No details know, opening bug to keep track of the issue.
It's a XSS issue in the ViewCVSException handling of 404 Not Found pages.
lynx -source 'http://yourserverhere/viewcvs.cgi/<script>alert("BOO"+document.cookie)</script>' | grep BOO
http://www.gentoo.org/cgi-bin/viewcvs.cgi is not affected, but others on the net (including 1.0-dev) are (?!)
Found by Michael Krax from RedHat, waiting for a disclosure date (and hopefully patches) from him.
Created attachment 46129 [details, diff]
Here is the patch, it's still unclear on diclosure policy though. Keeping it
private for the time being.
This is now public.
web-apps, could you quickly bump viewcvs with the provided patch, so that we can issue a grouped GLSA with bug 72461.
Created attachment 46541 [details, diff]
This one (from SuSE) applies more cleanly.
web-apps/Stuart : please apply latest patch and bump. I checked that this one applies cleanly, and it's a very minor patch.
Patch applied, and in Portage. New package is viewcvs-0.9.2_p20041207-r1. Keywords are ~x86 and ~ppc. Needs marking stable on both arches. I can't test it (don't have a CVS repository setup myself atm), but the patch itself looks very safe.
x86,ppc : please mark stable
stable on ppc
stable on x86 by Stuart