Debian has issued an advisory on October 23: http://www.debian.org/security/2012/dsa-2563 Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron. Advisory: ======================== Updated viewvc package fixes security vulnerability: "function name" lines returned by diff are not properly escaped, allowing attackers with commit access to perform cross site scripting (CVE-2012-4533). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4533 http://www.debian.org/security/2012/dsa-2563 ======================== Updated packages in core/updates_testing: ======================== viewvc-1.1.15-1.1.mga1 viewvc-1.1.15-1.1.mga2 from SRPMS: viewvc-1.1.15-1.1.mga1.src.rpm viewvc-1.1.15-1.1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
More info about this is here: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4533
Found some info at http://unspecified.wordpress.com/2008/06/10/viewvc/ Also, seems to need apache-mod_python installed. I have it to the point where http://127.0.0.1/cgi-bin/viewvc will load in Mageia 2 i586, but on Mageia 1, it's returning a 400 http status code. I'll dig into it more tomorrow.
CC: (none) => davidwhodgins
Created attachment 2991 [details] Testing procedure for viewvc On Mageia 2 i586, with the viewvc from viewvc-1.1.15-1.1.mga2.src.rpm installed, I'm still getting the pop-up showing XSS!, so it seems that the update is not fixing the problem. I'm attaching the testing procedure I used.
Whiteboard: MGA1TOO => MGA1TOO feedback
Try restarting the web server just in case, but if it persists, I'll try upgrading it to 1.1.17 next week and see if that fixes it (and if not, will have to report upstream). Thanks for testing.
Testing complete on Mageia 2 i586. I had restarted the web server, but it turns out I also had to clear the web browsers cache (I'm using opera). Still have to figure out why Mageia 1 is returning a 400 status code.
Whiteboard: MGA1TOO feedback => MGA1TOO MGA2-32-OK has_procedure
Testing complete on Mageia 1 x86-64. My 400 status code problem was caused by the updates testing version of drupal.
Whiteboard: MGA1TOO MGA2-32-OK has_procedure => MGA1TOO MGA2-32-OK has_procedure MGA1-64-OK
Testing complete on Mageia 1 i586.
Whiteboard: MGA1TOO MGA2-32-OK has_procedure MGA1-64-OK => MGA1TOO MGA2-32-OK has_procedure MGA1-64-OK MGA1-32-OK
Testing complete on Mageia 2 x86-64. Could someone from the sysadmin team push the srpm viewvc-1.1.15-1.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm viewvc-1.1.15-1.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated viewvc package fixes security vulnerability: "function name" lines returned by diff are not properly escaped, allowing attackers with commit access to perform cross site scripting (CVE-2012-4533). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4533 http://www.debian.org/security/2012/dsa-2563 https://bugs.mageia.org/show_bug.cgi?id=7896
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1TOO MGA2-32-OK has_procedure MGA1-64-OK MGA1-32-OK => MGA1TOO MGA2-32-OK has_procedure MGA1-64-OK MGA1-32-OK MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED