Bug 33187

Summary: ViewVC Security issue CVE-2023-22464
Product: Mageia
Reporter: Stig-Ørjan Smelror <smelror>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED DUPLICATE
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: lewyssmith, nicolas.salguero
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://github.com/viewvc/viewvc/releases
Whiteboard: MGA9TOO
Source RPM: viewvc
CVE: CVE-2023-22464
Status comment: Fixed in versions 1.1.30 and 1.2.3

Description Stig-Ørjan Smelror 2024-05-09 15:28:54 CEST
ViewVC has been fixed upstream to fix CVE-2023-22464.

Fixed in versions 1.1.30 and 1.2.3.

https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g
Stig-Ørjan Smelror 2024-05-09 15:29:42 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed in versions 1.1.30 and 1.2.3
CVE: (none) => CVE-2023-22464

Comment 1 Stig-Ørjan Smelror 2024-05-09 15:38:45 CEST
We're running a nightly version, so this is invalid.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 2 sturmvogel 2024-05-09 18:00:09 CEST
The "nightly version" used in MGA9 and cauldron is from the year 2020! As the upstream source stays unclear if the nightly build from 2020 is also affected (but seems possible, as the fixed stable versions are from 2023 and lower versions are affected), an update to the 2024 nightly build is highly recommended when Mageia cares about security...
Comment 3 David Walser 2024-05-10 06:20:18 CEST
Indeed.  If it's actually unaffected, the explanation provided here is insufficient.

Resolution: INVALID => (none)
Status: RESOLVED => REOPENED

Comment 4 sturmvogel 2024-05-10 15:40:35 CEST
The master branch and nightly build of ViewVC got rolled back to version 1.2.x in March 2020. That means, the nightly build 20200516 which is used in MGA9 and cauldron is well affected by this CVE. Fixed versions are 1.1.30 and 1.2.3 released January 2023.
Comment 5 Lewis Smith 2024-05-12 21:01:16 CEST
(In reply to David Walser from comment #3)
> Indeed.  If it's actually unaffected, the explanation provided here is
> insufficient.
Thanks for commenting; but I was unsure what you are pointing up: which version, what explanation is insufficient, and in what way. Are you happy with the following comment 4?

All I can see in Cauldron is v1.3.0 nightly (4y ago), so the new versions cited are in a different world. There are visible patches since.

Source RPM: (none) => viewvc

Lewis Smith 2024-05-12 21:01:45 CEST

CC: (none) => lewyssmith

Comment 6 Nicolas Salguero 2024-05-30 14:07:05 CEST
CVE-2023-22464 (as well as CVE-2023-22456) were fixed in bug 31417.

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
CC: (none) => nicolas.salguero

Comment 7 David Walser 2024-05-30 15:06:49 CEST
In that case, this should be marked as a duplicate to link the bugs.

*** This bug has been marked as a duplicate of bug 31417 ***

Resolution: FIXED => DUPLICATE