On Fri, Mar 22, 2019 at 01:41:27AM +0100, Ingo Schwarze wrote:
> I committed the patches from both of you to
>
> http://mandoc.bsd.lv/cgi-bin/cvsweb/?cvsroot=cvsweb
> http://mandoc.bsd.lv/cvsweb/
Thanks! I hadn't actually realized there was an upstream past the
OpenBSD ports tree. Good to
Hi,
Peter J. Philipp wrote on Sat, Mar 16, 2019 at 07:52:23AM +0100:
> On Fri, Mar 15, 2019 at 05:22:47PM -0700, Andrew Hewus Fresh wrote:
>> I looked this over and updated the patch to be against the port. It
>> seems to be good and I only found a couple other places that needed to
>> be
On Fri, Mar 15, 2019 at 05:22:47PM -0700, Andrew Hewus Fresh wrote:
> > I have produced the patch with 'diff -u cvsweb.orig cvsweb' directly in the
> > /var/www/cgi-bin directory. Credit goes to Ezio Paglia for finding this XSS
> > vuln. Also the cvsweb at openbsd.org is affected and can be
On Fri, Mar 15, 2019 at 02:25:35PM +0100, Peter J. Philipp wrote:
> I have created a patch for cvsweb port that needs review and help in
> getting it into the port itself. I'd like to apologize to Marc Espie for
> contacting him regarding this port based on his last check-in on this port,
On 2019/03/15 16:28, Peter J. Philipp wrote:
> would this help any?
>
> https://people.freebsd.org/~scop/cvsweb/
>
> There are subsequent versions.
Those are the 13 year old ones that Ingo mentioned.
> Regards,
>
> -peter
>
> On 3/15/19 4:05 PM, Ingo Schwarze wrote:
> > Hi,
> >
> > the
would this help any?
https://people.freebsd.org/~scop/cvsweb/
There are subsequent versions.
Regards,
-peter
On 3/15/19 4:05 PM, Ingo Schwarze wrote:
Hi,
the trouble with cvsweb is that it is important OpenBSD project
infrastructure (consider cvsweb.openbsd.org) that has been abandoned
On 2019/03/15 16:05, Ingo Schwarze wrote:
> Hi,
>
> the trouble with cvsweb is that it is important OpenBSD project
> infrastructure (consider cvsweb.openbsd.org) that has been abandoned
> upstream 13 years ago, our version is 16 years old, and the port
> has no maintainer. Does anybody consider
Hi,
the trouble with cvsweb is that it is important OpenBSD project
infrastructure (consider cvsweb.openbsd.org) that has been abandoned
upstream 13 years ago, our version is 16 years old, and the port
has no maintainer. Does anybody consider it funny to run a software
in production that is
:
-peter
- Forwarded message from Stuart Henderson -
Date: Fri, 15 Mar 2019 12:16:06 - (UTC)
From: Stuart Henderson
To: m...@openbsd.org
Subject: Re: XSS vuln in cvsweb
User-Agent: slrn/1.0.2 (OpenBSD)
On 2019-03-15, Peter J. Philipp wrote:
> Hi all,
>
> I have been