From: Garance A Drosihn
To: Kris Kennaway, ports@freebsd.org
Date: Fri, 28 Mar 2003 17:46:42 -0500
Subject: Re: ViewCVS (FORBIDDEN ports scheduled for removal)
In-Reply-To: <20030328013119.GA17944@rot13.obsecurity.org>
List-Id: Porting software to FreeBSD

At 5:31 PM -0800 3/27/03, Kris Kennaway wrote:
>
>The following ports have been marked FORBIDDEN for at least 4 months
>and are scheduled for removal after May 1 2003.  Please check for any
>updates to your ports and/or discuss the vulnerabilities with the
>developers.  If I do not hear anything from you before May 1 these
>ports will be removed as scheduled.
>
>devel/viewcvs

Well, I don't work with ViewCVS, but it sounds like an interesting
program.  I notice that at:

    http://www.securityfocus.com/bid/4818/solution/

there are two different proposed patches for this problem.

Also, if one checks revision 1.108 at:

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/lib/viewcvs.py

they seem to have an alternate fix committed, which has been
in "the head branch" of ViewCVS since April 2002.  However, I
do not know why they have not yet released something newer
than 0.9.2.

It does look like the project has been busy recently, so it's
very likely that we'd want to add viewcvs back into ports once
they *do* get a new version officially released.

I'm not a ports committer, and I don't use ViewCVS, but I'm
hoping that my little bit of investigation will inspire someone
who does use it to test and send in an appropriate fix for the
security issue.  :-)

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu