Mageia: 2020-0221 Moderate: Fix for ViewVC Cross-Site Scripting Issue
mageia
May 24, 2020
Updated viewvc package fixes security vulnerability: ViewVC before versions 1.1.28 has an XSS vulnerability in CVS show_subdir_lastmod support
Summary
Updated viewvc package fixes security vulnerability:
ViewVC before versions 1.1.28 has an XSS vulnerability in CVS
show_subdir_lastmod support. The impact of this vulnerability is mitigated
by the need for an attacker to have commit privileges to a CVS repository
exposed by an otherwise trusted ViewVC instance that also has the
`show_subdir_lastmod` feature enabled. The attack vector involves files
with unsafe names (names that, when embedded into an HTML stream, would
cause the browser to run unwanted code), which themselves can be
challenging to create (CVE-2020-5283).
The viewvc package has been updated to version 1.1.28, fixing this issue
and other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=26628
- https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg
- https://github.com/viewvc/viewvc/releases/tag/1.1.27
- https://github.com/viewvc/viewvc/releases/tag/1.1.28
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/
- https://www.cve.org/CVERecord?id=CVE-2020-5283
Topics Covered
Resolution
SRPMS
- 7/core/viewvc-1.1.28-1.mga7
PREVIOUS
NEXT
Publication date: 24 May 2020
URL: https://advisories.mageia.org/MGASA-2020-0221.html
Type: security
CVE: CVE-2020-5283
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!