
Re: [Full-disclosure] ViewCVS 0.9.4 issues

Subject: Re: [Full-disclosure] ViewCVS 0.9.4 issues
From: Moritz Naumann <security@moritz-naumann.com>
Date: Tue, 27 Feb 2007 02:44:53 +0100
Cc: Full Disclosure <full-disclosure@lists.grok.org.uk>, bugtraq@securityfocus.com, moderators@osvdb.org, security@debian.org, security@gentoo.org, dev@viewvc.tigris.org, users@viewvc.tigris.org
In-reply-to: <45E351E5.3000806@moritz-naumann.com>
Openpgp: id=277F060C; url=http://moritz-naumann.com/keys/0x277F060C.asc
Organization: Moritz Naumann IT Consulting & Services
References: <45E351E5.3000806@moritz-naumann.com>
User-agent: Mozilla/5.0 (X11; U; Linux) Thunderbird

Moritz Naumann wrote:
> This was previously considered a HTTP response splitting vulnerability
> by Jose Antonio Coret (Joxean Koret)
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030514.html
> (BID 12112, couldn't find a CVE, AFAICT it is _not_ CAN-2004-1062)
> and, according to him, a patch has been stored on the 1.0-dev CVS
> branch. The 0.9.4 release on viewvc.tigris.org seems to be unpatched and
> it's possible that some Linux distributions and whoever would normally
> care were never patched against this.

I was wrong when I assumed that the 0.9.4 release on viewvc.tigris.org
was unpatched against the issues discovered by Jose Antonio Coret
(Joxean Koret). This issue was actually fixed by the ViewCVS developers
in version 0.9.3. I am sorry for the misconception and the confusion
this has caused.

This does not impact how much the rest of my report applies. My
findings are now being discussed on the ViewVC developers mailing list
[1]. They apparently also impact ViewVC. Whether and to which degree
what I am reporting can be considered a security issue is, however,
currently subject to discussion.

For now, please follow up there only. I will be back to the security
mailing lists as soon as this has been sufficiently discussed and there
is something noteworthy to be said.

Moritz
