Upstream MoinMoin version 1.6.3 fixed an issue with processing of hierarchic ACLs. Real security implications seem unclear from upstream notes.

References:
http://moinmo.in/SecurityFixes
http://moinmo.in/MoinMoinBugs/AclHierarchicPageAclSupercededByAclRightsAfter

Upstream fix:
http://hg.moinmo.in/moin/1.6/rev/543ae9bdbe26
http://hg.moinmo.in/moin/1.7/rev/88356b3f849a
From moin 1.6.3 changelog:

* Security fix: if acl_hierarchic=True was used (False is the default), ACL processing was wrong for some cases, see MoinMoinBugs/AclHierarchicPageAclSupercededByAclRightsAfter
Matthias, do you know if this affects 1.5.x as well?
CVE-2008-6603: MoinMoin 1.6.2 and 1.7 do not properly enforce ACL checks when acl_hierarchic is set to True, which might allow remote attackers to bypass intended access restrictions, a different vulnerability than CVE-2008-1937.
(In reply to comment #2)
> Matthias, do you know if this affects 1.5.x as well?

Replying as I'm the new moin maintainer. There are no hierarchic ACLs in 1.5, which means EL-4 and EL-5 with 1.5.9 shouldn't be affected.
And F-9 and F-9 already have 1.6.3, so this should be fixed there.
Yeah, thank you!