Package: viewvc
Severity: grave
Tags: security
Justification: user security hole
Viewvc 1.0.5 fixes several security issues:
* security fix: omit commits of all-forbidden files from query results
* security fix: disallow direct URL navigation to hidden CVSROOT folder
* security fix: strip forbidden paths from revision view
* security fix: don't traverse log history thru forbidden locations
* security fix: honor forbiddenness via diff view path parameters
Please mention the following CVE IDs when fixing this:
CVE-2008-1290 - list CVS or SVN commits on "all-forbidden" files
CVE-2008-1291 - directly access hidden CVSROOT folders
CVE-2008-1292 - expose restricted content via the revision view, the log history, or the diff view
Cheers,
Moritz
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
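The five fixes above share one root cause: the "forbidden path" authorization check was applied at some views but not at every entry point that can reveal repository content (query results, direct URL navigation, the revision view, log-history traversal, and the path parameters of the diff view). The following model, added here as an illustration and not taken from ViewVC or from the bug report, shows the defensive pattern of routing every such entry point through a single predicate. The configuration names (FORBIDDEN_MODULES, HIDDEN_DIRS), the function names, and the sample commits and history chain are constructed for the example.

```python
"""Model of the authorization checks described in the ViewVC 1.0.5 changelog:
one central "forbidden path" predicate applied at every view that can expose
repository content. Constructed example; this is not ViewVC's own code.
"""
import posixpath

# Constructed configuration: top-level modules hidden from this user, and the
# CVS administrative directory that must never be browsed directly.
FORBIDDEN_MODULES = frozenset({"secret", "hr"})
HIDDEN_DIRS = frozenset({"CVSROOT"})


def normalize(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes so a check on the first
    component cannot be bypassed with 'public/../secret/file'."""
    return posixpath.normpath("/" + path.strip("/")).lstrip("/")


def is_forbidden(path: str) -> bool:
    """Central predicate: a path is forbidden if its top-level module is
    hidden or if any component names a hidden administrative directory."""
    norm = normalize(path)
    if norm in ("", "."):
        return False  # repository root itself is browsable
    parts = norm.split("/")
    if parts[0] in FORBIDDEN_MODULES:
        return True
    return any(p in HIDDEN_DIRS for p in parts)


# CVE-2008-1290: query results must omit commits whose files are all forbidden,
# and show only the permitted files of mixed commits.
def filter_query_results(commits):
    visible = []
    for commit in commits:
        allowed = [f for f in commit["files"] if not is_forbidden(f)]
        if allowed:
            visible.append({"rev": commit["rev"], "files": allowed})
    return visible


# CVE-2008-1291: a direct URL to CVSROOT (or anything beneath it) is refused.
def authorize_browse(path: str) -> bool:
    return not is_forbidden(path)


# CVE-2008-1292 (revision view): strip forbidden paths from the changed list.
def filter_revision_view(changed_paths):
    return [p for p in changed_paths if not is_forbidden(p)]


# CVE-2008-1292 (log view): stop following history once it passes through a
# forbidden location, e.g. a file copied or renamed out of a hidden module.
def visible_log_history(history):
    """history: list of (path, rev) pairs, newest first, following the
    copy/rename chain backwards in time."""
    out = []
    for path, rev in history:
        if is_forbidden(path):
            break  # everything older than this point lives in a hidden module
        out.append((path, rev))
    return out


# CVE-2008-1292 (diff view): both sides named by URL parameters are checked,
# not only the path the request was nominally made against.
def authorize_diff(path1: str, path2: str) -> bool:
    return not (is_forbidden(path1) or is_forbidden(path2))
```

The point of the structure is that each view calls the same `is_forbidden` on every path it is about to disclose, after normalization; a view that checks only its "primary" path parameter, or that trusts un-normalized input, reproduces exactly the class of bug the 1.0.5 release closes.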