Bug 575486 - <www-apps/websvn-2.3.3-r1: reflected cross-site scripting
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [blocked]
Keywords:
Depends on: CVE-2013-6892
Blocks:
Reported: 2016-02-23 15:10 UTC by Agostino Sarubbo
Modified: 2017-01-16 04:39 UTC

Description Agostino Sarubbo gentoo-dev 2016-02-23 15:10:46 UTC
From ${URL} :

A reflected cross-site scripting vulnerability was found in WebSVN.

External references:

http://seclists.org/fulldisclosure/2016/Feb/99


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2016-02-23 15:16:21 UTC
Kill this package.

Second security bug since upstream cared.
It also relies on PHP which may not even work today and won't in the near future with PHP 7.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-17 12:55:20 UTC
@web-apps, any reservations with tree cleaning this package?
Comment 3 Anthony Basile gentoo-dev 2016-07-17 14:28:39 UTC
(In reply to Aaron Bauman from comment #2)
> @web-apps, any reservations with tree cleaning this package?

I'm not taking care of it so I don't know its state. x-site scripting can easily be fixed, but if it's moribund because of php, then there's no saving it without serious effort.

Let's see if any other dev wants it else last rite it.
Comment 4 Brian Evans (RETIRED) gentoo-dev 2016-08-11 18:34:36 UTC
Upstream is dead; Patches come from Debian

commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch       | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch       | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild             | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-01-16 04:39:37 UTC
GLSA Vote: No

tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804196e1f28457f9538c4b234b43e21befb83dcf