Debian-LTS has issued an advisory on January 11: https://www.debian.org/lts/security/2023/dla-3266 The issues are fixed upstream in 1.2.3. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
No choice but to assign this one globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

ViewVC is vulnerable to cross-site scripting. The impact of these vulnerabilities is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. (CVE-2023-22456, CVE-2023-22464)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22464
https://www.debian.org/lts/security/2023/dla-3266
========================

Updated package in core/updates_testing:
========================
viewvc-1.3.0-0.dev20200516.1.1.mga8

from SRPM:
viewvc-1.3.0-0.dev20200516.1.1.mga8.src.rpm
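The advisory above describes file names that break out of the HTML a repository browser emits. The following is an added example, not ViewVC's code, showing a directory listing rendered without escaping beside the hardened form, plus a check a repository hook could use to flag such names; the file names are constructed.

```python
"""Added example (not ViewVC's code): render a repository directory listing
to HTML the unsafe way and the escaped way, and flag file names that are
unsafe to embed in HTML.  The sample names below are constructed."""
import html
from urllib.parse import quote

# Constructed file names as a Subversion commit could introduce them;
# the last two would alter the markup if embedded verbatim.
SAMPLE_NAMES = [
    "README.txt",
    "src/main.c",
    'report "final".pdf',
    "<img src=x onerror=alert(1)>.txt",
]

# Characters that are significant inside HTML text or attribute values.
UNSAFE_CHARS = set('<>"\'&')


def render_listing_unsafe(names):
    """Vulnerable pattern: file names interpolated directly into markup."""
    rows = ['<li><a href="%s">%s</a></li>' % (n, n) for n in names]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_listing_safe(names):
    """Hardened pattern: percent-encode the href, HTML-escape the text."""
    rows = []
    for n in names:
        href = quote(n, safe="/")            # URL path component, keep '/'
        text = html.escape(n, quote=True)    # escapes < > & " and '
        rows.append('<li><a href="%s">%s</a></li>' % (href, text))
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def find_unsafe_names(names):
    """Defensive check usable from a pre-commit hook: which names carry
    characters that are significant in HTML?"""
    return [n for n in names if UNSAFE_CHARS & set(n)]


if __name__ == "__main__":
    print(render_listing_unsafe(SAMPLE_NAMES))
    print(render_listing_safe(SAMPLE_NAMES))
    print("unsafe names:", find_unsafe_names(SAMPLE_NAMES))
```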
Source RPM: viewvc-1.3.0-0.dev20200516.1.mga9.src.rpm => viewvc-1.3.0-0.dev20200516.1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 8
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2023-22456, CVE-2023-22464
Whiteboard: MGA8TOO => (none)
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Found simple test in bug 20262 Comment 3, so
$ /usr/share/viewvc/bin/standalone.py
server ready at http://localhost:49152/viewvc
and then pointed browser at http://localhost:49152/viewvc. That doesn't show much, but at least there is an installed help link, and using that and a few steps further gave me feedback on the CLI:
127.0.0.1 - - [19/Jan/2023 11:50:48] "GET /viewvc HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:48] ViewVC exited ok
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 60226)
ValueError: I/O operation on closed file.
----------------------------------------
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/styles.css HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/scripts.js HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] code 404, message Not Found
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [19/Jan/2023 11:51:04] "GET /viewvc HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:51:04] ViewVC exited ok
Interpretation ?????
Setting up a real subversion server is beyond me. But the link Thomas provided in bug 26628 Comment 11 displays nicely and allows navigation, so as on this bug, I OK this update.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0019.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
*** Bug 33187 has been marked as a duplicate of this bug. ***
CC: (none) => smelror