Debian: DSA-2563-1 Critical: ViewVC Remote Attack Mitigations
debian
October 23, 2012
Several vulnerabilities were found in ViewVC, a web interface for CVS and Subversion repositories
Topics Covered
Summary
CVE-2009-5024: remote attackers can bypass the cvsdb row_limit
configuration setting, and consequently conduct resource-consumption
attacks via the limit parameter.
CVE-2012-3356: the remote SVN views functionality does not properly
perform authorization, which allows remote attackers to bypass intended
access restrictions.
CVE-2012-3357: the SVN revision view does not properly handle log
messages when a readable path is copied from an unreadable path, which
allows remote attackers to obtain sensitive information.
CVE-2012-4533: "function name" lines returned by diff are not properly
escaped, allowing attackers with commit access to perform cross site
scripting.
For the stable distribution (squeeze), these problems have been fixed in
version 1.1.5-1.1+squeeze2.
For the testing distribution (wheezy), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in
version 1.1.5-1.4.
We recommend that you upgrade your viewvc packages.
Further information about D...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: viewvc
CVE ID: CVE-2009-5024 CVE-2012-3356 CVE-2012-3357 CVE-2012-4533
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!