Your message dated Sun, 11 Oct 2009 00:17:30 +0000
with message-id <e1mwm7u-0003et...@ries.debian.org>
and subject line Bug#545779: fixed in viewvc 1.0.9-1
has caused the Debian Bug report #545779,
regarding XSS and illegal characters while printing name-value pairs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
545779: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545779
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: viewvc
Severity: grave
Tags: security patch
Hi
According to upstream:
Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values
http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES
The two upstream patches appear to be:
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2214&r2=2213&pathrev=2214
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2219&r2=2218&pathrev=2219
Could you test the patches and prepare updated packages for unstable/stable?
A CVE id has been requested and we'll forward it to this bug report once it's allocated.
Cheers
Steffen
--- End Message ---
--- Begin Message ---
Source: viewvc
Source-Version: 1.0.9-1
We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive:
viewvc-query_1.0.9-1_all.deb
to pool/main/v/viewvc/viewvc-query_1.0.9-1_all.deb
viewvc_1.0.9-1.diff.gz
to pool/main/v/viewvc/viewvc_1.0.9-1.diff.gz
viewvc_1.0.9-1.dsc
to pool/main/v/viewvc/viewvc_1.0.9-1.dsc
viewvc_1.0.9-1_all.deb
to pool/main/v/viewvc/viewvc_1.0.9-1_all.deb
viewvc_1.0.9.orig.tar.gz
to pool/main/v/viewvc/viewvc_1.0.9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 545...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Martínez Moreno <en...@debian.org> (supplier of updated viewvc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Mon, 28 Sep 2009 05:24:27 +0200
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.0.9-1
Distribution: unstable
Urgency: high
Maintainer: David Martínez Moreno <en...@debian.org>
Changed-By: David Martínez Moreno <en...@debian.org>
Description:
viewvc - view CVS/SVN repositories via HTTP
viewvc-query - utility to query CVS commit database
Closes: 440188 482323 485187 500779 502257 545779
Changes:
viewvc (1.0.9-1) unstable; urgency=high
.
* New upstream release (closes: #502257):
- Ignore arbitrary user-provided MIME types (closes: #500779).
- Fixed bug in regexp searches.
- Fixed bug in handling of certain 'co' output.
- Fixed annotate code syntax error.
- Fixed mod_python import cycle.
- Fixed directory view sorting UI.
- Tolerate malformed Accept-Language headers.
- Fixed directory log views in revision-less Subversion repositories.
- Fixed exception in rev-sorted remote Subversion directory views.
- Security fixes: validate the 'view' parameter to avoid XSS attack
and avoid printing illegal parameter names and values (closes:
#545779).
* debian/control:
- Moved docbook-to-man from B-D-I to B-D, as it is in build target
(closes: #440188).
- Added B-D on quilt (>= 0.46-7) in order to have dh_quilt_*.
- Upgraded Standards-Version to 3.8.3.
- Added ${misc:Depends} to viewvc and viewvc-query.
- Bumped dependency on debhelper to >=6.
- Added Homepage.
* debian/rules:
- Moved patch targets into the XXI century: removed lots of old lines
by a couple of calls to dh_quilt_* helpers.
* debian/patches:
- Refreshed everything to get rid of errors and removed additional
options like -p0 (closes: #485187).
- 04_tarball_permission_fix: Added to series, closes: #482323.
* debian/viewvc.config: Removed prepended path to debconf-show.
* debian/compat: Upgraded to v6.
* debian/viewvc.postinst: Added set -e to catch up errors.
--- End Message ---
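The two upstream fixes named in Steffen's report and in the 1.0.9-1 changelog (validate the 'view' parameter, and refuse to print illegal parameter names and values) are the input-handling pattern shown in this added example. It is not viewvc's code: the view-name allowlist, the name/value character rules and the hidden-field renderer are assumptions written for illustration, in Python 3.

```python
import re
from html import escape

# Constructed allowlist of view names (assumption, not viewvc's actual table).
# The 'view' parameter selects a code path, so it is matched exactly rather
# than echoed; an unknown value is rejected instead of being rendered.
VALID_VIEWS = frozenset({"roots", "directory", "log", "markup", "annotate", "diff"})

# Parameter names must be short identifiers; anything else is dropped so it
# never reaches the page.  Values may not contain control characters (they
# could otherwise end up in headers or markup when echoed).
_PARAM_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}")
_PARAM_VALUE_RE = re.compile(r"[^\x00-\x1f\x7f]{0,1024}")


def validate_view(view):
    """True only if 'view' is one of the known view names."""
    return view in VALID_VIEWS


def sanitize_params(params):
    """Drop name-value pairs that fail validation; HTML-escape the survivors.

    fullmatch() is used on purpose: match() with '$' would accept a value
    that ends in a trailing newline.
    """
    clean = {}
    for name, value in params.items():
        if not _PARAM_NAME_RE.fullmatch(name):
            continue
        if not _PARAM_VALUE_RE.fullmatch(value):
            continue
        clean[escape(name, quote=True)] = escape(value, quote=True)
    return clean


def render_hidden_fields(params):
    """Render the sanitized pairs as hidden form fields, sorted by name."""
    lines = []
    for name, value in sorted(sanitize_params(params).items()):
        lines.append('<input type="hidden" name="%s" value="%s" />' % (name, value))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed request parameters: one legal pair, one bad name, one bad value.
    sample = {"view": "log", "r1": "1<2", "bad name": "x", "r2": "a\nb"}
    if validate_view(sample["view"]):
        print(render_hidden_fields(sample))
```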