Bug 20262

Summary: viewvc security vulnerability CVE-2017-5938
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lists.jjorge, marja11, sysadmin-bugs
Version: 5 Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/714124/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: viewvc CVE:
Status comment:

Description Zombie Ryushu 2017-02-11 06:49:24 CET
Thomas Gerbet discovered that viewvc, a web interface for CVS and
Subversion repositories, did not properly sanitize user input. This
problem resulted in a potential Cross-Site Scripting vulnerability.

This problem has been fixed in version 1.1.26.
Comment 1 Marja Van Waes 2017-02-11 13:48:49 CET
Thanks, Zombie

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Btw, I don't see a freeze push request for 1.1.26, so setting version to Cauldron and "MGA5TOO"

CC: (none) => marja11
Version: 5 => Cauldron
Assignee: bugsquad => pkg-bugs
Source RPM: http://www.linuxsecurity.com/content/view/170725/170/ => viewvc
Whiteboard: (none) => MGA5TOO

Comment 2 José Jorge 2017-02-11 22:12:44 CET
Done for Cauldron, and for MGA5.

Suggested advisory:
========================

Thomas Gerbet discovered that viewvc, a web interface for CVS and
Subversion repositories, did not properly sanitize user input. This
problem resulted in a potential Cross-Site Scripting vulnerability.

This problem has been fixed in version 1.1.26.

========================

Updated packages in core/updates_testing:
viewvc-1.1.26-1.mga5.srpm

viewvc-1.1.26-1.mga5.noarch.rpm

Status: NEW => ASSIGNED
CC: (none) => lists.jjorge

José Jorge 2017-02-11 22:13:09 CET

Assignee: pkg-bugs => qa-bugs

Dave Hodgins 2017-02-11 23:04:22 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5TOO => MGA5TOO advisory

David Walser 2017-02-12 14:58:38 CET

Version: Cauldron => 5
Whiteboard: MGA5TOO advisory => advisory

David Walser 2017-02-12 15:46:00 CET

URL: http://www.linuxsecurity.com/content/view/170725/170/ => https://lwn.net/Vulnerabilities/714124/

Comment 3 Dave Hodgins 2017-02-13 23:27:20 CET
Just testing by running /usr/share/viewvc/bin/standalone.py and then using a
browser to connect to http://localhost/viewvc/

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-02-18 17:29:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0048.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED