| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <www-apps/viewvc-1.1.17: two security flaws fixed in 1.1.15 (CVE-2012-{3356,3357}) | | |
| Product | Gentoo Security | Reporter | the_eccentric |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | web-apps |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://viewvc.tigris.org/issues/show_bug.cgi?id=353 | | |
| Whiteboard | B4 [noglsa] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 440774 | | |
| Bug Blocks | | | |
Description

the_eccentric 2012-07-15 10:34:47 UTC

CVE-2012-3357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3357): The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."

CVE-2012-3356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3356): The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.

Comment 1

web-apps: ping

Comment 2

Please bump for this bug and bug 440774.

Comment 3

Bumped to viewvc-1.1.17. This should also take care of bug 440774.

Comment 4

(In reply to comment #3)
> Bumped to viewvc-1.1.17. This should also take care of bug 440774.

Thanks, Anthony.

Comment 5

GLSA vote: no.

Comment 6

GLSA Vote: no, too.

Comment 7

Closing noglsa.
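The CVE-2012-3357 description above boils down to one missing authorization step: a revision's log message was disclosed after checking only the destination paths of the revision, while the source path of a copy was not consulted. The following is an added illustration of that check, written for this page; it is not ViewVC's code and does not reproduce ViewVC's authz semantics. It assumes a hypothetical longest-prefix authz rule set (`Authz`), a hypothetical revision model (`Revision`, `Change`) and a constructed sample revision, and contrasts a leaky check with one that also verifies copy sources.

```python
"""Illustrative log-message authorization check (hypothetical model, not ViewVC's code).

An authz rule set maps path prefixes to the users allowed to read them.
A revision lists the paths it changed; a path that was copied also
records the path it was copied from.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Change:
    path: str                          # path as it exists after the commit
    copyfrom_path: Optional[str] = None  # set when the path was copied from elsewhere


@dataclass
class Revision:
    number: int
    log_message: str
    changes: List[Change]


class Authz:
    """Longest-matching-prefix rules: prefix -> set of users ('*' = everyone)."""

    def __init__(self, rules: Dict[str, Set[str]]):
        self.rules = rules

    def can_read(self, user: str, path: str) -> bool:
        best = None
        for prefix in self.rules:
            base = prefix.rstrip("/")
            if path == prefix or path.startswith(base + "/"):
                if best is None or len(prefix) > len(best):
                    best = prefix
        if best is None:
            return False  # default deny: no rule covers this path
        allowed = self.rules[best]
        return "*" in allowed or user in allowed


def log_message_leaky(authz: Authz, user: str, rev: Revision) -> Optional[str]:
    """Flawed variant: only destination paths are checked, so a readable path
    copied from an unreadable one still reveals the log message."""
    if all(authz.can_read(user, c.path) for c in rev.changes):
        return rev.log_message
    return None


def log_message_hardened(authz: Authz, user: str, rev: Revision) -> Optional[str]:
    """Hardened variant: every touched path, including the source of a copy,
    must be readable before the log message is disclosed."""
    for c in rev.changes:
        if not authz.can_read(user, c.path):
            return None
        if c.copyfrom_path is not None and not authz.can_read(user, c.copyfrom_path):
            return None
    return rev.log_message


# Constructed sample data (hypothetical): everyone may read the tree,
# but /secret is restricted to alice.
AUTHZ = Authz({"/": {"*"}, "/secret": {"alice"}})
REV_42 = Revision(
    number=42,
    log_message="Publish plan (copied from /secret; mentions the launch date)",
    changes=[Change("/public/plan.txt", copyfrom_path="/secret/plan.txt")],
)

if __name__ == "__main__":
    for user in ("bob", "alice"):
        print(user, "leaky:", log_message_leaky(AUTHZ, user, REV_42))
        print(user, "hardened:", log_message_hardened(AUTHZ, user, REV_42))
```

Run as a script, the leaky check hands bob the log message for revision 42 even though he cannot read `/secret/plan.txt`; the hardened check returns `None` for bob and the message only for alice. The same copy-source rule applies wherever a view renders per-revision metadata, not only in the revision view.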