While some grep in Changelog I found that: Version 1.0.3 (released 13-Oct-2006) * fix bug in path shown for Subversion deleted-under-copy items (issue #265) * security fix: declare charset for views to avoid IE UTF7 XSS attac (http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD) noting that sources.g.o uses old viewcvs
setting status and cc'ing maintainer and infra liaisons since it's a possible breach. also, restricting bug for now until we have more infos.
This is already public for almost a year so I really see no point in restricting this one.
(In reply to comment #2) > This is already public for almost a year so I really see no point in > restricting this one. > Yeah probably, but with the other issue on p.g.o some weeks ago, I prefered to be cautious. Infra, are we affected by this?
can somebody with a PoC and IE7 please test it for existence on the sources.g.o? Alternatively give me the actual patch that fixed it, and i'll check against the live source.
Created attachment 131150 [details, diff] 0001-Merge-security-fix-made-in-r1446-from-1.0.x-to-trunk.patch
robbat2, any news here? is sources.g.o affected?
appears sources.g.o was patched some time ago.
(In reply to comment #7) > appears sources.g.o was patched some time ago. > ok so this can be unrestricted now. viewvc has 1.0.4 stable so it should be ok, but the viewcvs ebuilds are pre-releases so I don't know if it's affected. web-apps, please advise.
ups, actually viewcvs has been completely replaced with viewvc. In principle I'd suggest to mask viewcvs and let people migrate to viewvc. Nevertheless s.g.o still seems to use the older viewCVS. I'll write a mail to gentoo-dev
s.g.o uses a hacked up middle point, that needs a real upgrade at some point.
(In reply to comment #9) > ups, actually viewcvs has been completely replaced with viewvc. > > In principle I'd suggest to mask viewcvs and let people migrate to viewvc. > Nevertheless s.g.o still seems to use the older viewCVS. > > I'll write a mail to gentoo-dev > Ok so I guess we can proceed to the glsa-vote. XSS => no (maybe we could add a rule in the policy for this case).
Voting NO and ACK on the policy question.
