Upstream MoinMoin version 1.6.3 fixed an issue allowing privilege escalation to wiki superuser privileges in certain configs.
References:
http://moinmo.in/SecurityFixes
http://bugs.gentoo.org/show_bug.cgi?id=218752
Upstream fix: http://hg.moinmo.in/moin/1.6/rev/f405012e67af
According to the upstream page, only 1.6.x versions are affected, hence the F9/rawhide packages.
From the moin 1.6.3 changelog:
* Security fix: a check in the user form processing was not working as expected, leading to a major ACL and superuser privilege escalation problem. If you use ACL entries other than "Known:" or "All:" and/or a non-empty superuser list, you need to urgently install this upgrade.
Looks pretty bad. Working on pushing an updated package right now.
CVE-2008-1937: The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges.
Matthias, are you going to request a freeze break for moin-1.6.3-1.fc9 so it gets into F9 final?
I don't know how deep we are in the freeze. If there's still time, feel free to poke rel-eng to get it in if you want (I'll be really short on time for the next few days).
I've taken over as the new moin maintainer. This bug could probably be closed, as 1.6.3 is in F-9 and F-10 now?
Yes, closing this.
(In reply to comment #0)
> According to upstream page, only 1.6.x versions are affected, hence F9/rawhide
> packages.

For full disclosure, I'm not actually certain whether this only affected 1.6 versions. Moin upstream announced this vulnerability on 2008-04-20, but the upstream release of 1.5.9 happened before that, on 2008-03-09, and it was announced to be the final release of the 1.5 series in any case. I've asked the moin developers whether they think 1.5.9 is vulnerable, but they haven't answered yet. Debian doesn't carry a patch for this vulnerability, see <http://patch-tracking.debian.net/package/moin/1.5.3-1.2etch2>, which could imply that this is not a problem on 1.5.9.