| Summary: | viewvc new security issues CVE-2023-22456 and CVE-2023-22464 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | viewvc-1.3.0-0.dev20200516.1.mga8.src.rpm | CVE: | CVE-2023-22456, CVE-2023-22464 |
| Status comment: | |||
|
Description

David Walser 2023-01-17 18:59:39 CET

Whiteboard: (none) => MGA8TOO

David Walser 2023-01-17 18:59:51 CET

No choice but to assign this one globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated package fixes security vulnerabilities:

ViewVC is vulnerable to cross-site scripting. The impact of these vulnerabilities is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. (CVE-2023-22456, CVE-2023-22464)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22464
https://www.debian.org/lts/security/2023/dla-3266
========================

Updated package in core/updates_testing:
========================
viewvc-1.3.0-0.dev20200516.1.1.mga8

from SRPM:
viewvc-1.3.0-0.dev20200516.1.1.mga8.src.rpm

Source RPM: viewvc-1.3.0-0.dev20200516.1.mga9.src.rpm => viewvc-1.3.0-0.dev20200516.1.mga8.src.rpm

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Found simple test in bug 20262 Comment 3, so

$ /usr/share/viewvc/bin/standalone.py
server ready at http://localhost:49152/viewvc

and then pointed browser at http://localhost:49152/viewvc. That doesn't show much, but at least there is an installed help link, and using that and a few steps further gave me feedback on the CLI:

```
127.0.0.1 - - [19/Jan/2023 11:50:48] "GET /viewvc HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:48] ViewVC exited ok
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 60226)
ValueError: I/O operation on closed file.
----------------------------------------
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/styles.css HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/scripts.js HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] code 404, message Not Found
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [19/Jan/2023 11:51:04] "GET /viewvc HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:51:04] ViewVC exited ok
```

Interpretation ?????
Setting up a real subversion server is beyond me. But the link Thomas provided in bug 26628 Comment 11 displays nicely and allows navigation, so as on this bug, I OK this update.

CC: (none) => herman.viaene

Validating. Advisory in comment 2.

Keywords: (none) => validated_update

Dave Hodgins 2023-01-24 02:10:24 CET

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0019.html

Resolution: (none) => FIXED
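As an added example (not ViewVC's or Mageia's code) illustrating the advisory above: the escaping a repository viewer must apply to path names before they enter the HTML stream, beside a defense-in-depth check that a Subversion pre-commit hook could run over `svnlook changed` output so that names carrying HTML metacharacters never reach an exposed viewer. The four-column `svnlook` status prefix, the `check_names.py` wrapper and the sample transaction are assumptions.

```python
import html
import re
import sys
from urllib.parse import quote

# Characters that change meaning once a name is dropped raw into HTML.
HTML_META = re.compile(r'[<>"\'&]')


def render_listing(names):
    """Render repository entries as an HTML list, escaping every name:
    html.escape() for the text node, percent-encoding for the href."""
    items = []
    for name in names:
        text = html.escape(name, quote=True)      # & < > " ' -> entities
        link = quote(name, safe="")               # no raw metacharacters in the URL
        items.append(f'<li><a href="?p={link}">{text}</a></li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def unsafe_paths(svnlook_changed):
    """Return paths from `svnlook changed` output whose names contain HTML
    metacharacters. Assumes svnlook's four-column status prefix ("A   ",
    "U   ", "_U  ") before each path (an assumption of this example, not
    verified against every svnlook version)."""
    flagged = []
    for line in svnlook_changed.splitlines():
        path = line[4:]
        if path and HTML_META.search(path):
            flagged.append(path)
    return flagged


# Constructed sample of `svnlook changed -t TXN REPOS` output.
SAMPLE_CHANGED = (
    "A   trunk/src/main.c\n"
    "U   trunk/README\n"
    "A   trunk/docs/notes<b>.txt\n"
)

if __name__ == "__main__":
    # Pre-commit hook use (hypothetical wrapper):
    #   svnlook changed -t "$TXN" "$REPOS" | python3 check_names.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CHANGED
    bad = unsafe_paths(data)
    for path in bad:
        sys.stderr.write(f"rejected: HTML metacharacters in path name: {path}\n")
    sys.exit(1 if bad else 0)
```

A non-zero exit from the hook makes Subversion refuse the transaction, so the name is rejected at commit time rather than relying only on the viewer's escaping.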