ViewVC 1.1.15 fixes two security issues:

* security fix: complete authz support for remote SVN views (issue #353)
* security fix: log msg leak in SVN revision view with unreadable copy source

We could consider updating this for Mageia 1 and Mageia 2.
CC: (none) => guillomovitch
Whiteboard: (none) => MGA2TOO, MGA1TOO
Updated in Cauldron by Damien. Thanks. Damien, could you provide an update for Mageia 1 and Mageia 2?
CC: (none) => mageia
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
OpenSuSE has issued an advisory for this today (July 4): http://lists.opensuse.org/opensuse-updates/2012-07/msg00011.html

They have updated to 1.1.15. Also, CVEs have been issued for the security issues (CVE-2012-3356 and CVE-2012-3357).
URL: (none) => http://lwn.net/Vulnerabilities/505119/
Summary: viewvc 1.1.15 fixes minor security issues => viewvc 1.1.15 fixes minor security issues (CVE-2012-3356 CVE-2012-3357)
Updated packages uploaded. Also added a suggests on python-svn, so it might require linking.

Advisory:
========================

Updated viewvc packages fix security vulnerabilities:
- complete authz support for remote SVN views (CVE-2012-3356)
- log msg leak in SVN revision view with unreadable copy source (CVE-2012-3357)

Several other bugs were fixed as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3357
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
http://lists.opensuse.org/opensuse-updates/2012-07/msg00011.html
========================

Updated packages in core/updates_testing:
========================
viewvc-1.1.15-1.mga1
viewvc-1.1.15-1.mga2

from SRPMS:
viewvc-1.1.15-1.mga1.src.rpm
viewvc-1.1.15-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
I've added a depends on bug 6714. Since python-svn will be in updates when that is pushed, it won't need linking.

Other than viewing http://127.0.0.1/viewvc/help_dirview.html (There should be an index.html in the directory, I think), I'm not clear on how this package is used. Any ideas for a test procedure?
CC: (none) => davidwhodgins
Depends on: (none) => 6714
http://svnweb.mageia.org/ for an example of what this can give you. You could set up a local SVN repository and point viewvc at it, look at it through your web browser and see how it looks. What to use for your local SVN repository? Anything really I guess, but maybe you could use rsvndump to clone a small piece of the Mageia repository. Just an idea.
Testing complete mga1 64

Installed subversion and subversion-tools

Followed the procedure here to create an svn repository called test with something in it, checked it out and committed back to add a version.
http://www.guyrutenberg.com/2007/10/29/creating-local-svn-repository-home-repository/

You need to add a trailing / on the trunk when importing or it renames the file to trunk and if you check it out it complains that it is a file and not a directory.

Edited /etc/viewvc/viewvc.conf and set
svn_roots = test: /home/me/svnrep/test

Installed python-svn

Browsing to http://localhost/cgi-bin/viewvc.cgi shows the test repository. I can browse it and see diffs of the changes I made earlier.

Testing mga2 64 too in a moment
Whiteboard: MGA1TOO => MGA1TOO mga1-64-OK
Testing complete mga2 64

Found that it's not just a trailing / that's needed; if importing a file you have to name the destination file too.
Hardware: i586 => All
Whiteboard: MGA1TOO mga1-64-OK => MGA1TOO mga1-64-OK mga2-64-OK
Thanks for the procedure Claire! Testing complete on Mageia 1 i586. I'll test Mageia 2 i586 shortly.
Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK => MGA1TOO mga1-64-OK mga2-64-OK MGA1-32-OK
Testing complete on Mageia 2 i586.

If the Mageia 2 64 bit testing for bug 6714 can be completed tomorrow (later today for most of you :-), this bug should be validated and pushed right after it.

If it will take longer, then this bug should be validated and python-svn should be linked from Core Release to Core Updates for Mageia 2.

python-svn is already in updates in Mageia 1.
Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK MGA1-32-OK => MGA1TOO mga1-64-OK mga2-64-OK MGA1-32-OK MGA2-32-OK
(In reply to comment #9)
> Testing complete on Mageia 2 i586.
>
> If the Mageia 2 64 bit testing for bug 6714 can be completed tomorrow (later
> today for most of you :-), this bug should be validated and pushed right after
> it.
>
> If it will take longer, then this bug should be validated and python-svn
> should be linked from Core Release to Core Updates for Mageia 2.
>
> python-svn is already in updates in Mageia 1.

Theoretically it should at least be possible to test 6714 fairly quickly, as all that really needs to be done is what you did here:
https://bugs.mageia.org/show_bug.cgi?id=6678#c16
python-svn isn't actually a require of viewvc as there are various ways of configuring it, so shouldn't need linking.

These do though..

----------------------------------------
Running checks for "viewvc" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is viewvc-1.1.13-1.mga2
Latest version found in "Core Updates Testing" is viewvc-1.1.15-1.mga2
----------------------------------------
The following packages will require linking:

lib64neon0.27-0.29.6-1.mga2 (Core Release)
----------------------------------------
Done.

----------------------------------------
Running checks for "viewvc" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is viewvc-1.1.11-1.mga1
Latest version found in "Core Updates Testing" is viewvc-1.1.15-1.mga1
----------------------------------------
The following packages will require linking:

lib64neon0.27-0.29.5-2.mga1 (Core Release)
lib64serf0-0.7.0-4.mga1 (Core Release)
----------------------------------------
Done.
Validating & adding depends on bug 2317.

Could sysadmin please push from core/updates_testing to core/updates and make the links in comment 11.

Could you please push this after pushing the apache modules in bug 6714.

Advisory:
========================

Updated viewvc packages fix security vulnerabilities:
- complete authz support for remote SVN views (CVE-2012-3356)
- log msg leak in SVN revision view with unreadable copy source (CVE-2012-3357)

Several other bugs were fixed as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3357
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
http://lists.opensuse.org/opensuse-updates/2012-07/msg00011.html
========================

SRPMS:
viewvc-1.1.15-1.mga1.src.rpm
viewvc-1.1.15-1.mga2.src.rpm

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Depends on: (none) => 2317
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED