
Bug 575486

Summary: <www-apps/websvn-2.3.3-r1: reflected cross-site scripting
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: grknight, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1310758
Whiteboard: B4 [blocked]
Package list:
Runtime testing required: ---
Bug Depends on: 552684    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-02-23 15:10:46 UTC
From ${URL} :

A reflected cross-site scripting vulnerability was found in WebSVN.

External references:

http://seclists.org/fulldisclosure/2016/Feb/99


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2016-02-23 15:16:21 UTC
Kill this package.

Second security bug since upstream cared.
It also relies on PHP, which may not even work today and won't in the near future with PHP 7.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-17 12:55:20 UTC
@web-apps, any reservations with tree cleaning this package?
Comment 3 Anthony Basile gentoo-dev 2016-07-17 14:28:39 UTC
(In reply to Aaron Bauman from comment #2)
> @web-apps, any reservations with tree cleaning this package?

I'm not taking care of it so I don't know its state.  X-site scripting can easily be fixed, but if it's moribund because of PHP, then there's no saving it without serious effort.

Let's see if any other dev wants it; else, last-rite it.
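Added illustration of the bug class this report is about, i.e. reflected cross-site scripting in a PHP application, with the unsafe pattern beside the usual fix. This is example code written for this page; it is not WebSVN's code, not from the Debian patches listed below, and the parameter name `path`, the page markup and the sample request are assumptions made for the example.

```php
<?php
// Added example, not WebSVN's code. The query parameter "path" and the
// <h1> markup are assumptions chosen to illustrate reflected XSS in PHP.
// Written without PHP 7-only syntax, since this thread worries about PHP 7.

// Unsafe pattern: a request value is concatenated straight into HTML, so
// whatever the client put in the URL is reflected back as markup.
function render_title_unsafe(array $get)
{
    $path = isset($get['path']) ? $get['path'] : '/';
    return "<h1>Listing of " . $path . "</h1>";
}

// Fix: encode for the HTML context at the point of output, not on input.
// ENT_QUOTES also escapes single quotes so the same helper is safe inside
// quoted attribute values; the charset is given explicitly so the encoder
// does not guess.
function html_escape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_title_safe(array $get)
{
    $path = isset($get['path']) ? $get['path'] : '/';
    return "<h1>Listing of " . html_escape($path) . "</h1>";
}

// Returns true when the rendered fragment contains no raw <script> tag.
// Used below as a self-check; a real fix would be verified by a test suite.
function reflects_script($html)
{
    return stripos($html, '<script') !== false;
}

// Constructed request (not from the original report): the payload closes
// the heading and injects a script element.
$request = array(
    'path' => '</h1><script>alert(document.cookie)</script>',
);

$unsafe = render_title_unsafe($request);
$safe   = render_title_safe($request);

echo "unsafe: " . $unsafe . PHP_EOL;
echo "safe:   " . $safe . PHP_EOL;

if (!reflects_script($unsafe)) {
    throw new RuntimeException('expected the unsafe renderer to reflect the payload');
}
if (reflects_script($safe)) {
    throw new RuntimeException('escaped output must not contain a raw <script> tag');
}
// In the escaped output, '<', '>', '"' and "'" from the request arrive as
// entities, so the browser renders the payload as text instead of executing it.
```

The point the comment above makes, that this class of bug is easy to fix, is exactly this: output encoding at every place a request value meets HTML. The harder part in a codebase like WebSVN is finding every such place, which is why the Debian patches referenced in this bug are per-CVE rather than one general change.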
Comment 4 Brian Evans (RETIRED) gentoo-dev 2016-08-11 18:34:36 UTC
Upstream is dead; patches come from Debian.

commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch       | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch       | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild             | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-01-16 04:39:37 UTC
GLSA Vote: No

tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804196e1f28457f9538c4b234b43e21befb83dcf