ViewVC has released a new version, 1.0.5 which has several security fixes in it.

Read the full announcement here:
http://viewvc.tigris.org/servlets/ReadMsg?list=announce&msgNo=7

Changelog is here:
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD

Security fixes noted in 1.0.5 changelog:

* security fix: omit commits of all-forbidden files from query results
* security fix: disallow direct URL navigation to hidden CVSROOT folder
* security fix: strip forbidden paths from revision view
* security fix: don't traverse log history thru forbidden locations
* security fix: honor forbiddenness via diff view path parameters
Yep, got the announcement from Tigris folks.
viewvc-1.0.5-1.fc8 has been submitted as an update for Fedora 8
CVE name has been requested.
viewvc-1.0.5-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
viewvc-1.0.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 438854 has been marked as a duplicate of this bug. ***
*** Bug 438855 has been marked as a duplicate of this bug. ***
*** Bug 438856 has been marked as a duplicate of this bug. ***