Discussion: gitweb security hole (CVE-2010-3906)
Just read this on the Fedora update feed:

> Update to 1.7.3.4 release which fixes various issues, notably:
>
> * cross-site scripting (XSS) flaw was found in the web interface of Git
>   distributed revision control system. A remote attacker could use this
>   flaw to execute arbitrary HTML or scripting code by providing a certain
>   URL with specially-crafted values of f and fp variables. (CVE-2010-3906)

Not sure if that impacts the PG gitweb server, but seems like it merits
prompt investigation.

regards, tom lane
On Mon, Jan 3, 2011 at 21:07, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Just read this on the Fedora update feed:
>
>> Update to 1.7.3.4 release which fixes various issues, notably:
>>
>> * cross-site scripting (XSS) flaw was found in the web interface of Git
>>   distributed revision control system. A remote attacker could use this
>>   flaw to execute arbitrary HTML or scripting code by providing a certain
>>   URL with specially-crafted values of f and fp variables. (CVE-2010-3906)
>
> Not sure if that impacts the PG gitweb server, but seems like it merits
> prompt investigation.

Probably does, will investigate and upgrade.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
On Mon, Jan 3, 2011 at 21:11, Magnus Hagander <magnus@hagander.net> wrote:
> On Mon, Jan 3, 2011 at 21:07, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Just read this on the Fedora update feed:
>>
>>> Update to 1.7.3.4 release which fixes various issues, notably:
>>>
>>> * cross-site scripting (XSS) flaw was found in the web interface of Git
>>>   distributed revision control system. A remote attacker could use this
>>>   flaw to execute arbitrary HTML or scripting code by providing a certain
>>>   URL with specially-crafted values of f and fp variables. (CVE-2010-3906)
>>
>> Not sure if that impacts the PG gitweb server, but seems like it merits
>> prompt investigation.
>
> Probably does, will investigate and upgrade.

Upgraded.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/