Debian Security Advisory

DSA-1754-1 roundup -- insufficient access checks

Date Reported:
09 Apr 2009
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 518768.
More information:

It was discovered that roundup, an issue tracker with a command-line, web and email interface, allows users to edit resources in unauthorized ways, including granting themselves admin rights.

This update introduces stricter access checks, actually enforcing the configured permissions and roles. This means that the configuration may need updating. In addition, user registration via the web interface has been disabled; use the program "roundup-admin" from the command line instead.

For the old stable distribution (etch), this problem has been fixed in version 1.2.1-10+etch1.

For the stable distribution (lenny), this problem has been fixed in version 1.4.4-4+lenny1.

We recommend that you upgrade your roundup package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.