Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200803-29 ] ViewVC: Multiple vulnerabilities
Date: Wed, 19 Mar 2008 23:12:03
Message-Id: 47E1991D.2050700@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200803-29
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: ViewVC: Multiple vulnerabilities
9 Date: March 19, 2008
10 Bugs: #212288
11 ID: 200803-29
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple security issues have been reported in ViewVC, which can be
19 exploited by malicious people to bypass certain security restrictions.
20
21 Background
22 ==========
23
24 ViewVC is a browser interface for CVS and Subversion version control
25 repositories.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 www-apps/viewvc < 1.05 >= 1.05
34
35 Description
36 ===========
37
38 Multiple unspecified errors were reportedly fixed by the ViewVC
39 development team.
40
41 Impact
42 ======
43
44 A remote attacker could send a specially crafted URL to the server to
45 list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT
46 folders, and view restricted content via the revision view, the log
47 history, or the diff view.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All ViewVC users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=www-apps/viewvc-1.05"
61
62 References
63 ==========
64
65 [ 1 ] CVE-2008-1290
66 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1290
67 [ 2 ] CVE-2008-1291
68 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1291
69 [ 3 ] CVE-2008-1292
70 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1292
71
72 Availability
73 ============
74
75 This GLSA and any updates to it are available for viewing at
76 the Gentoo Security Website:
77
78 http://security.gentoo.org/glsa/glsa-200803-29.xml
79
80 Concerns?
81 =========
82
83 Security is a primary focus of Gentoo Linux and ensuring the
84 confidentiality and security of our users machines is of utmost
85 importance to us. Any security concerns should be addressed to
86 security@g.o or alternatively, you may file a bug at
87 http://bugs.gentoo.org.
88
89 License
90 =======
91
92 Copyright 2008 Gentoo Foundation, Inc; referenced text
93 belongs to its owner(s).
94
95 The contents of this document are licensed under the
96 Creative Commons - Attribution / Share Alike license.
97
98 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature