openSUSE Security Update: update for viewvc
______________________________________________________________________________
Announcement ID:    openSUSE-SU-2012:0831-1
Rating:             moderate
References:         #768680
Cross-References:   CVE-2012-3356 CVE-2012-3357
Affected Products:
                    openSUSE 12.1
                    openSUSE 11.4
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
- update to 1.1.15 (bnc#768680):
  * security fix: complete authz support for remote SVN views (CVE-2012-3356)
  * security fix: log msg leak in SVN revision view with unreadable copy source (CVE-2012-3357)
Additionally the following non-security issues have been addressed:
  * fix several instances of incorrect information in remote SVN views
  * increase performance of some revision metadata lookups in remote SVN views
  * fix RSS feed regression introduced in 1.1.14
  * fix annotation of svn files with non-URI-safe paths
  * handle file:/// Subversion rootpaths as local roots
  * fix bug caused by trying to case-normalize anon usernames
  * speed up log handling by reusing tokenization results
  * add support for custom review log markup rules
  * fix svndbadmin failure on deleted paths under Subversion 1.7
  * fix annotation of files in svn roots with non-URI-safe paths
  * fix stray annotation warning in markup display of images
  * more gracefully handle attempts to display binary content
  * fix path display in patch and certain diff views
  * fix broken cvsdb glob searching
  * allow svn revision specifiers to have leading r's
  * allow environmental override of configuration location
  * fix exception HTML-escaping non-string data under WSGI
  * add links to root logs from roots view
  * use Pygments lexer-guessing functionality
- add supplements for apache2/subversion-server
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 12.1:
zypper in -t patch openSUSE-2012-363
- openSUSE 11.4:
zypper in -t patch openSUSE-2012-363
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 12.1 (noarch):
viewvc-1.1.15-4.4.1
- openSUSE 11.4 (noarch):
viewvc-1.1.15-6.1
References:
http://support.novell.com/security/cve/CVE-2012-3356.html
http://support.novell.com/security/cve/CVE-2012-3357.html
https://bugzilla.novell.com/768680