ViewVC 1.1.15 was released [1] with the following fixes: * security fix: complete authz support for remote SVN views (issue #353) * security fix: log msg leak in SVN revision view with unreadable copy source The SUSE bug report [2] notes some possible source fixes for these issues: The first one: http://viewvc.tigris.org/issues/show_bug.cgi?id=353 http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2755 http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2756 http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2757 http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2759 http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2760 The second flaw: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2758 [1] http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.15/CHANGES [2] https://bugzilla.novell.com/show_bug.cgi?id=768680 Reproducible: Always
CVE-2012-3357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3357): The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak." CVE-2012-3356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3356): The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
web-apps: ping Please bump for this bug and bug 440774.
Bumped to viewvc-1.1.17. This should also take care of bug 440774.
(In reply to comment #3) > Bumped to viewvc-1.1.17. This should also take care of bug 440774. Thanks, Anthony.
GLSA vote: no.
GLSA Vote: no, too. Closing noglsa.
