From the changelog at $URL: Version 1.1.11 (released 17-May-2011) * security fix: remove user-reachable override of cvsdb row limit * fix broken standalone.py -c and -d options handling * add --help option to standalone.py * fix stack trace when asked to checkout a directory (issue #478) * improve memory usage and speed of revision log markup (issue #477) * fix broken annotation view in CVS keyword-bearing files (issue #479) * warn users when query results are incomplete (issue #443) * avoid parsing errors on RCS newphrases in the admin section (issue #483) * make rlog parsing code more robust in certain error cases (issue #444) @web-apps, =www-apps/viewvc-1.1.11 is already in the tree. Can we move to stabilize that version? Thanks!
Tested on x86, looks good over here.
amd64 ok
x86 stable, thanks Andreas
amd64 done. Thanks Agostino
sparc keyword dropped
Thanks, folks. GLSA Vote: yes.
CVE-2009-5024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5024): ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
Vote: NO.
no too, and closing.