Your message dated Fri, 02 Feb 2007 23:17:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#397669: fixed in viewvc 1.0.3-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: viewcvs
Version: 0.9.4+svn20060318-1
Severity: grave
Tags: security
Justification: user security hole
Version 1.0.3 (released 13-Oct-2006)
* security fix: declare charset for views to avoid IE UTF7 XSS attack
Version 0.9.4 (released 17-Aug-2005)
* security fix: omit forbidden/hidden modules from query results.
Version 0.9.3 (released 17-May-2005)
* security fix: disallow bad "sortby" and "cvsroot" input [CAN-2002-0771]
These next two I think are solved:
* security fix: disallow bad "content-type" input [CAN-2004-1062]
* security fix: omit forbidden/hidden modules from tarballs [CAN-2004-0915]
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Versions of packages viewcvs depends on:
ii viewvc 0.9.4+svn20060318-1 view CVS/SVN repositories via HTTP
viewcvs recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: viewvc
Source-Version: 1.0.3-1
We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive:
viewcvs_1.0.3-1_all.deb
to pool/main/v/viewvc/viewcvs_1.0.3-1_all.deb
viewvc-query_1.0.3-1_all.deb
to pool/main/v/viewvc/viewvc-query_1.0.3-1_all.deb
viewvc_1.0.3-1.diff.gz
to pool/main/v/viewvc/viewvc_1.0.3-1.diff.gz
viewvc_1.0.3-1.dsc
to pool/main/v/viewvc/viewvc_1.0.3-1.dsc
viewvc_1.0.3-1_all.deb
to pool/main/v/viewvc/viewvc_1.0.3-1_all.deb
viewvc_1.0.3.orig.tar.gz
to pool/main/v/viewvc/viewvc_1.0.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Martínez Moreno <[EMAIL PROTECTED]> (supplier of updated viewvc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Fri, 2 Feb 2007 18:29:19 +0100
Source: viewvc
Binary: viewvc viewcvs viewvc-query
Architecture: source all
Version: 1.0.3-1
Distribution: unstable
Urgency: low
Maintainer: David Martínez Moreno <[EMAIL PROTECTED]>
Changed-By: David Martínez Moreno <[EMAIL PROTECTED]>
Description:
viewcvs - dummy package to migrate to ViewVC
viewvc - view CVS/SVN repositories via HTTP
viewvc-query - utility to query CVS commit database
Closes: 150214 178999 181888 189544 190975 191455 194472 200691 204595 217049
217070 229906 232847 241545 245181 245550 251762 263268 264110 265271 270331
274422 280877 282718 291358 293301 294242 295031 296191 304680 305130 307092
307789 319250 321584 324076 324077 332137 332555 339537 344941 354752 363972
369744 372655 380981 386990 386992 388527 397669
Changes:
viewvc (1.0.3-1) unstable; urgency=low
.
* Sorry for the enormous delay. Viewvc was in a bad shape and I was not in
the mood. Let's finally try viewvc in unstable.
* New upstream release (closes: #388527, #397669). Main changes since the
last snapshot are:
- Fixed issues with Subversion tarballs.
- Fixed annotate in several cases.
- Security fix: declare charset for views to avoid IE UTF7 XSS attacks.
- Minor documentation fixes.
- Lots of other fixes in RSS, CVS and XHTML code.
* debian/control:
- Build-Depends on quilt (closes: #386990).
- Added gawk to Depends in viewvc, in order to fix an error when no roots are
present, and replaced awk by gawk in debian/viewvc.postinst.
* Renamed debian/README to debian/README.Debian. Thanks, Romain Francoise
(closes: #386992).
* Included some parts of the diff from NMU 0.9.2+cvs.1.0.dev.2004.07.28-4.1
by Joey Hess to fix #384750 (already included with the fix for #380981).
* debian/patches: Removed 03_ValueErrorException_and_commitid patch, as it
was included in 1.0.3.
.
viewvc (0.9.4+svn20060318-1) experimental; urgency=low
.
* New SVN snapshot. The ViewCVS project has become ViewVC, under tigris.org's
umbrella. Fresh SVN checkout as of 18-03-2006, closes: #339537. Main
changes were:
- All the files related to ViewCVS (viewcvs.conf, viewcvs.cgi and so on)
have been renamed to viewvc.whatever.
- Templates are Apache-agnostic, so this addresses part of #263268.
- There is no diff_font_face setting, thus closes: #229906.
- The templates no longer include invalid SGML comments. Closes: #245550.
- The URLs are properly escaped now (closes: #363972).
- URLs in commit messages are no longer truncated (closes: #190975).
- I am not able to leave any lock in repositories, so I suppose this
closes: #280877.
- I suspect that #200691 was produced by problems with python-subversion.
Now it is working for me, so closes: #200691.
- I have no problems seeing markup in log or annotate views. Closes:
#204595.
- hide_attic shows or hides files inside the Attic always, including
subdirectories (closes: #178999).
- The layout is correct now (closes: #189544).
- Coloring works with diffs (closes: #344941).
- File size now appears in the detailed view (closes: #319250).
- svn_parent_path has been removed in favour of a wider 'root_parents'
parameter, valid for either CVS or Subversion. Added to NEWS.Debian.
Closes: #264110.
- markup_stream_enscript no longer exists as an individual method.
Closes: #191455.
- Disabling annotation works now. Closes: #321584.
- Fixed tarball generator so it doesn't include forbidden modules.
Closes: #295031.
- CVS branches now show correct information. Closes: #217070.
- As far as I understood in #217049, the problem is that certain files
do not have Attic/ in their URL. Now the files in Attic are shown as
every other file, but with proper FILE REMOVED labels, so this closes:
#217049.
- Added integrated RSS feeds.
- Make "default_root" option optional. When no root is specified, it shows
a page listing all available repositories.
- Added stricter parameter validation to lower likelihood of cross-site
scripting vulnerabilities.
- Added support for cvsweb's "mime_type=text/x-cvsweb-markup" URLs.
- Fixed incompatibility with enscript 1.6.3.
- Output "404 Not Found" errors instead of "403 Forbidden" errors to not
reveal whether forbidden paths exist.
- Cleaned up zombie processes from running enscript.
- Results from viewvc-query now give a correct path. Closes: #181888.
- Lots of other fixes.
* This release is very close to ViewVC 1.0, and all the requests that
Richard A. Nelson made are in the current snapshot, so I suppose that it
closes: #369744.
* Drastically altered the way that patches are stored. Added infrastructure
to manage them with quilt. This will surely cause some headaches, as there
will be regressions and already-fixed bugs in the present code, but the
old package was unmanageable. Sorry for the annoyance. If I made this, it
was for a better future. :-)
* "And now, the continuation!"
* I pushed several things present in unreleased packages to upstream, so the
diff size is small again. :-)
* debian/TODO: Added.
* debian/copyright: Clarified the difference between license and copyright,
and added some words about the name change.
* debian/rules: Changed DH_COMPAT=3 to debian/compat(=4).
* debian/po/*po: Replaced 'ViewCVS' by 'ViewVC'.
* debian/templates: All the templates now belong to viewvc/whatever. Removed
svnparentpath, as it was not supported in the old packages and I prefer to
keep this situation for now.
* debian/po/vi.po: Added Vietnamese translation. Thanks, Clytie Siddall!
(closes: #324077).
* debian/po/sv.po: Added Swedish translation. Thanks, Daniel Nylander!
(closes: #332555).
* debian/po/es.po: Added Spanish translation.
* Created viewvc.config in order to transfer all the existing debconf
answers to the new hierarchy, and added code to viewcvs.postrm in order to
remove such questions when purged. Thanks to Joey Hess for advice in this
situation. Altered viewvc-config in order to use the new config file.
Robustified several routines that deal with debconf entries. The
configuration system now is able to uncomment an entry. I am not able to
reproduce several related bugs, so this closes: #296191, #270331.
* Fixed a greedy regular expression in viewvc-config that made full lines
disappear from the config file when at least one option was empty.
* Unified methods of obtaining list of roots in postinst and config scripts.
* debian/control:
- Renamed viewcvs to viewvc, and added a dummy viewcvs package for
upgrades.
- Rewrote some descriptions, and this surprisingly closes: #354752.
- Added '| debconf-2.0' to Depends in viewvc. Closes: #332137.
- Replaced in Build-Depends python2.3-subversion by new package
python-subversion.
- Moved python-subversion from Build-Depends to Depends.
- Upgraded Standards-Version to 3.7.2.1.
* Merged code from .diff.gz into debian/patches and with upstream in order to
deal with past bug reports. This is only to make sure that I did not drop
something in the way...:
- #196975: robots exclusion
- #261986: viewcvs: Exception enumerating branches
- #284237: NMU: Security update for CAN-2004-0915
- #287771: [CAN-2004-1062]: cross site scripting security problem
- #289466: viewcvs: breaks config file on upgrade
- #293426: viewcvs: split log info from file content so it can be
distinguished
- #293529: viewcvs: Please include svndbadmin
- #297032: viewcvs: Error message "UnknownReference: current_root"
- #303756: viewcvs: Unknown Reference: current_root (includes patch)
* Pushed to upstream an upgrade to embedded py2html to 0.8, and activated
processing for .py scripts. Closes: #282718.
* Call dh_python *before* dh_installdeb, so that *.py files are compiled.
Closes: #245181.
* Applied patch fixing some typos in debian/templates. Thanks, Tobias
Toedter and Clytie Siddall (closes: #251762, #324076). While at it,
upstream replaced all the 'ViewCVS' strings by 'ViewVC' in the tree.
* Incorporate remaining pieces from doogie's NMU to packages, except the
setuid wrapper. Closes: #294242.
* debian/viewvc.links: Add a link from /usr/share/viewvc to
/etc/viewvc/templates/docroot.
* Changed default path in ViewVC to /etc/viewvc/templates. This change,
along with a commented out 'docroot' value in viewvc.conf by default,
allowed me to simply make a symbolic link from /etc/viewvc/templates/docroot
to /usr/share/viewvc, and all the problems with CSS and images simply
vanished. Reading the policy I was unable to find anything against this.
Yes, this is a performance penalty, as viewvc is serving images that
otherwise you could get directly from the web server, but it avoids dealing
with web server configurations. Added a NEWS.Debian entry about this
subject. I am grateful to say that it closes: #305130, #263268, #307092,
#307789, #232847, #274422.
* We do not fiddle with Apache config, thus also closes: #291358, #304680.
* Added a README.Debian with information about solving the performance hit
of having viewvc serving all the content, and with basic information about
viewvc (closes: #150214). I think that adding this information also
closes: #241545, because the other part is 'solved' as we do not
touch web server configurations anymore.
* Added a patch from 1.0.x branch to upgrade lib/vclib/bincvs/__init__.py:
- Fixed a ValueError exception raised (closes: #265271).
- Fixed parsing of recent CVS format (closes: #372655).
* Fixed building in order to support the new Python policy (closes: #380981):
- debian/control: Added python-support (>= 0.3) to B-D-I. Bumped
dependency on debhelper (>= 5.0.37.2).
- Added an 'XB-Python-Version: ${python:Versions}' field to viewvc and
viewvc-query.
- Added an 'XS-Python-Version: current' field to viewvc and viewvc-query.
- debian/rules: Insert dh_pysupport before dh_python.
- debian/pycompat: Created with a content of '2'.
* Improved description for viewvc-query. Closes: #293301.
* We do not rename query.cgi to viewvc-query.cgi (at least for the moment).
Closes: #194472.
Files:
25b121fe01d351faa52a269da928579a 721 devel optional viewvc_1.0.3-1.dsc
3d44ad485d38bf9f61d8111661260b4a 406570 devel optional viewvc_1.0.3.orig.tar.gz
33c3410e56180312da7dd5e8e5edbd7e 31693 devel optional viewvc_1.0.3-1.diff.gz
60d703d8d6b861c41c59f48ce750441c 193200 devel optional viewvc_1.0.3-1_all.deb
722e396a74cabe2cabd00e7e75182ad4 15494 devel optional viewcvs_1.0.3-1_all.deb
28843a3e1273a812652c855e1b87dc3a 20520 devel optional viewvc-query_1.0.3-1_all.deb
--- End Message ---
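The 1.0.3 security fix in the changelog above ("declare charset for views to avoid IE UTF7 XSS attacks") comes down to one response property: every HTML view must state its character set so the browser never guesses it. As an added example, not code from the bug report or from the ViewVC package, the Python below audits constructed sample responses for an undeclared charset and shows the corrected Content-Type value; the sample headers and bodies are made up for illustration.

```python
"""Check that HTTP responses declare a character set.

Added example, not ViewVC code: the 1.0.3 fix declares a charset on every
view so a browser cannot sniff the page as UTF-7 (where text harmless in
UTF-8 decodes to markup). These helpers flag HTML responses that leave
the charset undeclared and show the corrected Content-Type value.
"""
import re
from typing import Dict, Optional, Tuple

Response = Tuple[Dict[str, str], str]  # (headers, body)

# Constructed sample responses, not captured from a real ViewVC instance.
SAMPLES: Dict[str, Response] = {
    "declared": ({"Content-Type": "text/html; charset=UTF-8"}, "<html></html>"),
    "missing": ({"Content-Type": "text/html"}, "<html></html>"),
    "meta_only": ({"Content-Type": "text/html"},
                  '<html><head><meta charset="utf-8"></head></html>'),
    "not_html": ({"Content-Type": "text/plain"}, "plain text"),
}

_CHARSET_PARAM = re.compile(r';\s*charset\s*=\s*"?([\w.:-]+)"?', re.I)
_META_CHARSET = re.compile(r'<meta[^>]+charset\s*=\s*["\']?\s*([\w.:-]+)', re.I)

def declared_charset(headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the charset the response declares (lower-cased), or None."""
    ctype = headers.get("Content-Type", "")
    m = _CHARSET_PARAM.search(ctype)
    if m:
        return m.group(1).lower()
    # Fallback: a <meta charset> within the first 1024 bytes, the window
    # browsers prescan for an in-document declaration.
    if ctype.lower().startswith("text/html"):
        m = _META_CHARSET.search(body[:1024])
        if m:
            return m.group(1).lower()
    return None

def needs_fix(headers: Dict[str, str], body: str) -> bool:
    """True when an HTML response leaves its charset undeclared."""
    ctype = headers.get("Content-Type", "").lower()
    return ctype.startswith("text/html") and declared_charset(headers, body) is None

def with_charset(ctype: str, charset: str = "UTF-8") -> str:
    """The hardened header value: add an explicit charset if none is present."""
    return ctype if _CHARSET_PARAM.search(ctype) else f"{ctype}; charset={charset}"

def audit(samples: Dict[str, Response]) -> Dict[str, bool]:
    """Map each sample name to whether it still needs the fix."""
    return {name: needs_fix(h, b) for name, (h, b) in samples.items()}
```

Running `audit(SAMPLES)` flags only the "missing" response; the same check can be pointed at captured headers from any web application that emits HTML.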