Not sure if you guys want this or not, but I spotted something in the ChangeLog that caught my eye :) Version 1.1.4 (released 10-Mar-2010) * security fix: escape user-provided query form input to avoid XSS attack * fix standalone.py failure (when per-root options aren't used) (issue #445) * fix annotate failure caused by ignored svn_config_dir (issue #447)
@webapps-team: I committed this ebuild because it works for me and there is no change except for it now installs templates-contrib/ too. +*viewvc-1.1.4 (24 Mar 2010) + + 24 Mar 2010; Jeremy Olexa <darkside@gentoo.org> +viewvc-1.1.4.ebuild: + Version bump for bug 309195, fixes possible XSS security attack and now + installs templates-contrib as well + @security team, please advise on urgency of the "security fix" - Thanks.
Jeremy, thanks for the report and the bump. Arches, please test and mark stable: =www-apps/viewvc-1.1.4 Target keywords : "amd64 ppc sparc x86"
x86 stable
amd64 stable
There's been discovered another vulnerability and another version has been released. Remaining arches, please go for bug #312165 instead, thanks.
CVE-2010-0736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0736): Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."
XSS → noglsa.