lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <45E38D15.7090305@moritz-naumann.com>
Date: Tue, 27 Feb 2007 02:44:53 +0100
From: Moritz Naumann <security@...itz-naumann.com>
Cc: users@...wvc.tigris.org, dev@...wvc.tigris.org,
	Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com, security@...ian.org,
	security@...too.org, moderators@...db.org
Subject: Re: ViewCVS 0.9.4 issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Moritz Naumann wrote:
> This was previously considered a HTTP response splitting vulnerability
> by Jose Antonio Coret (Joxean Koret)
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030514.html
> (BID 12112, couldn't find a CVE, AFAICT it is _not_ CAN-2004-1062)
> and, according to him, a patch has been stored on the 1.0-dev CVS
> branch. The 0.9.4 release on viewvc.tigris.org seems to be unpatched and
> it's possible that some Linux distributions and whoever would normally
> care were never patched against this.

I was wrong when I assumed that the 0.9.4 release on viewvc.tigris.org
was unpatched against the issues discovered by Jose Antonio Coret
(Joxean Koret). This issue was actually fixed by the ViewCVS developers
in version 0.9.3. I am sorry for the misconception and the confusion
this has caused.

This does not impact  how much the rest of my report applies. My
findings are now being discussed on the ViewVC developers mailing list
[1]. They apparently also impact ViewVC. Whether and to which degree
what I am reporting can be considered a security issue is, however,
currently subject to discussion.

For now, please follow up there only. I will be back to the security
mailing lists as soon as this has been sufficiently discussed and there
is something noteworthy to be said.

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF440Vn6GkvSd/BgwRApdwAKCL+aPccWHsmq4Y6MP/SzrjMDtpVACbBVUE
bh85P5I1agzH5TdDwk8KxiM=
=Gsp7
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ