-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Moritz Naumann wrote:
> This was previously considered a HTTP response splitting vulnerability
> by Jose Antonio Coret (Joxean Koret)
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030514.html
> (BID 12112, couldn't find a CVE, AFAICT it is _not_ CAN-2004-1062)
> and, according to him, a patch has been stored on the 1.0-dev CVS
> branch. The 0.9.4 release on viewvc.tigris.org seems to be unpatched and
> it's possible that some Linux distributions and whoever would normally
> care were never patched against this.

I was wrong when I assumed that the 0.9.4 release on viewvc.tigris.org
was unpatched against the issues discovered by Jose Antonio Coret
(Joxean Koret). This issue was actually fixed by the ViewCVS developers
in version 0.9.3.

I am sorry for the misconception and the confusion this has caused.

This does not impact how much the rest of my report applies.

My findings are now being discussed on the ViewVC developers mailing
list [1]. They apparently also impact ViewVC. Whether and to which
degree what I am reporting can be considered a security issue is,
however, currently subject to discussion. For now, please follow up
there only.

I will be back to the security mailing lists as soon as this has been
sufficiently discussed and there is something noteworthy to be said.

Moritz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF440Vn6GkvSd/BgwRApdwAKCL+aPccWHsmq4Y6MP/SzrjMDtpVACbBVUE
bh85P5I1agzH5TdDwk8KxiM=
=Gsp7
-----END PGP SIGNATURE-----