| Summary: | www-apps/viewvc-1.0.6 version bump request | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Andrei Ivanov <andrei.ivanov> |
| Component: | New packages | Assignee: | Gentoo Web Application Packages Maintainers <web-apps> |
| Status: | RESOLVED FIXED | ||
| Severity: | enhancement | CC: | rbu |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://viewvc.tigris.org/servlets/NewsItemView?newsItemID=2175 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
|
Description
Andrei Ivanov
2008-09-19 07:45:01 UTC
Thanks for the report, in particular the heads-up about including a security fix -- that was not apparent from the release announcement! * security fix: ignore arbitrary user-provided MIME types (issue #354) http://viewvc.tigris.org/issues/show_bug.cgi?id=354 I would not consider this a security issue. It allows an attacker to create a URL setting an arbitrary mime-type on a file in the repository, and entice a user to retrieve that file. This might render the link useless, or at worst case crash the browser. But I do not see how this might result in, say, code execution. Isn't Denail of Service also security relevant? CVE-2008-4325 Not if it needs a user's assistance and crashes a client application. in cvs. |
