Bug 706274 (CVE-2009-5024)

Summary: CVE-2009-5024 viewvc: remote user can cause excessive CPU usage and memory consumption
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: bjohnson, bojan
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: viewvc 1.1.11
Doc Type: Bug Fix
Last Closed: 2012-08-10 18:06:42 UTC
Bug Depends On: 706275, 706276

Description Vincent Danen 2011-05-19 22:07:32 UTC
A bug in viewvc could allow remote users to obtain a really large request that could cause the server to use up excessive amounts of CPU and memory while processing the request [1].  This has been corrected upstream [2] in v1.1.11 [3].

This affects current versions of viewvc as provided by Fedora and EPEL.

[1] http://viewvc.tigris.org/issues/show_bug.cgi?id=433
[2] http://viewvc.tigris.org/source/browse/viewvc?diff_format=u&view=rev&revision=2551
[3] http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.11/CHANGES

Comment 1 Vincent Danen 2011-05-19 22:09:24 UTC
Created viewvc tracking bugs for this issue

Affects: fedora-all [bug 706275]
Affects: epel-all [bug 706276]

Comment 2 Vincent Danen 2012-08-10 18:06:42 UTC
All supported versions of Fedora and EPEL currently provide viewvc 1.1.15, so this flaw has been resolved.