openSUSE Security Update: update for viewvc
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:0831-1
Rating:             moderate
References:         #768680
Cross-References:   CVE-2012-3356 CVE-2012-3357
Affected Products:
                    openSUSE 12.1
                    openSUSE 11.4
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

- update to 1.1.15 (bnc#768680):
  * security fix: complete authz support for remote SVN views
    (CVE-2012-3356)
  * security fix: log msg leak in SVN revision view with unreadable
    copy source (CVE-2012-3357)

  Additionally the following non-security issues have been addressed:
  * fix several instances of incorrect information in remote SVN views
  * increase performance of some revision metadata lookups in remote
    SVN views
  * fix RSS feed regression introduced in 1.1.14
  * fix annotation of svn files with non-URI-safe paths
  * handle file:/// Subversion rootpaths as local roots
  * fix bug caused by trying to case-normalize anon usernames
  * speed up log handling by reusing tokenization results
  * add support for custom review log markup rules
  * fix svndbadmin failure on deleted paths under Subversion 1.7
  * fix annotation of files in svn roots with non-URI-safe paths
  * fix stray annotation warning in markup display of images
  * more gracefully handle attempts to display binary content
  * fix path display in patch and certain diff views
  * fix broken cvsdb glob searching
  * allow svn revision specifiers to have leading r's
  * allow environmental override of configuration location
  * fix exception HTML-escaping non-string data under WSGI
  * add links to root logs from roots view
  * use Pygments lexer-guessing functionality
- add supplements for apache2/subversion-server

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.1:

  zypper in -t patch openSUSE-2012-363

- openSUSE 11.4:

  zypper in -t patch openSUSE-2012-363

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.1 (noarch):

  viewvc-1.1.15-4.4.1

- openSUSE 11.4 (noarch):

  viewvc-1.1.15-6.1

References:

  http://support.novell.com/security/cve/CVE-2012-3356.html
  http://support.novell.com/security/cve/CVE-2012-3357.html
  https://bugzilla.novell.com/768680