Date: Tue, 30 Mar 2010 07:03:44 -0500
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input

On Mon, 29 Mar 2010 17:52:46 -0500
Reed Loden <reed@...dloden.com> wrote:

> Just received an announcement stating ViewVC 1.1.5 and 1.0.11 were
> released today (right on the heels of 1.1.4 and 1.0.10, for which I
> still haven't received a CVE). Looks like they fix an XSS that needs
> a CVE assigned.
>
> "security fix: escape user-provided search_re input to avoid XSS
> attack"

Apparently, Secunia has already assigned this CVE-2010-0132, as per
their advisory that just came out...

http://secunia.com/secunia_research/2010-26/

Again, still need a CVE for the XSS fix in ViewVC 1.1.4 and 1.1.10,
however.

~reed

--
Reed Loden - <reed@...dloden.com>