No details know, opening bug to keep track of the issue.
It's a XSS issue in the ViewCVSException handling of 404 Not Found pages. Example : lynx -source 'http://yourserverhere/viewcvs.cgi/<script>alert("BOO"+document.cookie)</script>' | grep BOO http://www.gentoo.org/cgi-bin/viewcvs.cgi is not affected, but others on the net (including 1.0-dev) are (?!) Found by Michael Krax from RedHat, waiting for a disclosure date (and hopefully patches) from him.
Created attachment 46129 [details, diff] viewcvs-CAN-2004-1062.patch Here is the patch, it's still unclear on diclosure policy though. Keeping it private for the time being.
This is now public. web-apps, could you quickly bump viewcvs with the provided patch, so that we can issue a grouped GLSA with bug 72461.
Created attachment 46541 [details, diff] New viewcvs-CAN-2004-1062.patch This one (from SuSE) applies more cleanly.
web-apps/Stuart : please apply latest patch and bump. I checked that this one applies cleanly, and it's a very minor patch.
Patch applied, and in Portage. New package is viewcvs-0.9.2_p20041207-r1. Keywords are ~x86 and ~ppc. Needs marking stable on both arches. I can't test it (don't have a CVS repository setup myself atm), but the patch itself looks very safe. Best regards, Stu
x86,ppc : please mark stable
stable on ppc
stable on x86 by Stuart GLSA 200412-26