Debian Security Advisory

DSA-605-1 viewcvs -- settings not honored

Date Reported:
06 Dec 2004
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2004-0915.
More information:

Haris Sehic discovered several vulnerabilities in viewcvs, a utility for viewing CVS and Subversion repositories via HTTP. When exporting a repository as a tar archive the hide_cvsroot and forbidden settings were not honoured enough.

When upgrading the package for woody, please make a copy of your /etc/viewcvs/viewcvs.conf file if you have manually edited this file. Upon upgrade the debconf mechanism may alter it in a way so that viewcvs doesn't understand it anymore.

For the stable distribution (woody) these problems have been fixed in version 0.9.2-4woody1.

For the unstable distribution (sid) these problems have been fixed in version

We recommend that you upgrade your viewcvs package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.