ViewCVS (FORBIDDEN ports scheduled for removal)

Garance A Drosihn drosih at rpi.edu
Fri Mar 28 14:46:46 PST 2003


At 5:31 PM -0800 3/27/03, Kris Kennaway wrote:
>
>The following ports have been marked FORBIDDEN for at least 4 months
>and are scheduled for removal after May 1 2003.  Please check for any
>updates to your ports and/or discuss the vulnerabilities with the
>developers.  If I do not hear anything from you before May 1 these
>ports will be removed as scheduled.
>
>devel/viewcvs

Well, I don't work with ViewCVS, but it sounds like an interesting
program.  I notice that at:

http://www.securityfocus.com/bid/4818/solution/

there are two different proposed patches for this problem.  Also,
if one checks revision 1.108 at:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/lib/viewcvs.py

they seem to have an alternate fix committed, which has been in
"the head branch" of ViewCVS since April 2002.  However, I do not
know why they have not yet released something newer than 0.9.2.

It does look like the project has been busy recently, so it's
very likely that we'd want to add viewcvs back into ports once
they *do* get a new version officially released.

I'm not a ports committer, and I don't use ViewCVS, but I'm hoping
that my little bit of investigation will inspire someone who does
use it to test and send in an appropriate fix for the security
issue.   :-)

-- 
Garance Alistair Drosehn            =   gad at gilead.netel.rpi.edu
Senior Systems Programmer           or  gad at freebsd.org
Rensselaer Polytechnic Institute    or  drosih at rpi.edu

