Some security issues have been reported in ViewVC, which can be exploited by malicious people to bypass certain security restrictions. 1) An error can be exploited to list CVS or SVN commits on "all-forbidden" files via a ViewVC query. 2) An error can be exploited to directly access hidden CVSROOT folders via custom URLs. 3) An error can be exploited to expose restricted content via the revision view, the log history, or the diff view. The security issues are reported in versions prior to 1.0.5. Solution: Update to version 1.0.5.
Web-apps, please bump as needed.
in cvs, please stabilize
x86 stable
Sparc stable. Christian, I am adding you in CC because one of us got the wrong version.
Thanks Ferris, I really did the wrong version. Fixed it.
ppc stable
amd64 stable
Fixed in release snapshot.
Ready for vote. I vote YES.
yes too, request filed.
GLSA 200803-29