Your message dated Sat, 12 Sep 2009 18:53:19 +0200
with message-id <[email protected]>
and subject line This is not a security issue... it isn't even a bug.
has caused the Debian Bug report #533673,
regarding moin: hierarchical ACL vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
533673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533673
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: moin
version: 1.5.3-1.2etch2
severity: important
tags: security , patch

hello,

moin in stable/oldstable has a hierarchical ACL vulnerability.  this
is fixed in upstream 1.8.4, which is already in unstable.  see [1].
please coordinate fixes with the security team.

[1] http://hg.moinmo.in/moin/1.8/rev/897cdbe9e8f2



--- End Message ---
--- Begin Message ---
tags 533673 -security
thanks


There is no evidence that there is actually a security issue. I am
therefore removing the "security" tag, and I am closing this bug.

Clarification:
 - *IF* the supposed "security" bug was actually present, it
   would merely allow someone with edit rights on some wiki pages to
   edit some other pages that he/she isn't supposed to be allowed
   to edit. This bug would only occur if hierarchical ACLs were
   enabled, and improperly used...
   Anyway, there is no evidence of such a bug.
 - My understanding is that upstream have merely changed the behavior
   of ACLs, but they tagged it as a security issue, with no real reasons.
 - FYI, to understand what has changed, read:
   http://master19.moinmo.in/HelpOnAccessControlLists

Regards.

Franklin



--- End Message ---
