Summary: | <www-apps/viewvc-1.1.3: Security vulnerabilities (CVE-2010-{0004,0005}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Arfrever Frehtes Taifersar Arahesis (RETIRED) <arfrever> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://viewvc.tigris.org/source/browse/viewvc/tags/1.1.3/CHANGES?revision=HEAD | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Arfrever Frehtes Taifersar Arahesis (RETIRED)
2009-12-23 18:51:42 UTC
Stabilize www-apps/viewvc-1.1.3.

sparc/x86 stable

amd64 stable

Marked ppc stable.

CVE-2010-0004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0004): ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.

All arches done, I vote NO.

CVE-2010-0005 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0005): query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.

NO, too. Closing noglsa.