ViewVC has been fixed upstream to fix CVE-2023-22464. Fixed in versions 1.1.30 and 1.2.3. https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed in versions 1.1.30 and 1.2.3
CVE: (none) => CVE-2023-22464
We're running a nightly version, so this is invalid.
Status: NEW => RESOLVED
Resolution: (none) => INVALID
The "nightly version" used in MGA9 and cauldron is from the year 2020! As the upstream source stays unclear about whether the nightly build from 2020 is also affected (but it seems possible, as the fixed stable versions are from 2023 and lower versions are affected), an update to the 2024 nightly build is highly recommended if Mageia cares about security...
Indeed. If it's actually unaffected, the explanation provided here is insufficient.
Resolution: INVALID => (none)
Status: RESOLVED => REOPENED
The master branch and nightly build of ViewVC got rolled back to version 1.2.x in March 2020. That means the nightly build 20200516, which is used in MGA9 and cauldron, is indeed affected by this CVE. Fixed versions are 1.1.30 and 1.2.3, released January 2023.
(In reply to David Walser from comment #3)
> Indeed. If it's actually unaffected, the explanation provided here is
> insufficient.

Thanks for commenting; but I was unsure what you are pointing out: which version, what explanation is insufficient, and in what way. Are you happy with the following comment 4? All I can see in Cauldron is v1.3.0 nightly (4y ago), so the new versions cited are in a different world. There are visible patches since.
Source RPM: (none) => viewvc
CC: (none) => lewyssmith
CVE-2023-22464 (as well as CVE-2023-22456) was fixed in bug 31417.
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
CC: (none) => nicolas.salguero
In that case, this should be marked as a duplicate to link the bugs. *** This bug has been marked as a duplicate of bug 31417 ***
Resolution: FIXED => DUPLICATE