pkgsrc-WIP-discuss archive


Re: ViewCVS vulnerability



At Wed, 03 Aug 2005 09:30:22 +0100,
Adrian Portelli <adrianp%stindustries.net@localhost> wrote:
> I dropped a digit off the end of that URL which is probably why you're
> getting sendmail instead of ViewCVS :).  I've updated the TODO with the
> correct URLs now.  Some of these may be duplicates but these are the
> issues I have so far that would need to be looked into before we can
> import it:
> 
> http://xforce.iss.net/xforce/xfdb/18369
> http://xforce.iss.net/xforce/xfdb/18718
> http://archives.neohapsis.com/archives/bugtraq/2002-05/0161.html

Thanks for the clarification. According to the CHANGES file, ViewCVS 0.9.3
has three security fixes. Does this solve any of the TODO entries?


Version 0.9.3 (released 17-May-2005)

  * security fix: disallow bad "content-type" input [CAN-2004-1062]
  * security fix: disallow bad "sortby" and "cvsroot" input [CAN-2002-0771]
  * security fix: omit forbidden/hidden modules from tarballs [CAN-2002-0771]

-- 
// HIRAMATSU Yoshifumi
// hiramatu%boreas.dti.ne.jp@localhost




