Steffen Joeris
2009-Sep-09 06:14 UTC
[Secure-testing-team] Bug#545779: XSS and illegal characters while printing name-value pairs
Package: viewvc
Severity: grave
Tags: security patch

Hi

According to upstream:

Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values

http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES

The two upstream patches appear to be:
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2214&r2=2213&pathrev=2214
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2219&r2=2218&pathrev=2219

Could you test the patches and prepare updated packages for unstable/stable? A CVE id has been requested and we'll forward it to this bug report once it's allocated.

Cheers
Steffen
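As an added illustration of the two fixes the changelog names, the snippet below shows the defensive pattern in Python: an allowlist check on the `view` parameter, and a filter that drops parameter names and values containing characters outside a safe set before anything is echoed into HTML. This is example code written for this page, not ViewVC's own implementation; the set of view names, the character patterns and the sample request parameters are constructed for the example.

```python
import html
import re

# Constructed allowlist of view names for this example. It stands in for
# whatever set of views the real application supports and is not ViewVC's list.
ALLOWED_VIEWS = frozenset({"log", "markup", "annotate", "diff", "dir"})

# Characters a parameter name or value may contain before it is echoed into
# HTML. Anything else is treated as illegal and is dropped, not printed.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_VALUE_RE = re.compile(r"^[A-Za-z0-9._/:@+ ,-]*$")


class BadParameter(ValueError):
    """Raised when the 'view' parameter is not one of the known views."""


def known_view(view):
    """True when `view` names one of the allowlisted views."""
    return view in ALLOWED_VIEWS


def validate_view(view):
    """Accept the 'view' query parameter only if it names a known view.

    A value that is not on the allowlist is rejected before it can reach
    any template, so it is never reflected back into a page.
    """
    if view is None:
        return None
    if not known_view(view):
        raise BadParameter("unknown view: %r" % (view,))
    return view


def is_legal_param(name, value):
    """True when both name and value consist only of allowed characters."""
    return bool(_NAME_RE.match(name)) and bool(_VALUE_RE.match(value))


def filter_params(params):
    """Keep only the (name, value) pairs that are legal to print.

    `params` is a list of (name, value) tuples as parsed from a query string.
    Pairs with an illegal name or value are dropped so the rendering code
    below never sees them.
    """
    return [(n, v) for n, v in params if is_legal_param(n, v)]


def render_hidden_inputs(params):
    """Render the surviving pairs as hidden form fields, HTML-escaping each.

    Escaping is kept even after filtering: the allowlist decides what gets
    printed at all, escaping makes sure what is printed cannot break out of
    the attribute context.
    """
    lines = []
    for name, value in filter_params(params):
        lines.append('<input type="hidden" name="%s" value="%s" />'
                     % (html.escape(name, quote=True),
                        html.escape(value, quote=True)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed request parameters: one legitimate pair and one whose
    # name carries markup.
    sample = [("revision", "1.2"), ("<script>alert(1)</script>", "x")]
    print(validate_view("log"))
    print(render_hidden_inputs(sample))
    try:
        validate_view("<script>")
    except BadParameter as exc:
        print("rejected:", exc)
```

The two checks are independent on purpose: `validate_view` fails closed on anything not explicitly known, while `filter_params` lets ordinary names and values through and only removes the pairs that could not be printed safely.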