Date: Thu, 14 Jan 2010 13:02:53 +0100
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: viewvc

Hi,
* Josh Bressers <bressers@...hat.com> [2010-01-13 22:14]:
> ----- "Ludwig Nussel" <ludwig.nussel@...e.de> wrote:
> >
> > viewvc 1.1.3 was released with security fixes according to the changelog:
> > http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD
> >
> > More explanations are in this commit:
> > http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300
> >
>
> As best as I can tell, there are only two things that deserve CVE ids:
>
> * security fix: add root listing support of per-root authz config
> Use CVE-2010-0004

In what sense is this a security fix? This looks just like an enhancement to
allow admins to configure this behaviour but I see no security bug itself here.
Please enlighten me :)

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.