[Secure-testing-team] Bug#545779: XSS and illegal characters while printing name-value pairs
Steffen Joeris
steffen.joeris at skolelinux.de
Wed Sep 9 06:14:24 UTC 2009
Package: viewvc
Severity: grave
Tags: security patch
Hi
According to upstream:
Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values
http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES
The two upstream patches appear to be:
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2214&r2=2213&pathrev=2214
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2219&r2=2218&pathrev=2219
Could you test the patches and prepare updated packages for unstable/stable?
A CVE id has been requested and we'll forward it to this bug report once it's allocated.
Cheers
Steffen
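The two upstream fixes named in the CHANGES excerpt above are an allow-list check on the 'view' parameter and a refusal to echo parameter names and values that are not well-formed. As an added illustration of that pattern (this is not viewvc's code or the upstream patch; the view names, the regexes and the 400 message are assumptions chosen for the example), the following Python validates the view against a fixed set, rejects parameter names outside a conservative identifier pattern and values containing control characters, and HTML-escapes anything it does render:

```python
import html
import re

# Constructed allow-list of view names (assumption: modelled on the kind of
# 'view' parameter the report mentions; not viewvc's own table).
ALLOWED_VIEWS = frozenset({
    "annotate", "co", "diff", "dir", "log", "markup", "patch", "rev", "roots", "tar",
})

# Parameter names are restricted to a conservative identifier pattern, so a
# name carrying quotes, angle brackets or whitespace is rejected, not echoed.
_PARAM_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Values may not contain control characters (tab, CR and LF excepted).
_BAD_VALUE_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class InvalidRequest(ValueError):
    """Raised when a query parameter fails validation."""


def validate_view(view):
    """Accept only a view name from the allow-list; anything else is an error."""
    if view not in ALLOWED_VIEWS:
        raise InvalidRequest("unknown view")
    return view


def validate_params(params):
    """Return a copy of params, or raise if any name or value is illegal."""
    clean = {}
    for name, value in params.items():
        if not _PARAM_NAME_RE.match(name):
            raise InvalidRequest("illegal parameter name")
        if _BAD_VALUE_RE.search(value):
            raise InvalidRequest("illegal parameter value")
        clean[name] = value
    return clean


def render_hidden_inputs(params):
    """Render validated name/value pairs as hidden inputs, escaping on output."""
    parts = []
    for name, value in validate_params(params).items():
        parts.append('<input type="hidden" name="%s" value="%s" />'
                     % (html.escape(name, quote=True), html.escape(value, quote=True)))
    return "\n".join(parts)


def handle_request(params):
    """Return (view, rendered_params) for a valid request, or (None, message)
    for a 400 response. The message never echoes the rejected input."""
    try:
        view = validate_view(params.get("view", "dir"))
        body = render_hidden_inputs({k: v for k, v in params.items() if k != "view"})
    except InvalidRequest as exc:
        return None, "400 Bad Request: %s" % exc
    return view, body


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one with an unknown view.
    print(handle_request({"view": "log", "path": "trunk/README"}))
    print(handle_request({"view": "nosuchview", "path": "trunk/README"}))
```

The design point is that the two checks are independent: the view allow-list stops an attacker-chosen string from selecting a code path or being reflected, while the name/value validation plus output escaping covers every other pair that the page would otherwise print back verbatim.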