Date: Wed, 5 Sep 2012 18:00:28 +0400 (MSK) From: Eygene Ryabinkin <rea@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/171346: [vuln][patch] www/moinmoin: fix CVE-2012-4404 Message-ID: <20120905140028.951FEDA81F@void.codelabs.ru> Resent-Message-ID: <201209051410.q85EA2sX031585@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 171346 >Category: ports >Synopsis: [vuln][patch] www/moinmoin: fix CVE-2012-4404 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Sep 05 14:10:02 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 10.0-CURRENT amd64 >Organization: Code Labs >Environment: System: FreeBSD 10.0-CURRENT amd64 >Description: Vulnerability affecting MoinMoin 1.9 up to (and including) 1.9.4 was recently found and fixed: http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16 >How-To-Repeat: Look at the above URLs. Try to create the group with "All" string in its name, restrict page's access rights like {{{ #acl AllGoodPersonsGroup:read all: }}} and visit the page under user who isn't in the AllGoodPersonsGroup. The page should be visible to that user. >Fix: The patch at http://codelabs.ru/fbsd/ports/moinmoin/1.9.4-fix-cve-2012-4404.diff applies upstream fix. I had tested it at my Tinderbox and MoinMoin instance: vulnerability was gone. QA page: http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1 If this fix or update to 1.9.5 will be committed, one should use {{{ Security: http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html }}} in the commit message. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120905140028.951FEDA81F>