Bug 238077 - www-apps/viewvc-1.0.6 version bump request
Summary: www-apps/viewvc-1.0.6 version bump request
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Web Application Packages Maintainers
URL: http://viewvc.tigris.org/servlets/New...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-19 07:45 UTC by Andrei Ivanov
Modified: 2008-10-11 20:27 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Andrei Ivanov 2008-09-19 07:45:01 UTC
A new release is available, please update.
It even contains a security fix.

Thank you
Comment 1 Wormo (RETIRED) gentoo-dev 2008-09-19 22:16:58 UTC
Thanks for the report, in particular the heads-up about including a security fix -- that was not apparent from the release announcement!
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-20 09:57:24 UTC
  * security fix: ignore arbitrary user-provided MIME types (issue #354)
http://viewvc.tigris.org/issues/show_bug.cgi?id=354

I would not consider this a security issue. It allows an attacker to create a URL setting an arbitrary mime-type on a file in the repository, and entice a user to retrieve that file. This might render the link useless, or at worst case crash the browser. But I do not see how this might result in, say, code execution.
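As an added illustration of the item quoted from the changelog above ("ignore arbitrary user-provided MIME types"), here is example code written for this page, not viewvc's own code, showing the weak pattern beside the hardened one: a checkout-style handler that echoes a client-chosen `content-type` parameter into the response header, versus one that derives the type server-side from the file name only and validates it before use. The `content-type` query-parameter name, the handler shape and the sample paths are assumptions made for the example.

```python
import mimetypes
import re
from urllib.parse import parse_qs

# Constructed example: a minimal "checkout" (raw file download) handler.
# It assumes the request query string and the repository path of the file
# are already available; the parameter name "content-type" is assumed.

DEFAULT_TYPE = "application/octet-stream"

# Minimal media-type shape: type/subtype with optional parameters, no CR/LF,
# so nothing unexpected can end up in the header even from a derived value.
MEDIA_TYPE_RE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(;\s*[\w.-]+=[^;\r\n]+)*$")


def content_type_before(query_string, repo_path):
    """'Before' pattern: whatever the client supplies in ?content-type=
    is used verbatim as the response Content-Type."""
    params = parse_qs(query_string)
    user_type = params.get("content-type", [None])[0]
    if user_type:
        return user_type                      # attacker-controlled value reaches the header
    guessed, _ = mimetypes.guess_type(repo_path)
    return guessed or DEFAULT_TYPE


def content_type_after(query_string, repo_path):
    """'After' pattern: the client parameter is ignored entirely; the type
    is derived from the repository file name and validated before use."""
    guessed, _ = mimetypes.guess_type(repo_path)  # query_string deliberately unused
    ctype = guessed or DEFAULT_TYPE
    if not MEDIA_TYPE_RE.match(ctype):
        ctype = DEFAULT_TYPE                  # fall back rather than emit a malformed header
    return ctype


def checkout_headers(query_string, repo_path, hardened=True):
    """Build the download response headers with either pattern, so the two
    behaviours can be compared on the same request."""
    pick = content_type_after if hardened else content_type_before
    filename = repo_path.rsplit("/", 1)[-1]
    return [
        ("Content-Type", pick(query_string, repo_path)),
        ("Content-Disposition", 'attachment; filename="%s"' % filename),
    ]


if __name__ == "__main__":
    # Same request, both patterns: the hardened handler keeps text/plain
    # for a .txt file regardless of what the query string asks for.
    req = "content-type=text/html"
    for hardened in (False, True):
        print(hardened, checkout_headers(req, "trunk/README.txt", hardened))
```

The point of the second function is that the client has no say in the header at all; validating the derived value is a belt-and-braces step that also covers odd entries in a system `mime.types` file.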
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 15:32:17 UTC
Isn't Denial of Service also security relevant?
CVE-2008-4325
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 15:52:54 UTC
Not if it needs a user's assistance and crashes a client application.
Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev 2008-10-11 20:27:18 UTC
in cvs.