Red Hat Bugzilla – Bug 443949
CVE-2008-6603 moin: incorrect processing of hierarchic ACLs
Last modified: 2009-04-16 03:56:50 EDT
Upstream MoinMoin version 1.6.3 fixed an issue with processing of hierarchic
ACLs. Real security implications seem unclear from upstream notes.
From moin 1.6.3 changelog:
* Security fix: if acl_hierarchic=True was used (False is the default),
ACL processing was wrong for some cases, see
Matthias, do you know if this affects 1.5.x as well?
MoinMoin 1.6.2 and 1.7 do not properly enforce ACL checks when
acl_hierarchic is set to True, which might allow remote attackers to
bypass intended access restrictions, a different vulnerability than
(In reply to comment #2)
> Matthias, do you know if this affects 1.5.x as well?
Replying as I'm the new moin maintainer. There are no hierarchic ACLs in 1.5 which means EL-4 and EL-5 with 1.5.9 shouldn't be affected.
And F-9 and F-9 already have 1.6.3, so this should be fixed there.
Yeah, thank you!