Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 312165 (CVE-2010-0132) - <www-apps/viewvc-1.1.5: XSS attack (CVE-2010-0132)
Summary: <www-apps/viewvc-1.1.5: XSS attack (CVE-2010-0132)
Status: RESOLVED FIXED
Alias: CVE-2010-0132
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-30 18:38 UTC by Tobias Heinlein (RETIRED)
Modified: 2010-04-17 18:52 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2010-03-30 18:38:01 UTC 
Version 1.1.5 (released 29-Mar-2010)

  * security fix: escape user-provided search_re input to avoid XSS attack
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-30 18:39:16 UTC 
Arches, please test and mark stable:
=www-apps/viewvc-1.1.5
Target keywords : "amd64 ppc sparc x86"
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-31 16:30:29 UTC 
x86 stable
Comment 3 Tiago Cunha (RETIRED) gentoo-dev 2010-04-03 02:15:46 UTC 
sparc stable
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 04:04:23 UTC 
CVE-2010-0132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0132):
  Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5
  and 1.0 before 1.0.11, when the regular expression search
  functionality is enabled, allows remote attackers to inject arbitrary
  web script or HTML via vectors related to "search_re input," a
  different vulnerability than CVE-2010-0736.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:01:54 UTC 
CVE-2010-0132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0132):
  Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5
  and 1.0 before 1.0.11, when the regular expression search
  functionality is enabled, allows remote attackers to inject arbitrary
  web script or HTML via vectors related to "search_re input," a
  different vulnerability than CVE-2010-0736.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-04-15 15:34:17 UTC 
ppc done
Comment 7 Markus Meier gentoo-dev 2010-04-15 20:47:50 UTC 
amd64 stable, all arches done.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-17 18:52:09 UTC 
XSS in webapps → NO. Closing.