pkgsrc-Bugs archive


pkg/44263: ViewVC 1.0.10 has a cross-site-scripting vulnerability



>Number:         44263
>Category:       pkg
>Synopsis:       ViewVC 1.0.10 has a cross-site-scripting vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 22 17:55:00 +0000 2010
>Originator:     Christopher M. Fuhrman
>Release:        5.0.2
>Organization:
>Environment:
NetBSD scuzzbuilder 5.0.2 NetBSD 5.0.2 (GENERIC) #0: Sat Feb  6 13:44:19 UTC 2010  builds%b8.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-2-RELEASE/amd64/201002061851Z-obj/home/builds/ab/netbsd-5-0-2-RELEASE/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
ViewVC 1.0.10, as provided by pkgsrc, contains a cross-site-scripting 
vulnerability (see http://secunia.com/secunia_research/2010-26/).  Upgrade 
pkgsrc ViewVC version to at least 1.0.11. 

This problem impacts pkgsrc-current and pkgsrc-2010Q3.

>How-To-Repeat:
Install viewvc from pkgsrc
>Fix:
Apply the following patch to update to viewvc-1.0.12.  Tarball located at 
http://viewvc.tigris.org/files/documents/3330/47621/viewvc-1.0.12.tar.gz

Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/www/viewvc/distinfo,v
retrieving revision 1.8
diff -u -r1.8 distinfo
--- distinfo    22 Mar 2010 06:55:20 -0000      1.8
+++ distinfo    22 Dec 2010 17:43:49 -0000
@@ -1,7 +1,7 @@
 $NetBSD: distinfo,v 1.8 2010/03/22 06:55:20 obache Exp $
 
-SHA1 (viewvc-1.0.10.tar.gz) = a07103549239f5e4d98ca097c47d186e164ea70f
-RMD160 (viewvc-1.0.10.tar.gz) = 08447309fdecd750200df26170a8a3815b5ba98b
-Size (viewvc-1.0.10.tar.gz) = 523078 bytes
+SHA1 (viewvc-1.0.12.tar.gz) = 069ae5239b3085136082fcd88bde57d9c6b784ac
+RMD160 (viewvc-1.0.12.tar.gz) = 787de2b623b0035de277af3de4eac5d383be4044
+Size (viewvc-1.0.12.tar.gz) = 523289 bytes
 SHA1 (patch-aa) = b4f5e36e5d744249aec8128d6ccaa670398afafe
 SHA1 (patch-ab) = cf4c56e5b4254d0deb1a7b51121b6b1d2113fd3e
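
Review bot: The new SHA1, RMD160 and Size values for viewvc-1.0.12.tar.gz should not be committed as pasted from this report. The distfile is fetched over plain HTTP, so these digests are the only integrity check on it: the committer should fetch the tarball independently, regenerate the entries with "make makesum", and confirm the result matches the three added lines. The "SHA1 (patch-aa)" and "SHA1 (patch-ab)" context lines are unchanged, so also confirm that both local patches still apply cleanly to the 1.0.12 sources.
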
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/www/viewvc/Makefile,v
retrieving revision 1.13
diff -u -r1.13 Makefile
--- Makefile    22 Mar 2010 06:55:20 -0000      1.13
+++ Makefile    22 Dec 2010 17:43:49 -0000
@@ -1,9 +1,9 @@
 # $NetBSD: Makefile,v 1.13 2010/03/22 06:55:20 obache Exp $
 #
 
-DISTNAME=      viewvc-1.0.10
+DISTNAME=      viewvc-1.0.12
 CATEGORIES=    devel www
-MASTER_SITES=  http://viewvc.tigris.org/files/documents/3330/47428/
+MASTER_SITES=  http://viewvc.tigris.org/files/documents/3330/47621/
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=      http://www.viewvc.org/
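
Review bot: MASTER_SITES still points at a plain "http://" URL under a numbered directory ("47428" becomes "47621"), so nothing in this hunk authenticates the download and the distinfo digests carry all of the trust; check them against a separately obtained copy of the tarball before committing. The diff is taken against revision 1.13 only, while the report states that pkgsrc-2010Q3 is affected as well, so the same DISTNAME and MASTER_SITES change needs to be requested for that branch, and the commit message should say that the update fixes the cross-site-scripting issue referenced in the description.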


