U radu programskog paketa ViewVC otkriven je sigurnosni propust kojeg je moguće iskoristiti udaljeno za zaobilaženje "cvsdb row_limit" konfiguracijske postavke i izvođenje DoS napada.
| Paket: | viewvc 1.x |
| Operacijski sustavi: | Fedora 13, Fedora 14, Fedora 15 |
| Kritičnost: | 4.4 |
| Problem: | nepoznat |
| Iskorištavanje: | udaljeno |
| Posljedica: | uskraćivanje usluga (DoS), zaobilaženje postavljenih ograničenja |
| Rješenje: | programska zakrpa proizvođača |
| CVE: | CVE-2009-5024 |
| Izvorni ID preporuke: | FEDORA-2011-7198 |
| Izvor: | Fedora |
| Problem: | |
| Detalji oko uzroka ovog problema zasad nisu poznati. |
|
| Posljedica: | |
| Udaljenom napadaču nepravilnost omogućuje zaobilaženje cvsdb "row_limit" konfiguracijskih postavki i prekomjerno zauzeće resursa (CPU i memorije). |
|
| Rješenje: | |
| Korisnike se potiče na korištenje novih programskih rješenja. |
|
Izvorni tekst preporuke
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7198
2011-05-19 01:36:32
--------------------------------------------------------------------------------
Name : viewvc
Product : Fedora 13
Version : 1.1.11
Release : 1.fc13
URL : http://www.viewvc.org/
Summary : Browser interface for CVS and SVN version control repositories
Description :
ViewVC is a browser interface for CVS and Subversion version control
repositories. It generates templatized HTML to present navigable directory,
revision, and change log listings. It can display specific versions of files
as well as diffs between those versions. Basically, ViewVC provides the bulk
of the report-like functionality you expect out of your version control tool,
but much more prettily than the average textual command-line program output.
--------------------------------------------------------------------------------
Update Information:
* security fix: remove user-reachable override of cvsdb row limit
* fix broken standalone.py -c and -d options handling
* add --help option to standalone.py
* fix stack trace when asked to checkout a directory (issue #478)
* improve memory usage and speed of revision log markup (issue #477)
* fix broken annotation view in CVS keyword-bearing files (issue #479)
* warn users when query results are incomplete (issue #443)
* avoid parsing errors on RCS newphrases in the admin section (issue #483)
* make rlog parsing code more robust in certain error cases (issue #444)
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 18 2011 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.11-1
- bump up to 1.1.11
* Wed Mar 16 2011 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.10-1
- bump up to 1.1.10
* Mon Feb 21 2011 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.9-1
- bump up to 1.1.9
* Mon Dec 6 2010 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.8-1
- bump up to 1.1.8
* Fri Sep 10 2010 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.7-1
- bump up to 1.1.7
- address bug #565805, allow access to templates from localhost
* Thu Jul 22 2010 David Malcolm <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.6-2
- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
* Thu Jun 3 2010 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.6-1
- bump up to 1.1.6
- drop patch for upstream issue #454
* Tue May 25 2010 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.5-2
- patch upstream issue #454
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #706274 - CVE-2009-5024 viewvc: remote user can cause excessive CPU
usage and memory consumption
https://bugzilla.redhat.com/show_bug.cgi?id=706274
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update viewvc' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7185
2011-05-18 18:38:31
--------------------------------------------------------------------------------
Name : viewvc
Product : Fedora 15
Version : 1.1.11
Release : 1.fc15
URL : http://www.viewvc.org/
Summary : Browser interface for CVS and SVN version control repositories
Description :
ViewVC is a browser interface for CVS and Subversion version control
repositories. It generates templatized HTML to present navigable directory,
revision, and change log listings. It can display specific versions of files
as well as diffs between those versions. Basically, ViewVC provides the bulk
of the report-like functionality you expect out of your version control tool,
but much more prettily than the average textual command-line program output.
--------------------------------------------------------------------------------
Update Information:
* security fix: remove user-reachable override of cvsdb row limit
* fix broken standalone.py -c and -d options handling
* add --help option to standalone.py
* fix stack trace when asked to checkout a directory (issue #478)
* improve memory usage and speed of revision log markup (issue #477)
* fix broken annotation view in CVS keyword-bearing files (issue #479)
* warn users when query results are incomplete (issue #443)
* avoid parsing errors on RCS newphrases in the admin section (issue #483)
* make rlog parsing code more robust in certain error cases (issue #444)
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 18 2011 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.11-1
- bump up to 1.1.11
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #706274 - CVE-2009-5024 viewvc: remote user can cause excessive CPU
usage and memory consumption
https://bugzilla.redhat.com/show_bug.cgi?id=706274
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update viewvc' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7222
2011-05-19 01:37:20
--------------------------------------------------------------------------------
Name : viewvc
Product : Fedora 14
Version : 1.1.11
Release : 1.fc14
URL : http://www.viewvc.org/
Summary : Browser interface for CVS and SVN version control repositories
Description :
ViewVC is a browser interface for CVS and Subversion version control
repositories. It generates templatized HTML to present navigable directory,
revision, and change log listings. It can display specific versions of files
as well as diffs between those versions. Basically, ViewVC provides the bulk
of the report-like functionality you expect out of your version control tool,
but much more prettily than the average textual command-line program output.
--------------------------------------------------------------------------------
Update Information:
* security fix: remove user-reachable override of cvsdb row limit
* fix broken standalone.py -c and -d options handling
* add --help option to standalone.py
* fix stack trace when asked to checkout a directory (issue #478)
* improve memory usage and speed of revision log markup (issue #477)
* fix broken annotation view in CVS keyword-bearing files (issue #479)
* warn users when query results are incomplete (issue #443)
* avoid parsing errors on RCS newphrases in the admin section (issue #483)
* make rlog parsing code more robust in certain error cases (issue #444)
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 18 2011 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.11-1
- bump up to 1.1.11
* Wed Mar 16 2011 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.10-1
- bump up to 1.1.10
* Mon Feb 21 2011 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.9-1
- bump up to 1.1.9
* Mon Dec 6 2010 Bojan Smojver <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1.8-1
- bump up to 1.1.8
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #706274 - CVE-2009-5024 viewvc: remote user can cause excessive CPU
usage and memory consumption
https://bugzilla.redhat.com/show_bug.cgi?id=706274
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update viewvc' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke