Package: viewvc
Severity: grave
Tags: security patch

Hi

According to upstream:

Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values

http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES

The two upstream patches appear to be:
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2214&r2=2213&pathrev=2214
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2219&r2=2218&pathrev=2219

Could you test the patches and prepare updated packages for unstable/stable?

A CVE id has been requested and we'll forward it to this bugreport once it's allocated.

Cheers
Steffen