Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 369077 (CVE-2009-5024) - <www-apps/viewvc-1.1.11: Denial of Service Vulnerability (CVE-2009-5024)
Summary: <www-apps/viewvc-1.1.11: Denial of Service Vulnerability (CVE-2009-5024)
Alias: CVE-2009-5024
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2011-05-28 18:52 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-08 21:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-05-28 18:52:25 UTC
From the changelog at $URL:

Version 1.1.11 (released 17-May-2011)

  * security fix: remove user-reachable override of cvsdb row limit
  * fix broken -c and -d options handling
  * add --help option to
  * fix stack trace when asked to checkout a directory (issue #478)
  * improve memory usage and speed of revision log markup (issue #477)
  * fix broken annotation view in CVS keyword-bearing files (issue #479)
  * warn users when query results are incomplete (issue #443)
  * avoid parsing errors on RCS newphrases in the admin section (issue #483)
  * make rlog parsing code more robust in certain error cases (issue #444)

@web-apps, =www-apps/viewvc-1.1.11 is already in the tree. Can we move to stabilize that version? Thanks!
Comment 1 Andreas Schürch gentoo-dev 2011-06-20 06:34:14 UTC
Tested on x86, looks good over here.
Comment 2 Agostino Sarubbo gentoo-dev 2011-06-20 08:38:50 UTC
amd64 ok
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-20 09:29:02 UTC
x86 stable, thanks Andreas
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2011-06-20 11:37:01 UTC
amd64 done. Thanks Agostino
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2011-06-24 11:41:51 UTC
sparc keyword dropped
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-06-26 15:59:26 UTC
Thanks, folks. GLSA Vote: yes.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 02:05:46 UTC
CVE-2009-5024 (
  ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit
  configuration setting, and consequently conduct resource-consumption
  attacks, via the limit parameter, as demonstrated by a "query revision
  history" request.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:44:09 UTC
Vote: NO.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:46:16 UTC
no too, and closing.