On Wed, 2009-06-24 at 13:29 -0400, Michael S. Gilbert wrote:
> On Sat, 20 Jun 2009 18:15:16 +0200, Frank Lin PIAT wrote:
> > I have analyzed the code, and made some tests. It seems that there is no
> > such "ACL vulnerability". Actually it doesn't even seem to be a bug:
> > The developers seem to have decided to change the behavior of ACLs in
> > moinmoin:
>
> redhat did issue a security update for this one, so you would think
> that there is something to this. however, it is possible that they
> overreacted based on the fact that the commit message says "security."

I couldn't find any such announcement on RedHat/Google. Do you have a pointer?

Fedora[5] and Gentoo[7] have published an updated package for moin 1.8.4 (but Mandriva, OpenSUSE, Redhat[6] and Ubuntu didn't). Secunia has published a note (SA35407, secunia.com/advisories/35407 and SA35502), but the CVE database (http://web.nvd.nist.gov/view/vuln/search) hasn't published any CVE.

> my interpretation is that this fixes some security test cases, but
> doesn't actually fix a security problem itself.

Upstream's changelog for this version (1.8.4) is:
http://hg.moinmo.in/moin/1.8/shortlog/8b78ac8e8007

My understanding is that someone wrote a test [1] that expects a different (better?) behavior than the one vaguely documented in [2]. The maintainers then decided to adjust the behavior [3]. I have updated the documentation [4] to describe the new behavior; the maintainers haven't given any feedback yet.

There is no vulnerability announcement for this bug yet, see:
http://security-tracker.debian.net/tracker/redirect/533673

Thanks,
Franklin

[1] http://hg.moinmo.in/moin/1.8/rev/47c0ada5c1a2
[2] http://master18.moinmo.in/4ct10n/recall/HelpOnAccessControlLists?action=recall&rev=114
[3] http://hg.moinmo.in/moin/1.8/rev/897cdbe9e8f2
[4] http://master18.moinmo.in/4ct10n/info/HelpOnAccessControlLists?action=diff&rev2=115&rev1=114
[5] FEDORA-2009-6559, FEDORA-2009-6557, FEDORA-2009-6576
    https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00775.html
    https://admin.fedoraproject.org/updates/search/moin
[6] https://bugzilla.redhat.com/buglist.cgi?query_format=advanced&bug_status=NEW&bug_status=ASSIGNED&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=FAILS_QA&bug_status=RELEASE_PENDING&bug_status=POST&bug_status=CLOSED&field0-0-0=product&type0-0-0=substring&value0-0-0=moinmoin&field0-0-1=component&type0-0-1=substring&value0-0-1=moinmoin&field0-0-2=short_desc&type0-0-2=substring&value0-0-2=moinmoin&field0-0-3=status_whiteboard&type0-0-3=substring&value0-0-3=moinmoin&field0-0-4=longdesc&type0-0-4=substring&value0-0-4=moinmoin
[7] Gentoo bug 273858: http://bugs.gentoo.org/show_bug.cgi?id=273858

