Updated viewvc packages fix security vulnerability
Publication date: 24 May 2020Modification date: 24 May 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-5283
Description
Updated viewvc package fixes security vulnerability:
ViewVC before versions 1.1.28 has an XSS vulnerability in CVS
show_subdir_lastmod support. The impact of this vulnerability is mitigated
by the need for an attacker to have commit privileges to a CVS repository
exposed by an otherwise trusted ViewVC instance that also has the
`show_subdir_lastmod` feature enabled. The attack vector involves files
with unsafe names (names that, when embedded into an HTML stream, would
cause the browser to run unwanted code), which themselves can be
challenging to create (CVE-2020-5283).
The viewvc package has been updated to version 1.1.28, fixing this issue
and other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=26628
- https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg
- https://github.com/viewvc/viewvc/releases/tag/1.1.27
- https://github.com/viewvc/viewvc/releases/tag/1.1.28
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5283
SRPMS
7/core
- viewvc-1.1.28-1.mga7