version is unmaintained; I won't be submitting updates for it.

moin-1.9.4-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

moin-1.9.4-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

moin-1.9.4-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.