Date: Fri, 28 Mar 2003 17:46:42 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: Kris Kennaway <kris@obsecurity.org>, ports@freebsd.org
Subject: Re: ViewCVS (FORBIDDEN ports scheduled for removal)
Message-ID: <p05200f51baaa7f131f4d@[128.113.24.47]>
In-Reply-To: <20030328013119.GA17944@rot13.obsecurity.org>
References: <20030328013119.GA17944@rot13.obsecurity.org>
At 5:31 PM -0800 3/27/03, Kris Kennaway wrote:
>
> The following ports have been marked FORBIDDEN for at least 4 months
> and are scheduled for removal after May 1 2003. Please check for any
> updates to your ports and/or discuss the vulnerabilities with the
> developers. If I do not hear anything from you before May 1 these
> ports will be removed as scheduled.
>
> devel/viewcvs

Well, I don't work with ViewCVS, but it sounds like an interesting
program. I notice that at:

    http://www.securityfocus.com/bid/4818/solution/

there are two different proposed patches for this problem. Also, if
one checks revision 1.108 at:

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/lib/viewcvs.py

they seem to have an alternate fix committed, which has been in "the
head branch" of ViewCVS since April 2002. However, I do not know why
they have not yet released something newer than 0.9.2.

It does look like the project has been busy recently, so it's very
likely that we'd want to add viewcvs back into ports once they *do*
get a new version officially released.

I'm not a ports committer, and I don't use ViewCVS, but I'm hoping
that my little bit of investigation will inspire someone who does use
it to test and send in an appropriate fix for the security issue. :-)

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu