CVE-2010-0736: Cross-site scripting (XSS) vulnerability

Related Vulnerabilities: CVE-2010-0736   CVE-2010-0004   CVE-2010-0005   CVE-2010-0132  

Debian Bug report logs - #575787
CVE-2010-0736: Cross-site scripting (XSS) vulnerability


Package: viewvc; Maintainer for viewvc is Lev Lamberov <dogsleg@debian.org>; Source for viewvc is src:viewvc (PTS, buildd, popcon).

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Mon, 29 Mar 2010 09:12:02 UTC

Severity: serious

Tags: security

Fixed in version viewvc/1.1.5-1

Done: David Martínez Moreno <ender@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#575787; Package viewvc. (Mon, 29 Mar 2010 09:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>. (Mon, 29 Mar 2010 09:12:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-0736: Cross-site scripting (XSS) vulnerability
Date: Mon, 29 Mar 2010 11:06:00 +0200
Package: viewvc
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for viewvc.

CVE-2010-0736[0]:
| Cross-site scripting (XSS) vulnerability in the view_queryform
| function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before
| 1.1.4, allows remote attackers to inject arbitrary web script or HTML
| via "user-provided input."

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0736
    http://security-tracker.debian.org/tracker/CVE-2010-0736


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuwbXYACgkQNxpp46476arxJACdEaZcj/lgJJNJ1yRUDDyfPwYA
Ii0An2T6LiMIlY4I4oTpjUedX5vu4I2L
=T+nk
-----END PGP SIGNATURE-----
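The CVE text quoted in the report above describes unescaped "user-provided input" reaching the HTML that the query form emits. As an added illustration (this is not ViewVC's code; the form layout, the field names and the sample query string are constructed here for the example), the following shows the defect class beside its fix, written in Python because ViewVC is a Python application:

```python
import html
from urllib.parse import parse_qs

# Constructed query string (not from the bug report): a 'who' value carrying
# markup, the kind of "user-provided input" the CVE description refers to.
SAMPLE_QUERY = "who=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&branch=trunk"

# Assumed form layout for the illustration; both field values land inside
# double-quoted HTML attributes.
FORM_TEMPLATE = (
    '<form action="query">'
    '<input type="text" name="who" value="{who}">'
    '<input type="text" name="branch" value="{branch}">'
    '</form>'
)


def form_fields(query_string: str) -> dict:
    """Pull the form's fields out of the query string; missing fields become ''."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {name: params.get(name, [""])[0] for name in ("who", "branch")}


def render_unescaped(query_string: str) -> str:
    """Vulnerable pattern: field values are interpolated verbatim, so a quote and
    a '<' in the value close the attribute and start a new element (reflected XSS)."""
    return FORM_TEMPLATE.format(**form_fields(query_string))


def render_escaped(query_string: str) -> str:
    """Hardened pattern: escape at the output boundary.  quote=True matters here
    because the values sit inside double-quoted attributes."""
    safe = {k: html.escape(v, quote=True) for k, v in form_fields(query_string).items()}
    return FORM_TEMPLATE.format(**safe)


def value_survives_unescaped(rendered: str, value: str) -> bool:
    """Regression check for a test suite: does the raw user value appear verbatim
    in the output?  For a value containing '<', '>', '"' or '&' that is a bug."""
    return value in rendered
```

The check in `value_survives_unescaped` is the kind of assertion worth keeping in a regression test after a fix like the one shipped in ViewVC 1.1.4/1.1.5: feed every form field a value containing `<`, `>`, `"` and `&`, and fail if any of them reaches the rendered page unchanged.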




Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#575787; Package viewvc. (Thu, 01 Apr 2010 04:48:12 GMT) (full text, mbox, link).


Acknowledgement sent to John Zaitseff <J.Zaitseff@zap.org.au>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Thu, 01 Apr 2010 04:48:12 GMT) (full text, mbox, link).


Message #10 received at 575787@bugs.debian.org (full text, mbox, reply):

From: John Zaitseff <J.Zaitseff@zap.org.au>
To: Debian bug 532611 <532611@bugs.debian.org>
Cc: 575777@bugs.debian.org, 575787@bugs.debian.org, 570573@bugs.debian.org
Subject: Please package viewvc 1.1.5
Date: Thu, 1 Apr 2010 15:18:01 +1100
[Message part 1 (text/plain, inline)]
Tags: patch

Dear David et al.,

Thank you for packaging ViewVC!

Rather a long time ago, I asked that viewvc 1.1.x be packaged.  At
that time, I promised I would have a go at it myself, since I
realised that the 1.1.x series represented some major changes.
Unfortunately, I've been rather busy... until now, that is.

I have finally created a completely-overhauled viewvc 1.1.x package,
based on your work and on Ender's patch.  Could you please package
the latest ViewVC, 1.1.5, using this patch (attached to this
e-mail)?  You can get the full debian directory by running:

  svn co http://svn.zap.org.au/svn/debian-packages/debian-updates/viewvc/tags/1.1.5-0.1zg4/debian

You can download the full source to the packages, if you wish, from:

  ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5-0.1zg4.dsc
  ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5-0.1zg4.diff.gz
  ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5.orig.tar.gz

Alternatively, you can use the following lines in /etc/apt/sources.list:

  deb     ftp://ftp.zap.org.au/pub/ubuntu zapgroup-sid main
  deb-src ftp://ftp.zap.org.au/pub/ubuntu zapgroup-sid main

You can replace "zapgroup-sid" with "zapgroup-lenny" or
"zapgroup-karmic" as appropriate.

I am successfully running this version on my own Debian Lenny-based
server, accessible at http://www.zap.org.au/viewvc/.


Highlights of my changes:

* ViewVC 1.1.5 closes some important cross-site scripting problems
  (Closes: #532611, #575777, #575787).  This solves CVE-2010-0004,
  CVE-2010-0005 and CVE-2010-0736.

* Updated all dependencies, based on what is required for ViewVC
  1.1.5.  In particular: the XS-Python-Version field is set to "all"
  (Closes: #570573); depend on apache2 | httpd-cgi, not apache |
  httpd (we need a CGI server); python-egenix-mxdatetime and
  enscript are no longer required/suggested (python-pygments is
  recommended instead of enscript).

* Packaged the Apache mod-python modules for optional use (in
  /usr/lib/viewvc/mod-python) and added instructions in
  README.Debian on how to access it.

* Wrote a manual page for /usr/bin/viewvc-standalone.

* Rewrote the README.Debian, NEWS and TODO files as appropriate.

* Moved to Debian policy 3.8.4 and Debhelper 7.  Dealt with as many
  Lintian warnings as possible.  Converted all files to UTF-8 as
  appropriate.

* Refreshed all files in debian/patches: most no longer apply,
  although support for robots.txt (01-robots-support), changes to
  viewvc-install (90-viewvc-install-debian-paths) and to
  viewvc.conf.dist (91-viewvc-conf-debian-custom) still do.  Tweaked
  some file modes as used by viewvc-install.  All patch files now
  use -p1, making the future move to source version 3.0 (quilt) much
  easier.

* The file /etc/viewvc/viewvc.conf is a conffile: maintainer scripts
  must NOT modify it (as previous versions of the ViewVC package
  do!).  For this version, I've removed all Debconf scripts, since I
  don't particularly like my configuration files modified!  A better
  solution would be to use something like ucf(1)...


I'm hoping you will be able to take my changes more or less en masse
and release an official ViewVC package quickly.  I look forward to
hearing from you!

Yours truly,

John Zaitseff

-- 
John Zaitseff                    ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737         /      \   Sydney, Australia
E-mail: J.Zaitseff@zap.org.au   \_,--._*   http://www.zap.org.au/
                                      v
[viewvc-1.1.5-0.1zg4.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#575787; Package viewvc. (Fri, 02 Apr 2010 21:27:11 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Fri, 02 Apr 2010 21:27:11 GMT) (full text, mbox, link).


Message #15 received at 575787@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: John Zaitseff <J.Zaitseff@zap.org.au>, ender@debian.org
Cc: Debian bug 532611 <532611@bugs.debian.org>, 575777@bugs.debian.org, 575787@bugs.debian.org, 570573@bugs.debian.org
Subject: Re: Please package viewvc 1.1.5
Date: Fri, 2 Apr 2010 22:47:03 +0200
On Thu, Apr 01, 2010 at 03:18:01PM +1100, John Zaitseff wrote:
> Tags: patch
> 
> Dear David et al.,
> 
> Thank you for packaging ViewVC!
> 
> Rather a long time ago, I asked that viewvc 1.1.x be packaged.  At
> that time, I promised I would have a go at it myself, since I
> realised that the 1.1.x series represented some major changes.
> Unfortunately, I've been rather busy... until now, that is.
> 
> I have finally created a completely-overhauled viewvc 1.1.x package,
> based on your work and on Ender's patch.  Could you please package
> the latest ViewVC, 1.1.5, using this patch (attached to this
> e-mail)?  You can get the full debian directory by running:
> 
>   svn co http://svn.zap.org.au/svn/debian-packages/debian-updates/viewvc/tags/1.1.5-0.1zg4/debian
> 
> You can download the full source to the packages, if you wish, from:
> 
>   ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5-0.1zg4.dsc
>   ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5-0.1zg4.diff.gz
>   ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5.orig.tar.gz
> 
> Alternatively, you can use the following lines in /etc/apt/sources.list:
> 
>   deb     ftp://ftp.zap.org.au/pub/ubuntu zapgroup-sid main
>   deb-src ftp://ftp.zap.org.au/pub/ubuntu zapgroup-sid main
> 
> You can replace "zapgroup-sid" with "zapgroup-lenny" or
> "zapgroup-karmic" as appropriate.
> 
> I am successfully running this version on my own Debian Lenny-based
> server, accessible at http://www.zap.org.au/viewvc/.
> 
> 
> Highlights of my changes:
> 
> * ViewVC 1.1.5 closes some important cross-site scripting problems
>   (Closes: #532611, #575777, #575787).  This solves CVE-2010-0004,
>   CVE-2010-0005 and CVE-2010-0736.
> 
> * Updated all dependencies, based on what is required for ViewVC
>   1.1.5.  In particular: the XS-Python-Version field is set to "all"
>   (Closes: #570573); depend on apache2 | httpd-cgi, not apache |
>   httpd (we need a CGI server); python-egenix-mxdatetime and
>   enscript are no longer required/suggested (python-pygments is
>   recommended instead of enscript).
> 
> * Packaged the Apache mod-python modules for optional use (in
>   /usr/lib/viewvc/mod-python) and added instructions in
>   README.Debian on how to access it.
> 
> * Wrote a manual page for /usr/bin/viewvc-standalone.
> 
> * Rewrote the README.Debian, NEWS and TODO files as appropriate.
> 
> * Moved to Debian policy 3.8.4 and Debhelper 7.  Dealt with as many
>   Lintian warnings as possible.  Converted all files to UTF-8 as
>   appropriate.
> 
> * Refreshed all files in debian/patches: most no longer apply,
>   although support for robots.txt (01-robots-support), changes to
>   viewvc-install (90-viewvc-install-debian-paths) and to
>   viewvc.conf.dist (91-viewvc-conf-debian-custom) still do.  Tweaked
>   some file modes as used by viewvc-install.  All patch files now
>   use -p1, making the future move to source version 3.0 (quilt) much
>   easier.
> 
> * The file /etc/viewvc/viewvc.conf is a conffile: maintainer scripts
>   must NOT modify it (as previous versions of the ViewVC package
>   do!).  For this version, I've removed all Debconf scripts, since I
>   don't particularly like my configuration files modified!  A better
>   solution would be to use something like ucf(1)...
> 
> 
> I'm hoping you will be able to take my changes more or less en masse
> and release an official ViewVC package quickly.  I look forward to
> hearing from you!

The Security Team contacted David three weeks ago about the viewvc
maintenance status and didn't receive a reply. 

David, please consider handing maintenance over to John or move
viewvc to group maintenance.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#575787; Package viewvc. (Mon, 03 May 2010 21:24:14 GMT) (full text, mbox, link).


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Mon, 03 May 2010 21:24:14 GMT) (full text, mbox, link).


Message #20 received at 575787@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.or.jp>
To: John Zaitseff <J.Zaitseff@zap.org.au>, ender@debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Cc: Debian bug 532611 <532611@bugs.debian.org>, 575777@bugs.debian.org, 575787@bugs.debian.org, 570573@bugs.debian.org
Subject: Re: Please package viewvc 1.1.5
Date: Tue, 4 May 2010 06:21:49 +0900
On Fri, 2 Apr 2010 22:47:03 +0200
Moritz Muehlenhoff <jmm@inutil.org> wrote:
> The Security Team contacted David three weeks ago about the viewvc
> maintenance status and didn't receive a reply. 
> 
> David, please consider handing maintenance over to John or move
> viewvc to group maintenance.

 Ping.

 It was 1 month ago. 2 months is enough time for waiting...
 Maybe David has his own important issue, but providing a security update for users is
 important as well.


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/iijmio-mail.jp
 http://wiki.debian.org/HidekiYamane




Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#575787; Package viewvc. (Thu, 03 Jun 2010 22:51:08 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Thu, 03 Jun 2010 22:51:08 GMT) (full text, mbox, link).


Message #25 received at 575787@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: John Zaitseff <J.Zaitseff@zap.org.au>, ender@debian.org, Debian bug 532611 <532611@bugs.debian.org>, 575777@bugs.debian.org, 575787@bugs.debian.org, 570573@bugs.debian.org
Subject: Re: Please package viewvc 1.1.5
Date: Fri, 4 Jun 2010 00:45:47 +0200
On Tue, May 04, 2010 at 06:21:49AM +0900, Hideki Yamane wrote:
> On Fri, 2 Apr 2010 22:47:03 +0200
> Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > The Security Team contacted David three weeks ago about the viewvc
> > maintenance status and didn't receive a reply. 
> > 
> > David, please consider handing maintenance over to John or move
> > viewvc to group maintenance.
> 
>  Ping.
> 
>  It was 1 month ago. 2 months is enough time for waiting...
>  Maybe David has his own important issue, but providing a security update for users is
>  important as well.

Agreed, given that there's no reaction from David feel free to hijack
viewvc. Maybe you can sponsor the upload prepared by John, making him
the new maintainer?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#575787; Package viewvc. (Fri, 04 Jun 2010 07:15:09 GMT) (full text, mbox, link).


Acknowledgement sent to David Martínez Moreno <ender@debian.org>:
Extra info received and forwarded to list. (Fri, 04 Jun 2010 07:15:09 GMT) (full text, mbox, link).


Message #30 received at 575787@bugs.debian.org (full text, mbox, reply):

From: David Martínez Moreno <ender@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 575787@bugs.debian.org
Cc: Hideki Yamane <henrich@debian.or.jp>, John Zaitseff <J.Zaitseff@zap.org.au>, Debian bug 532611 <532611@bugs.debian.org>, 575777@bugs.debian.org, 570573@bugs.debian.org
Subject: Re: Bug#575787: Please package viewvc 1.1.5
Date: Fri, 4 Jun 2010 07:08:56 +0100
[Message part 1 (text/plain, inline)]
On Friday, 4 June 2010, Moritz Muehlenhoff wrote:
> On Tue, May 04, 2010 at 06:21:49AM +0900, Hideki Yamane wrote:
> > On Fri, 2 Apr 2010 22:47:03 +0200
> >
> > Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > > The Security Team contacted David three weeks ago about the viewvc
> > > maintenance status and didn't receive a reply.
> > >
> > > David, please consider handing maintenance over to John or move
> > > viewvc to group maintenance.
> >
> >  Ping.
> >
> >  It was 1 month ago. 2 months is enough time for waiting...
> >  Maybe David has his own important issue, but providing a security update for
> > users is important as well.
> 
> Agreed, given that there's no reaction from David feel free to hijack
> viewvc. Maybe you can sponsor the upload prepared by John, making him
> the new maintainer?

	Hi there.  As Hideki Yamane said, I sadly had a very important issue.

	I'm currently reviewing the backlog, but please feel free to tell me how I 
can help in this issue.

	Best regards,


		Ender.
-- 
Network engineer - System administrator
Debian Developer
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#575787; Package viewvc. (Fri, 04 Jun 2010 17:39:14 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Fri, 04 Jun 2010 17:39:14 GMT) (full text, mbox, link).


Message #35 received at 575787@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: David Martínez Moreno <ender@debian.org>
Cc: 575787@bugs.debian.org, Hideki Yamane <henrich@debian.or.jp>, John Zaitseff <J.Zaitseff@zap.org.au>, Debian bug 532611 <532611@bugs.debian.org>, 575777@bugs.debian.org, 570573@bugs.debian.org
Subject: Re: Bug#575787: Please package viewvc 1.1.5
Date: Fri, 4 Jun 2010 19:38:01 +0200
On Fri, Jun 04, 2010 at 07:08:56AM +0100, David Martínez Moreno wrote:
> On Friday, 4 June 2010, Moritz Muehlenhoff wrote:
> > On Tue, May 04, 2010 at 06:21:49AM +0900, Hideki Yamane wrote:
> > > On Fri, 2 Apr 2010 22:47:03 +0200
> > >
> > > Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > > > The Security Team contacted David three weeks ago about the viewvc
> > > > maintenance status and didn't receive a reply.
> > > >
> > > > David, please consider handing maintenance over to John or move
> > > > viewvc to group maintenance.
> > >
> > >  Ping.
> > >
> > >  It was 1 month ago. 2 months is enough time for waiting...
> > >  Maybe David has his own important issue, but providing a security update for
> > > users is important as well.
> > 
> > Agreed, given that there's no reaction from David feel free to hijack
> > viewvc. Maybe you can sponsor the upload prepared by John, making him
> > the new maintainer?
> 
> 	Hi there.  As Hideki Yamane said, I sadly had a very important issue.
> 
> 	I'm currently reviewing the backlog, but please feel free to tell me how I 
> can help in this issue.

I suggest moving viewvc to group maintenance; this way John and other
interested people can join efforts and the package isn't unmaintained
at times when you're busy. What do you think?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#575787; Package viewvc. (Fri, 04 Jun 2010 19:15:09 GMT) (full text, mbox, link).


Acknowledgement sent to David Martínez Moreno <ender@debian.org>:
Extra info received and forwarded to list. (Fri, 04 Jun 2010 19:15:09 GMT) (full text, mbox, link).


Message #40 received at 575787@bugs.debian.org (full text, mbox, reply):

From: David Martínez Moreno <ender@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 532611@bugs.debian.org
Cc: 575787@bugs.debian.org, Hideki Yamane <henrich@debian.or.jp>, John Zaitseff <J.Zaitseff@zap.org.au>, 575777@bugs.debian.org, 570573@bugs.debian.org, David Martínez Moreno <ender@debian.org>
Subject: Re: Bug#532611: Bug#575787: Please package viewvc 1.1.5
Date: Fri, 4 Jun 2010 21:11:44 +0200
[Message part 1 (text/plain, inline)]
On Friday, 4 June 2010, Moritz Muehlenhoff wrote:
> On Fri, Jun 04, 2010 at 07:08:56AM +0100, David Martínez Moreno wrote:
> > On Friday, 4 June 2010, Moritz Muehlenhoff wrote:
> > > On Tue, May 04, 2010 at 06:21:49AM +0900, Hideki Yamane wrote:
> > > > On Fri, 2 Apr 2010 22:47:03 +0200
> > > >
> > > > Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > > > > The Security Team contacted David three weeks ago about the viewvc
> > > > > maintenance status and didn't receive a reply.
> > > > >
> > > > > David, please consider handing maintenance over to John or move
> > > > > viewvc to group maintenance.
> > > >
> > > >  Ping.
> > > >
> > > >  It was 1 month ago. 2 months is enough time for waiting...
> > > >  Maybe David has his own important issue, but providing a security update
> > > > for users is important as well.
> > >
> > > Agreed, given that there's no reaction from David feel free to hijack
> > > viewvc. Maybe you can sponsor the upload prepared by John, making him
> > > the new maintainer?
> >
> > 	Hi there.  As Hideki Yamane said, I sadly had a very important issue.
> >
> > 	I'm currently reviewing the backlog, but please feel free to tell me how
> > I can help in this issue.
> 
> I suggest moving viewvc to group maintenance; this way John and other
> interested people can join efforts and the package isn't unmaintained
> at times when you're busy. What do you think?

	I agree, I'll set up a project in alioth for it.  I'll keep you posted.


		Ender.
-- 
Network engineer - System administrator
Debian Developer
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#575787; Package viewvc. (Sat, 05 Jun 2010 16:54:09 GMT) (full text, mbox, link).


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 05 Jun 2010 16:54:09 GMT) (full text, mbox, link).


Message #45 received at 575787@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.or.jp>
To: David Martínez Moreno <ender@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 575787@bugs.debian.org, John Zaitseff <J.Zaitseff@zap.org.au>, Debian bug 532611 <532611@bugs.debian.org>, 575777@bugs.debian.org, 570573@bugs.debian.org
Subject: Re: Bug#575787: Please package viewvc 1.1.5
Date: Sun, 6 Jun 2010 01:51:36 +0900
Hi,

On Fri, 4 Jun 2010 19:38:01 +0200
Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > 	I'm currently reviewing the backlog, but please feel free to tell me how I 
> > can help in this issue.
> 
> I suggest moving viewvc to group maintenance; this way John and other
> interested people can join efforts and the package isn't unmaintained
> at times when you're busy. What do you think?

 We're glad to hear an ack from the maintainer :)
 But the first thing you should do is upload an updated package to squash the security bugs,
 _then_ consider moving to group maintenance, IMO.


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#575787; Package viewvc. (Thu, 17 Jun 2010 00:27:09 GMT) (full text, mbox, link).


Acknowledgement sent to David Martínez Moreno <ender@debian.org>:
Extra info received and forwarded to list. (Thu, 17 Jun 2010 00:27:09 GMT) (full text, mbox, link).


Message #50 received at 575787@bugs.debian.org (full text, mbox, reply):

From: David Martínez Moreno <ender@debian.org>
To: John Zaitseff <J.Zaitseff@zap.org.au>, 575777@bugs.debian.org
Cc: Debian bug 532611 <532611@bugs.debian.org>, 575787@bugs.debian.org, 570573@bugs.debian.org
Subject: Re: Bug#575777: Please package viewvc 1.1.5
Date: Thu, 17 Jun 2010 02:22:28 +0200
[Message part 1 (text/plain, inline)]
On Thursday, 1 April 2010, John Zaitseff wrote:
> Dear David et al.,
> 
> Thank you for packaging ViewVC!
> 
> Rather a long time ago, I asked that viewvc 1.1.x be packaged.  At
> that time, I promised I would have a go at it myself, since I
> realised that the 1.1.x series represented some major changes.
> Unfortunately, I've been rather busy... until now, that is.

	Hello, John.  I haven't got enough words to give you thanks for your work.

	I'm currently reviewing your changes and I'd like to merge them into the 
current structure.  I understand that you forked the tree a long time ago, and 
I'd like to reconcile both trees.  That said, I'd like to trim down all the 
internal releases you did in ZAP Group and merge them into a big changelog for 
1.1.5-1 (entirely devoted to you, by the way :-).  Given that I have the 
highest respect for you, do you mind if I do that?
 
> I have finally created a completely-overhauled viewvc 1.1.x package,
> based on your work and on Ender's patch.  Could you please package
> the latest ViewVC, 1.1.5, using this patch (attached to this
> e-mail)?  You can get the full debian directory by running:

[...]

> Highlights of my changes:
> 
> * ViewVC 1.1.5 closes some important cross-site scripting problems
>   (Closes: #532611, #575777, #575787).  This solves CVE-2010-0004,
>   CVE-2010-0005 and CVE-2010-0736.

	Of course, this is the most critical part.

> * Updated all dependencies, based on what is required for ViewVC
>   1.1.5.  In particular: the XS-Python-Version field is set to "all"
>   (Closes: #570573); depend on apache2 | httpd-cgi, not apache |
>   httpd (we need a CGI server); python-egenix-mxdatetime and
>   enscript are no longer required/suggested (python-pygments is
>   recommended instead of enscript).

	Agreed.

> * Packaged the Apache mod-python modules for optional use (in
>   /usr/lib/viewvc/mod-python) and added instructions in
>   README.Debian on how to access it.

	Great!

> * Wrote a manual page for /usr/bin/viewvc-standalone.
> 
> * Rewrote the README.Debian, NEWS and TODO files as appropriate.
> 
> * Moved to Debian policy 3.8.4 and Debhelper 7.  Dealt with as many
>   Lintian warnings as possible.  Converted all files to UTF-8 as
>   appropriate.
> 
> * Refreshed all files in debian/patches: most no longer apply,
>   although support for robots.txt (01-robots-support), changes to
>   viewvc-install (90-viewvc-install-debian-paths) and to
>   viewvc.conf.dist (91-viewvc-conf-debian-custom) still do.  Tweaked
>   some file modes as used by viewvc-install.  All patch files now
>   use -p1, making the future move to source version 3.0 (quilt) much
>   easier.

	Perfect.  I'll need to review viewvc-install again, as it was the source 
of many nightmares months ago.

> * The file /etc/viewvc/viewvc.conf is a conffile: maintainer scripts
>   must NOT modify it (as previous versions of the ViewVC package
>   do!).  For this version, I've removed all Debconf scripts, since I
>   don't particularly like my configuration files modified!  A better
>   solution would be to use something like ucf(1)...

	Completely agree.  The configuration scripts are a complete nightmare as 
well, so probably using ucf would be the sanest option.

	Best regards,


		Ender.
-- 
Network engineer - System administrator
Debian Developer
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from David Martínez Moreno <ender@debian.org> to control@bugs.debian.org. (Wed, 30 Jun 2010 22:03:14 GMT) (full text, mbox, link).


Reply sent to David Martínez Moreno <ender@debian.org>:
You have taken responsibility. (Fri, 02 Jul 2010 00:36:11 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Fri, 02 Jul 2010 00:36:11 GMT) (full text, mbox, link).


Message #57 received at 575787-close@bugs.debian.org (full text, mbox, reply):

From: David Martínez Moreno <ender@debian.org>
To: 575787-close@bugs.debian.org
Subject: Bug#575787: fixed in viewvc 1.1.5-1
Date: Fri, 02 Jul 2010 00:32:40 +0000
Source: viewvc
Source-Version: 1.1.5-1

We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive:

viewvc-query_1.1.5-1_all.deb
  to main/v/viewvc/viewvc-query_1.1.5-1_all.deb
viewvc_1.1.5-1.diff.gz
  to main/v/viewvc/viewvc_1.1.5-1.diff.gz
viewvc_1.1.5-1.dsc
  to main/v/viewvc/viewvc_1.1.5-1.dsc
viewvc_1.1.5-1_all.deb
  to main/v/viewvc/viewvc_1.1.5-1_all.deb
viewvc_1.1.5.orig.tar.gz
  to main/v/viewvc/viewvc_1.1.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 575787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Martínez Moreno <ender@debian.org> (supplier of updated viewvc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 02 Jul 2010 02:24:34 +0200
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.1.5-1
Distribution: unstable
Urgency: medium
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: David Martínez Moreno <ender@debian.org>
Description: 
 viewvc     - web interface for CVS and/or Subversion repositories
 viewvc-query - utility to query CVS and Subversion commit database
Closes: 434301 532611 570573 575777 575787 576307 585366
Changes: 
 viewvc (1.1.5-1) unstable; urgency=medium
 .
   [ John Zaitseff ]
   * New upstream release (closes: #532611, #575777, #575787, #576307).  This
     solves CVE-2010-0004, CVE-2010-0005, CVE-2010-0736 and CVE-2010-0132.
   * Extensive rewrite of files in the debian directory.  Updated to Debian
     policy 3.8.4, updated all control files to Debhelper 7, rewrote
     debian/rules for clarity (and to use Debhelper 7).
   * Removed all references to Debconf, as previous versions of this
     package violated Debian policy (section 10.7.3): /etc/viewvc/viewvc.conf
     is a conffile, and maintainer scripts must NOT modify it at any time.
   * Reorganised the installation files in /usr/lib/viewvc.  The CGI
     programs are now links to files in /usr/lib/viewvc/cgi-bin.
   * Packaged the Apache mod-python modules for optional use (in
     /usr/lib/viewvc/mod-python).  See README.Debian for more information.
   * Moved the static help documentation ("docroot") from /usr/share/viewvc
     to /usr/share/viewvc/docroot, as per Webapps Policy, section 3.1.
   * Updated the debian/patches subdirectory to remove patches no longer
     relevant to ViewVC 1.1.x and to update those that still apply.
   * debian/control:
     - Removed the dependency on gawk, as that was only required for Debconf
       configuration.
     - Demoted the dependency on mime-support to "Suggests": ViewVC can use
       it, if appropriately configured, but does not require it.
     - Added a suggestion for the python-tk package: viewvc-standalone(1)
       uses this when passed the "--gui" flag.
     - Modified all dependencies as appropriate.  Depend on httpd-cgi, not
       httpd, since the viewvc package needs a CGI server.  In addition,
       python-egenix-mxdatetime is no longer needed (since ViewVC 1.0.x).
     - Updated the XS-Python-Version field to "all" (Closes: #570573).
     - ViewVC 1.1.x supports only python-pygments as a syntax highlighter,
       not enscript.  Adjusted dependencies as appropriate.
 .
   [ David Martínez Moreno ]
   * Changed history and added the CVE entry to the changelog for 1.0.9-1.
   * debian/control:
     - Moved Section to vcs in order to match the overrides.
     - Make python-dev dependency just python.
     - Removed dummy package viewcvs, it was already dummy in lenny.
   * debian/viewcvs.*: Removed.
   * debian/NEWS: Fixed version in John's entry and removed old news from 0.9.4.
   * debian/README.source: Added.
   * The new release also addresses in a different way how to show long
     annotation messages (closes: #434301).
   * Added debian/patches/92-no_strings_in_raise for fixing a couple of
     occurrences of string exceptions in the code, no longer valid in Python
     2.6, the default now (closes: #585366).
Checksums-Sha1: 
 9b2a0d8dd38c31b5bff9026cbc7b368611d885c4 1091 viewvc_1.1.5-1.dsc
 988d7b9e13af194696db9cba5446510367720b91 593630 viewvc_1.1.5.orig.tar.gz
 afa41c5ef57c55231c32eab33bbb69490739182e 18822 viewvc_1.1.5-1.diff.gz
 7e528278a26f9638f2d05974b2d8a4fc2d34f19f 604768 viewvc_1.1.5-1_all.deb
 d7df1604cf1069d397e9addf6df76ccf268b4eb3 12106 viewvc-query_1.1.5-1_all.deb
Checksums-Sha256: 
 ebfe960119a949b6126553b191508efa60b52ed0989dee1dae072b0cfa5a25c1 1091 viewvc_1.1.5-1.dsc
 32ce717330fc780e9c2341cca800079078e9935581d4dfd526e4a15fc1d94919 593630 viewvc_1.1.5.orig.tar.gz
 4633adb209af1f3cfee6dfe18715424d012ffd6dd4d95f8346b03f8500064a99 18822 viewvc_1.1.5-1.diff.gz
 84d4ee674ea54541d34311a627d9b32878edb92eaf525c05879922e2307c7b9f 604768 viewvc_1.1.5-1_all.deb
 73a8d31910e6593b2a5990910c3f05d5c8d0944866d29db3969986a9ec4aea14 12106 viewvc-query_1.1.5-1_all.deb
Files: 
 f0a4f1a48f610824c450687fb070aef4 1091 vcs optional viewvc_1.1.5-1.dsc
 da7bbcf6800383ebb23405a064c6faf8 593630 vcs optional viewvc_1.1.5.orig.tar.gz
 d16f09f30db18e696bef79adeac49b79 18822 vcs optional viewvc_1.1.5-1.diff.gz
 c4543a69d946e3bee8adb88c4cfde267 604768 vcs optional viewvc_1.1.5-1_all.deb
 fab0d4e50e1b09202654c6edfff8ebda 12106 vcs optional viewvc-query_1.1.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwtMlIACgkQWs/EhA1iABuLZQCg0L0h7eQF1I2AZbGlMsyD2tu1
7EIAoLn6D4g54q8+HDfRDdKxb6Njrepy
=URwR
-----END PGP SIGNATURE-----
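The closing message above is a signed .changes file whose `Checksums-Sha1`, `Checksums-Sha256` and `Files` fields bind the uploaded .dsc, .diff.gz, .orig.tar.gz and .deb files to the upload. As an added example (not code from Debian's archive tooling or from the viewvc package), here is a small parser for those fields and a verifier that checks downloaded files against them; the .changes text, file names and file contents in `demo()` are constructed so the script runs offline:

```python
import hashlib
import os
import tempfile

# Which .changes field carries each digest.  'Files' is the legacy MD5 list and
# has extra section/priority columns; the Checksums-* fields are digest, size, name.
FIELD_FOR_ALGO = {"md5": "Files", "sha1": "Checksums-Sha1", "sha256": "Checksums-Sha256"}


def parse_checksum_field(changes_text: str, field: str) -> dict:
    """Return {filename: (hexdigest, size_in_bytes)} for one checksum field.
    Continuation lines start with a space; the field ends at the first line
    that does not.  The filename is always the last column."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line.startswith(field + ":")
            continue
        if not line.startswith(" "):
            break
        parts = line.split()
        if len(parts) >= 3:
            entries[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return entries


def file_digest(path: str, algo: str) -> str:
    """Stream the file through hashlib so large .orig.tar.gz files are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(changes_text: str, directory: str, algo: str = "sha256") -> dict:
    """Check every file listed in the chosen field under `directory`.  The result
    per file is one of 'ok', 'missing', 'size mismatch' or 'digest mismatch'."""
    results = {}
    listed = parse_checksum_field(changes_text, FIELD_FOR_ALGO[algo])
    for name, (digest, size) in listed.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size mismatch"
        elif file_digest(path, algo) != digest:
            results[name] = "digest mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one altered after the .changes was
    written (same size, different bytes), and one never downloaded."""
    good = b"intact upload contents\n"
    tampered_original = b"original contents\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.tar.gz"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "tampered.deb"), "wb") as fh:
            fh.write(b"oRiginal contents\n")  # same length, one byte changed
        changes = (
            "Format: 1.8\n"
            "Source: example\n"
            "Checksums-Sha256: \n"
            " %s %d good.tar.gz\n"
            " %s %d tampered.deb\n"
            " %s %d absent.dsc\n"
            "Files: \n"
            " %s %d vcs optional good.tar.gz\n"
        ) % (
            hashlib.sha256(good).hexdigest(), len(good),
            hashlib.sha256(tampered_original).hexdigest(), len(tampered_original),
            "0" * 64, 1091,  # placeholder digest for a file that was never fetched
            hashlib.md5(good).hexdigest(), len(good),
        )
        return verify_changes(changes, d, "sha256")
```

Prefer the `Checksums-Sha256` field over the MD5 digests in `Files`, and remember that the digests only tie the files to the .changes text itself: the PGP signature wrapping that text is what ties them to the uploader, so check the signature (for example with `gpg --verify`) before trusting the checksums.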





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 10:12:17 GMT) (full text, mbox, link).

