Summary: | <www-apps/viewvc-1.1.4: XSS attack (CVE-2010-0736) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jeremy Olexa (darkside) (RETIRED) <darkside> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Jeremy Olexa (darkside) (RETIRED)
2010-03-12 22:20:18 UTC
@webapps-team: I committed this ebuild because it works for me and there is no change except that it now installs templates-contrib/ too.

```
+*viewvc-1.1.4 (24 Mar 2010)
+
+  24 Mar 2010; Jeremy Olexa <darkside@gentoo.org> +viewvc-1.1.4.ebuild:
+  Version bump for bug 309195, fixes possible XSS security attack and now
+  installs templates-contrib as well
+
```

@security team, please advise on urgency of the "security fix" - Thanks.

Jeremy, thanks for the report and the bump.

Arches, please test and mark stable:
=www-apps/viewvc-1.1.4
Target keywords: "amd64 ppc sparc x86"

x86 stable

amd64 stable

Another vulnerability has been discovered and another version has been released. Remaining arches, please go for bug #312165 instead, thanks.

CVE-2010-0736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0736): Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."

XSS → noglsa.