Red Hat Bugzilla – Bug 435349
viewvc: multiple security fixes in upstream version 1.0.5 (CVE-2008-1290, CVE-2008-1291, CVE-2008-1292)
Last modified: 2008-03-31 03:00:14 EDT
ViewVC has released a new version, 1.0.5, which has several security fixes in it.
Read the full announcement here:
Changelog is here:
Security fixes noted in 1.0.5 changelog:
* security fix: omit commits of all-forbidden files from query results
* security fix: disallow direct URL navigation to hidden CVSROOT folder
* security fix: strip forbidden paths from revision view
* security fix: don't traverse log history thru forbidden locations
* security fix: honor forbiddenness via diff view path parameters
Yep, got the announcement from Tigris folks.
viewvc-1.0.5-1.fc8 has been submitted as an update for Fedora 8
CVE name has been requested.
viewvc-1.0.5-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
viewvc-1.0.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 438854 has been marked as a duplicate of this bug. ***
*** Bug 438855 has been marked as a duplicate of this bug. ***
*** Bug 438856 has been marked as a duplicate of this bug. ***