Bug#500779: CVE-2008-4325: misinterpretation of content-type

2009-02-27 Thread Sylvain Beucler
Hello David,

 CVE-2008-4325[0]:
 | lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the
 | HTTP request for the Content-Type header in the HTTP response, which
 | allows remote attackers to cause content to be misinterpreted by the
 | browser via a content-type parameter that is inconsistent with the
 | requested object.  NOTE: this issue might not be a vulnerability, since
 | it requires attacker access to the repository that is being viewed.

Can you tell if you intend to fix this security issue?

-- 
Sylvain



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#500779: CVE-2008-4325: misinterpretation of content-type

2008-10-01 Thread Steffen Joeris
Package: viewvc
Severity: normal
Tags: patch, security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for viewvc.

CVE-2008-4325[0]:
| lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the
| HTTP request for the Content-Type header in the HTTP response, which
| allows remote attackers to cause content to be misinterpreted by the
| browser via a content-type parameter that is inconsistent with the
| requested object.  NOTE: this issue might not be a vulnerability, since
| it requires attacker access to the repository that is being viewed.

The upstream bug report[1] contains an explanation and also a patch[2].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

I don't think it is really exploitable or a serious issue, but nonetheless,
I thought you'd like to know.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4325
http://security-tracker.debian.net/tracker/CVE-2008-4325
[1] http://viewvc.tigris.org/issues/show_bug.cgi?id=354
[2] http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011&r1=1968&r2=1978
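The pattern the CVE text describes, and the defensive alternative, side by side as an added illustration. This is not ViewVC's code and not the upstream patch: the repository files, the svn:mime-type property lookup, the allowed-override set and the octet-stream fallback are all assumptions constructed for the example. The point it shows is that the response Content-Type should be derived from the requested object (its repository property or file extension), and that a client-supplied content-type parameter is at most honoured when it names a harmless type such as text/plain.

```python
import mimetypes
from urllib.parse import parse_qs

# Constructed stand-in for repository-backed files. In a real viewer the data
# and the svn:mime-type property would come from the repository; here both are
# embedded so the example runs offline.
REPO_FILES = {
    "trunk/notes.txt": {"data": b"release notes, plain text\n", "mime_prop": None},
    "trunk/logo.png": {"data": b"\x89PNG\r\n\x1a\n", "mime_prop": "image/png"},
    "trunk/README": {"data": b"no extension, no property\n", "mime_prop": None},
}

# Assumption: the only client-selectable override honoured is "view as plain
# text", which cannot make a browser treat the body as markup or script.
ALLOWED_OVERRIDES = {"text/plain"}

DEFAULT_TYPE = "application/octet-stream"  # assumption: conservative fallback


def content_type_from_repo(path):
    """Derive the type from the object itself: repository property first,
    then the file extension, then a conservative default."""
    entry = REPO_FILES[path]  # KeyError for unknown paths, on purpose
    if entry["mime_prop"]:
        return entry["mime_prop"]
    guessed, _encoding = mimetypes.guess_type(path)
    return guessed or DEFAULT_TYPE


def content_type_vulnerable(path, query_string):
    """The pattern CVE-2008-4325 describes: whatever the request's
    content-type parameter says is copied into the response header."""
    params = parse_qs(query_string)
    if "content-type" in params:
        return params["content-type"][0]
    return content_type_from_repo(path)


def content_type_hardened(path, query_string):
    """Ignore the parameter unless it names an allowed, harmless override;
    otherwise the type comes from the requested object only."""
    params = parse_qs(query_string)
    requested = params.get("content-type", [None])[0]
    if requested in ALLOWED_OVERRIDES:
        return requested
    return content_type_from_repo(path)


def build_response(path, query_string):
    """Assemble a checkout response using the hardened type selection.
    X-Content-Type-Options: nosniff is an extra defence not mentioned in the
    report; it stops browsers from second-guessing the declared type."""
    return {
        "headers": {
            "Content-Type": content_type_hardened(path, query_string),
            "X-Content-Type-Options": "nosniff",
        },
        "body": REPO_FILES[path]["data"],
    }


if __name__ == "__main__":
    for q in ("", "content-type=text/html"):
        print(q or "(no parameter)",
              "| vulnerable:", content_type_vulnerable("trunk/notes.txt", q),
              "| hardened:", content_type_hardened("trunk/notes.txt", q))
```

With `content-type=text/html` in the query, the vulnerable selector returns `text/html` for a plain-text file, while the hardened one keeps `text/plain`; for an object carrying an `image/png` property the parameter is ignored entirely, and a file with neither property nor known extension falls back to `application/octet-stream`.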

