Control: tag -1 pending

On Mon, Sep 02, 2013 at 12:19:01AM +0200, Salvatore Bonaccorso wrote:
>Package: python-moinmoin
>Version: 1.9.4-8+deb7u1
>Severity: normal
>Tags: upstream patch
>Control: found -1 1.9.5-5
>
>Hi Steve,
>
>We found to be affected by [1] at our workplace, which could in
>principle be used to mount a minor denial of service attack on
>moinmoin pages for users e.g. having an inode quota set (or in worst
>case fill space in general, depending on protection for wiki
>instance):
>
>"An attempt by an unauthorized user to create a page fails when they
>attempt to edit it, but leaves a junk directory behind in data/pages.
>It appears that the ACL is not checked at page creation time."
>
>I can confirm this behaviour: In both cases if
>
> - a user with no write permissions tries creating a new page
> - a user with write permissions cancels creating a new page
>
>a data/pages/foo directory with an empty edit-log is created,
>confirmed both for wheezy and unstable (squeeze not tested).
>
>Upstream patch at [2] solves this problem.

I've got a new 1.9.7-1 package built locally including this patch. I'm
testing it now, hopefully ready to upload tomorrow.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
  Getting a SCSI chain working is perfectly simple if you remember that there
  must be exactly three terminations: one on one end of the cable, one on the
  far end, and the goat, terminated over the SCSI chain with a silver-handled
  knife whilst burning *black* candles. --- Anthony DeBoer
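
The report above describes leftover data/pages/foo directories holding only an empty edit-log. The following is an added example, not part of the original mail or of MoinMoin: a read-only check that lists such directories so an admin can audit an affected instance. It assumes a junk directory contains nothing but that empty edit-log; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def find_junk_page_dirs(pages_dir):
    """Return sorted names of page dirs that hold only an empty edit-log."""
    junk = []
    for entry in os.scandir(pages_dir):
        if not entry.is_dir(follow_symlinks=False):
            continue  # stray files or symlinks in data/pages are not pages
        if os.listdir(entry.path) != ["edit-log"]:
            continue  # revisions, attachments etc. present: treat as real
        log = os.path.join(entry.path, "edit-log")
        if os.path.islink(log) or not os.path.isfile(log):
            continue
        if os.path.getsize(log) == 0:
            junk.append(entry.name)
    return sorted(junk)

def build_sample_tree(root):
    """Create a constructed data/pages layout for the demo; return its path."""
    pages = os.path.join(root, "data", "pages")
    # A real page: non-empty edit-log plus a revisions directory.
    os.makedirs(os.path.join(pages, "FrontPage", "revisions"))
    with open(os.path.join(pages, "FrontPage", "edit-log"), "w") as f:
        f.write("constructed log line\n")
    # Two leftovers as described in the report: empty edit-log, nothing else.
    for name in ("foo", "bar"):
        os.makedirs(os.path.join(pages, name))
        open(os.path.join(pages, name, "edit-log"), "w").close()
    # Empty edit-log but with attachments: not reported, to stay conservative.
    os.makedirs(os.path.join(pages, "WithFiles", "attachments"))
    open(os.path.join(pages, "WithFiles", "edit-log"), "w").close()
    # A completely empty directory does not match the described pattern.
    os.makedirs(os.path.join(pages, "EmptyDir"))
    return pages

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name in find_junk_page_dirs(build_sample_tree(root)):
            print("junk page directory:", name)
```

The check only reports; a growing count between runs on a wiki without the upstream patch points to the behaviour described in the report.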

