| Summary: | <www-apps/websvn-2.3.3-r1: XSS vulnerability (CVE-2016-1236) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1333673 | | |
| Whiteboard: | B4 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 552684 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2016-05-06 08:43:36 UTC
Upstream is dead; Patches come from Debian

commit: 196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author: Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit: Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

.../websvn/files/13_security_CVE-2013-6892.patch | 39 ++++++++++++++
www-apps/websvn/files/30_CVE-2016-2511.patch | 11 ++++
www-apps/websvn/files/31_CVE-2016-1236.patch | 61 ++++++++++++++++++++++
www-apps/websvn/websvn-2.3.3-r1.ebuild | 54 +++++++++++++++++++
4 files changed, 165 insertions(+)

CVE-2016-1236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1236): Multiple cross-site scripting (XSS) vulnerabilities in (1) revision.php, (2) log.php, (3) listing.php, and (4) comp.php in WebSVN allow context-dependent attackers to inject arbitrary web script or HTML via the name of a (a) file or (b) directory in a repository.

GLSA Vote: No

tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804196e1f28457f9538c4b234b43e21befb83dcf