Package: viewvc
Version: 1.0.5-0.2
Severity: normal
Tags: patch

Dear David et al.,

Thank you for packaging ViewVC!  Could you possibly update this package to the latest released version, 1.0.7?  This version fixes CVE-2008-4325, as mentioned in this bug report.

I have already created a Debian patch that will do this for you, and am successfully using it on my machine at www.zap.org.au.  The patch also incorporates the two NMUs since the last "official" release: 1.0.5-0.1 and 1.0.5-0.2.

Please apply this patch (or your own variant); alternatively, could someone with Debian developer privileges do an appropriate NMU?  Actually, all that really needs to be done for this version is:

  * Unpack the original sources for viewvc 1.0.7
  * Apply the NMU patch for 1.0.5-0.2 using patch as appropriate
  * Add an entry to debian/changelog to indicate the new version

Yours truly,

John Zaitseff

-- 
John Zaitseff
The ZAP Group
Sydney, Australia
Phone: +61 2 9643 7737
E-mail: [EMAIL PROTECTED]
http://www.zap.org.au/

diff -ruNa viewvc-1.0.5/debian/changelog viewvc-1.0.7-0.1zg1/debian/changelog --- viewvc-1.0.5/debian/changelog 2008-10-15 12:04:57.000000000 +1100 +++ viewvc-1.0.7-0.1zg1/debian/changelog 2008-10-15 12:05:14.000000000 +1100 @@ -1,24 +1,17 @@ -viewvc (1.0.5-0.2) unstable; urgency=low +viewvc (1.0.7-0.1zg1) unstable; urgency=low - * Non-maintainer upload. - * Fix pending l10n bugs. Debconf translations: - - Portuguese. Closes: #489388 - - -- Christian Perrier <[EMAIL PROTECTED]> Thu, 25 Sep 2008 07:03:03 +0200 + * New upstream release, packaged for the ZAP Group package repository + (Closes: #500779). This solves CVE-2008-4325. + * Incorporated the non-maintainer upload (NMU) 1.0.5-0.2: mainly debconf + translations. -viewvc (1.0.5-0.1) unstable; urgency=medium + -- John Zaitseff <[EMAIL PROTECTED]> Wed, 15 Oct 2008 10:52:11 +1100 - * Non-maintainer upload to fix security, and pending l10n, issues +viewvc (1.0.5-0.1zg1) unstable; urgency=medium - [ John Zaitseff ] - * New upstream release, originally packaged by the ZAP Group - (Closes: #471380, #463195). Thanks to John Zaitseff for the patch - Fixed: - - CVE-2008-1290 - list CVS or SVN commits on "all-forbidden" - files - - CVE-2008-1291 - directly access hidden CVSROOT folders - - CVE-2008-1292 - expose restricted content via the revision - view, the log history, or the diff view + * New upstream release, packaged for the ZAP Group package repository + (Closes: #471380). This solves CVE-2008-1290, CVE-2008-1291 and + CVE-2008-1292. * Updated the following files in the debian/patches subdirectory: series 02_py2html_activation 
@@ -27,16 +20,20 @@ * Updated debian/rules to install documentation in the docs directory and example templates in templates-contrib. - [ Christian Perrier ] - * Debconf translations: - - Vietnamese. Closes: #426876 - * [Lintian] Fix syntax in NEWS.Debian - * [Lintian] Replace obsolete ${Source-Version} variable by - ${source:Version} - * Finnish. Closes: #473466 - * Basque. Closes: #476172 + -- John Zaitseff <[EMAIL PROTECTED]> Wed, 26 Mar 2008 15:10:10 +1100 + +viewvc (1.0.4-0.1zg1) unstable; urgency=low + + * New upstream release, packaged for the ZAP Group package repository. + * Updated patches/101_viewvc-install_Debian_paths for this release. + + -- John Zaitseff <[EMAIL PROTECTED]> Wed, 30 Jan 2008 09:23:10 +1100 + +viewvc (1.0.3-2.1zg1) unstable; urgency=low + + * Imported the upstream package into the ZAP Group package repository. - -- Christian Perrier <[EMAIL PROTECTED]> Mon, 31 Mar 2008 08:42:29 +0200 + -- John Zaitseff <[EMAIL PROTECTED]> Thu, 24 Jan 2008 14:39:57 +1100 viewvc (1.0.3-2.1) unstable; urgency=medium @@ -63,7 +60,7 @@ - Added Russian (closes: #409958). Thanks, Yuri Kozlov. - Added German (closes: #409979). Thanks, Henrik Kröger. - Updated Dutch (closes: #410034). Thanks, Thijs Kinkhorst. - - Added Romanian (closes: #410136). Thanks, Eddy Petri?or. + - Added Romanian (closes: #410136). Thanks, Eddy Petrișor. * debian/viewvc-config: Added -c/--config in order to have the possibility to query a different config file. * debian/viewvc.config, debian/viewvc.postinst: Rewrote the migration code
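
Review bot: In the first debian/changelog hunk (@@ -1,24 +1,17 @@), the entries for 1.0.5-0.2 and 1.0.5-0.1 are deleted and replaced by 1.0.7-0.1zg1 and 1.0.5-0.1zg1, so the changelog loses the record of both NMUs, the closures #489388 and #463195, and the per-CVE descriptions for CVE-2008-1290, CVE-2008-1291 and CVE-2008-1292. For the package in the archive, leave those entries untouched and add one new entry on top for 1.0.7, without the local "zg1" suffix. The new entry is also "urgency=low" although it says it solves CVE-2008-4325, while the earlier security entry used "urgency=medium"; consider raising it, and add one line saying what CVE-2008-4325 is, as the removed entry did for the earlier CVEs.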
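
Review bot: In the @@ -27,16 +20,20 @@ hunk, removing the "[ Christian Perrier ]" block drops the record of the two Lintian fixes (NEWS.Debian syntax, ${Source-Version} replaced by ${source:Version}) and of the translation closures #426876, #473466 and #476172. The cover message says the patch incorporates both NMUs, so these lines should stay; otherwise those changes are left undocumented. The added 1.0.4-0.1zg1 and 1.0.3-2.1zg1 entries describe the ZAP Group package repository and are better left out of the version submitted here.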
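
Review bot: In the @@ -63,7 +60,7 @@ hunk, the correction of "Petri?or" to "Petrișor" edits an old entry and is not mentioned in the new 1.0.7-0.1zg1 entry. The fix itself is fine, but note it in the new entry or send it as a separate change, and check that debian/changelog is saved as UTF-8 so the name does not turn back into "?".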