ports/171346: [vuln][patch] www/moinmoin: fix CVE-2012-4404
Eygene Ryabinkin
rea at FreeBSD.org
Wed Sep 5 14:10:02 UTC 2012
>Number: 171346
>Category: ports
>Synopsis: [vuln][patch] www/moinmoin: fix CVE-2012-4404
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 05 14:10:02 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 10.0-CURRENT amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 10.0-CURRENT amd64
>Description:
Vulnerability affecting MoinMoin 1.9 up to (and including) 1.9.4 was
recently found and fixed:
http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16
>How-To-Repeat:
Look at the above URLs. Try to create the group with "All" string in
its name, restrict page's access rights like
{{{
#acl AllGoodPersonsGroup:read all:
}}}
and visit the page under user who isn't in the AllGoodPersonsGroup. The
page should be visible to that user.
>Fix:
The patch at
http://codelabs.ru/fbsd/ports/moinmoin/1.9.4-fix-cve-2012-4404.diff
applies upstream fix. I had tested it at my Tinderbox and MoinMoin instance:
vulnerability was gone. QA page:
http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1
If this fix or update to 1.9.5 will be committed, one should use
{{{
Security: http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
}}}
in the commit message.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list