Package: viewvc
Version: 1.0.5-0.2
Severity: normal
Tags: patch

Dear David et al.,

Thank you for packaging ViewVC!  Could you possibly update this
package to the latest released version, 1.0.7?  This version fixes
CVE-2008-4325, as mentioned in this bug report.

I have already created a Debian patch that will do this for you, and
am successfully using it on my machine at www.zap.org.au.  The patch
also incorporates the two NMUs since the last "official" release:
1.0.5-0.1 and 1.0.5-0.2.

Please apply this patch (or your own variant); alternatively, could
someone with Debian developer privileges do an appropriate NMU?

Actually, all that really needs to be done for this version is:

* Unpack the original sources for viewvc 1.0.7
* Apply the NMU patch for 1.0.5-0.2 using patch as appropriate
* Add an entry to debian/changelog to indicate the new version

Yours truly,

John Zaitseff

-- 
John Zaitseff                    ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737         /      \   Sydney, Australia
E-mail: [EMAIL PROTECTED]   \_,--._*   http://www.zap.org.au/
                                      v
diff -ruNa viewvc-1.0.5/debian/changelog viewvc-1.0.7-0.1zg1/debian/changelog
--- viewvc-1.0.5/debian/changelog	2008-10-15 12:04:57.000000000 +1100
+++ viewvc-1.0.7-0.1zg1/debian/changelog	2008-10-15 12:05:14.000000000 +1100
@@ -1,24 +1,17 @@
-viewvc (1.0.5-0.2) unstable; urgency=low
+viewvc (1.0.7-0.1zg1) unstable; urgency=low
 
-  * Non-maintainer upload.
-  * Fix pending l10n bugs. Debconf translations:
-    - Portuguese. Closes: #489388
-
- -- Christian Perrier <[EMAIL PROTECTED]>  Thu, 25 Sep 2008 07:03:03 +0200
+  * New upstream release, packaged for the ZAP Group package repository
+    (Closes: #500779).  This solves CVE-2008-4325.
+  * Incorporated the non-maintainer upload (NMU) 1.0.5-0.2: mainly debconf
+    translations.
 
-viewvc (1.0.5-0.1) unstable; urgency=medium
+ -- John Zaitseff <[EMAIL PROTECTED]>  Wed, 15 Oct 2008 10:52:11 +1100
 
-  * Non-maintainer upload to fix security, and pending l10n, issues
+viewvc (1.0.5-0.1zg1) unstable; urgency=medium
 
-  [ John Zaitseff ]
-  * New upstream release, originally packaged by the ZAP Group
-    (Closes: #471380, #463195).  Thanks to John Zaitseff for the patch
-    Fixed:
-    - CVE-2008-1290 - list CVS or SVN commits on "all-forbidden"
-      files
-    - CVE-2008-1291 - directly access hidden CVSROOT folders
-    - CVE-2008-1292 - expose restricted content via the revision
-      view, the log history, or the diff view
+  * New upstream release, packaged for the ZAP Group package repository
+    (Closes: #471380).  This solves CVE-2008-1290, CVE-2008-1291 and
+    CVE-2008-1292.
   * Updated the following files in the debian/patches subdirectory:
       series
       02_py2html_activation
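Review bot: The top of debian/changelog should keep the existing 1.0.5-0.2 and 1.0.5-0.1 entries rather than replace them with entries for the local versions 1.0.7-0.1zg1 and 1.0.5-0.1zg1. As written, the change drops "Closes: #489388" and "Closes: #463195" along with the per-CVE descriptions for CVE-2008-1290, CVE-2008-1291 and CVE-2008-1292, so the changelog no longer says which issue each CVE covered. Suggest leaving the old entries untouched and adding one new entry above them for 1.0.7 that names CVE-2008-4325 and closes #500779, with a version that does not carry the zg1 suffix. The new entry is also marked urgency=low although it fixes a CVE, while the removed security entry for 1.0.5-0.1 used urgency=medium; consider matching that.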
@@ -27,16 +20,20 @@
   * Updated debian/rules to install documentation in the docs directory
     and example templates in templates-contrib.
 
-  [ Christian Perrier ]
-  * Debconf translations:
-    - Vietnamese. Closes: #426876
-  * [Lintian] Fix syntax in NEWS.Debian
-  * [Lintian] Replace obsolete ${Source-Version} variable by
-    ${source:Version}
-  * Finnish. Closes: #473466
-  * Basque. Closes: #476172
+ -- John Zaitseff <[EMAIL PROTECTED]>  Wed, 26 Mar 2008 15:10:10 +1100
+
+viewvc (1.0.4-0.1zg1) unstable; urgency=low
+
+  * New upstream release, packaged for the ZAP Group package repository.
+  * Updated patches/101_viewvc-install_Debian_paths for this release.
+
+ -- John Zaitseff <[EMAIL PROTECTED]>  Wed, 30 Jan 2008 09:23:10 +1100
+
+viewvc (1.0.3-2.1zg1) unstable; urgency=low
+
+  * Imported the upstream package into the ZAP Group package repository.
 
- -- Christian Perrier <[EMAIL PROTECTED]>  Mon, 31 Mar 2008 08:42:29 +0200
+ -- John Zaitseff <[EMAIL PROTECTED]>  Thu, 24 Jan 2008 14:39:57 +1100
 
 viewvc (1.0.3-2.1) unstable; urgency=medium
 
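Review bot: The "[ Christian Perrier ]" block and its trailer line should stay in the 1.0.5-0.1 entry. Removing them loses the record of the Vietnamese (#426876), Finnish (#473466) and Basque (#476172) debconf translations and the two Lintian fixes, even though the new top entry says the NMU work is incorporated. The added 1.0.4-0.1zg1 and 1.0.3-2.1zg1 entries record a private repository's history and are placed above 1.0.3-2.1 as if they had been part of the package; suggest leaving them out of a patch intended for the Debian package.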
@@ -63,7 +60,7 @@
     - Added Russian (closes: #409958).  Thanks, Yuri Kozlov.
     - Added German (closes: #409979).  Thanks, Henrik Kröger.
     - Updated Dutch (closes: #410034).  Thanks, Thijs Kinkhorst.
-    - Added Romanian (closes: #410136).  Thanks, Eddy Petri?or.
+    - Added Romanian (closes: #410136).  Thanks, Eddy Petrișor.
   * debian/viewvc-config: Added -c/--config in order to have the possibility
     to query a different config file.
   * debian/viewvc.config, debian/viewvc.postinst: Rewrote the migration code
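Review bot: The correction of "Eddy Petri?or" to "Eddy Petrișor" edits a historical changelog entry and is not mentioned in the new top entry, so it is easy to miss in review. Suggest noting it in the new entry or sending it as a separate change, and confirming the whole file is saved as UTF-8 (the neighbouring "Henrik Kröger" line depends on it too), since Debian changelogs are required to be UTF-8.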
