[Moin-user] *** upcoming 1.6.3 release / major security fix for 1.6.x users ***

Thomas Waldmann tw-public at gmx.de
Sun Apr 20 15:06:46 EDT 2008


Hi,

I just wanted to announce that we are currently in final testing of the
1.6.3 release - after having worked over the weekend to fix some
critical security issues.

If you use a previous 1.6 release, especially if you are using ACLs
(other than for Known: and All:) or if you have a non-empty superuser
list, please follow this advice:

a) clear your superuser list immediately NOW (e.g. in wikiconfig):

   superuser = []

Note: for farm-like setups with config inheritance it might not be
enough to comment it out - it could be set to a non-empty list in a
config you inherit from, so better assign the empty list.

b) if you have very sensitive content in your wiki (e.g. secret stuff
that must not be read by unauthorized people or stuff where write
access is very critical, even if logged), it is suggested that you
either take away the critical access or shut the wiki down until you
have installed the fix.

E.g. if write access is critical, but reading is allowed for everybody:

    acl_rights_before = u"All:read" # everybody can read everything,
                                    # but no one can write

c) You have to restart your web server after making those changes.

d) Watch those pages (if you have an account on the moinmo.in wiki, you
can subscribe to the pages and you will be notified by email when they
are changed):

http://moinmo.in/     <-- used for release announcements

http://moinmo.in/SecurityFixes   <-- for security fix news

e) Download and upgrade to 1.6.3 as soon as it is available. After
installing the 1.6.3 code and restarting your web server (see SystemInfo
page), you can restore your previous acl_rights_* setup and also your
superuser list.
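To check what the steps above actually leave in effect in a farm setup where a wiki config inherits from a shared base, here is an added Python helper (not part of the post or of MoinMoin itself) that walks the config class chain, reports which class sets `superuser`, and parses `acl_rights_before` for any right beyond read; the `FarmBase` and `MyWiki` classes are constructed sample configs.

```python
# Added example (not from the post or MoinMoin): audit the effective
# superuser / acl_rights_before settings of a MoinMoin-style config class,
# following class inheritance the way a farm setup does. FarmBase/MyWiki
# are constructed sample configs; the ACL syntax parsed below is the
# documented MoinMoin form ("Name:right,right" entries, optional +/- prefix).

class FarmBase:
    """Shared base config in a wiki farm (constructed sample)."""
    superuser = [u"AdminUser"]
    acl_rights_before = u"AdminGroup:read,write,delete,revert,admin"

class MyWiki(FarmBase):
    """Per-wiki config; commenting superuser out here is NOT enough."""
    # superuser = [u"AdminUser"]   # commented out, but still inherited
    acl_rights_before = u"All:read"

def setting_origin(config_cls, name):
    """Return (value, name of the class that defines it) via the MRO."""
    for klass in config_cls.__mro__:
        if name in vars(klass):
            return vars(klass)[name], klass.__name__
    return None, None

def acl_grants_beyond_read(acl):
    """Parse an ACL string; return sorted rights other than 'read' it grants."""
    found = set()
    for entry in (acl or u"").split():
        if entry.startswith("-"):       # explicit denial grants nothing
            continue
        if ":" not in entry:
            continue                    # malformed entry, ignore
        _names, rights = entry.lstrip("+").split(":", 1)
        found.update(r for r in rights.split(",") if r and r != "read")
    return sorted(found)

def audit(config_cls):
    """List findings against the emergency settings the advisory asks for."""
    findings = []
    superusers, origin = setting_origin(config_cls, "superuser")
    if superusers:
        findings.append("superuser non-empty, set in %s: %s"
                        % (origin, ", ".join(superusers)))
    acl, origin = setting_origin(config_cls, "acl_rights_before")
    extra = acl_grants_beyond_read(acl)
    if extra:
        findings.append("acl_rights_before grants %s (set in %s)"
                        % (", ".join(extra), origin))
    return findings
```

Running `audit(MyWiki)` shows that the commented-out line in the per-wiki config still leaves `AdminUser` as superuser via `FarmBase`, which is exactly why the post says to assign `superuser = []` explicitly.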

moin 1.5.x is (as far as we know) not affected by this bug, but if you
are still running 1.5.x you should also consider upgrading as 1.5.9 was
the last 1.5.x release and there won't be any updates/fixes for 1.5 any
more.

We are really sorry about this (the code change [it was a fix for
another bug] that caused this looked really harmless, but while fixing
that other bug, it poked an even bigger hole into security in a quite
unexpected way).

Thomas