ID FEDORA:3606F21308 Type fedora Reporter Fedora Modified 2012-07-11T23:58:08
Description
ViewVC is a browser interface for CVS and Subversion version control repositories. It generates templatized HTML to present navigable directory, revision, and change log listings. It can display specific versions of files as well as diffs between those versions. Basically, ViewVC provides the bulk of the report-like functionality you expect out of your version control tool, but much more prettily than the average textual command-line program output.
{"id": "FEDORA:3606F21308", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 16 Update: viewvc-1.1.15-1.fc16", "description": "ViewVC is a browser interface for CVS and Subversion version control repositories. It generates templatized HTML to present navigable directory, revision, and change log listings. It can display specific versions of files as well as diffs between those versions. Basically, ViewVC provides the bulk of the report-like functionality you expect out of your version control too l, but much more prettily than the average textual command-line program output. ", "published": "2012-07-11T23:58:08", "modified": "2012-07-11T23:58:08", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "lastseen": "2020-12-21T08:17:51", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-3356", "CVE-2012-3357"]}, {"type": "openvas", "idList": ["OPENVAS:864545", "OPENVAS:136141256231072534", "OPENVAS:864541", "OPENVAS:1361412562310864545", "OPENVAS:1361412562310864541", "OPENVAS:72534"]}, {"type": "nessus", "idList": ["FEDORA_2012-9371.NASL", "OPENSUSE-2012-363.NASL", "DEBIAN_DSA-2563.NASL", "FEDORA_2012-9433.NASL", "MANDRIVA_MDVSA-2013-134.NASL"]}, {"type": "fedora", "idList": ["FEDORA:ACB5821316"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12674", "SECURITYVULNS:DOC:28690"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2563-1:F7A08"]}], "modified": "2020-12-21T08:17:51", "rev": 2}, "score": {"value": 6.2, "vector": "NONE", "modified": "2020-12-21T08:17:51", "rev": 2}, "vulnersScore": 6.2}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "16", "arch": "any", "packageName": "viewvc", "packageVersion": "1.1.15", "packageFilename": "UNKNOWN", "operator": "lt"}], "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:59:51", "description": "The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.", "edition": 6, "cvss3": {}, "published": "2012-07-22T16:55:00", "title": "CVE-2012-3356", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3356"], "modified": "2018-08-13T21:47:00", "cpe": ["cpe:/a:viewvc:viewvc:1.1.2", "cpe:/a:viewvc:viewvc:1.0.2", "cpe:/a:viewvc:viewvc:1.1.0", "cpe:/a:viewvc:viewvc:1.1.3", "cpe:/a:viewvc:viewvc:1.1.10", "cpe:/a:viewvc:viewvc:1.0.7", "cpe:/a:viewvc:viewvc:0.8", "cpe:/a:viewvc:viewvc:1.0.5", "cpe:/a:viewvc:viewvc:1.1.7", "cpe:/a:viewvc:viewvc:1.1.1", "cpe:/a:viewvc:viewvc:0.9.1", "cpe:/a:viewvc:viewvc:0.9.2", "cpe:/a:viewvc:viewvc:1.0.11", "cpe:/a:viewvc:viewvc:1.0.3", "cpe:/a:viewvc:viewvc:1.0.6", "cpe:/a:viewvc:viewvc:1.1.11", "cpe:/a:viewvc:viewvc:1.0.10", "cpe:/a:viewvc:viewvc:0.9.3", "cpe:/a:viewvc:viewvc:1.1.5", "cpe:/a:viewvc:viewvc:1.0.9", "cpe:/a:viewvc:viewvc:1.1.4", "cpe:/a:viewvc:viewvc:1.1.14", "cpe:/a:viewvc:viewvc:1.1.9", "cpe:/a:viewvc:viewvc:1.1.13", "cpe:/a:viewvc:viewvc:1.0.1", "cpe:/a:viewvc:viewvc:1.0.0", "cpe:/a:viewvc:viewvc:1.0.4", "cpe:/a:viewvc:viewvc:0.9.4", "cpe:/a:viewvc:viewvc:1.0.8", "cpe:/a:viewvc:viewvc:1.1.8", "cpe:/a:viewvc:viewvc:1.1.12", "cpe:/a:viewvc:viewvc:1.1.6", "cpe:/a:viewvc:viewvc:0.9"], "id": "CVE-2012-3356", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3356", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:51", "description": "The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to 
a \"log msg leak.\"", "edition": 6, "cvss3": {}, "published": "2012-07-22T16:55:00", "title": "CVE-2012-3357", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3357"], "modified": "2017-08-29T01:31:00", "cpe": ["cpe:/a:viewvc:viewvc:1.1.2", "cpe:/a:viewvc:viewvc:1.0.2", "cpe:/a:viewvc:viewvc:1.1.0", "cpe:/a:viewvc:viewvc:1.1.3", "cpe:/a:viewvc:viewvc:1.1.10", "cpe:/a:viewvc:viewvc:1.0.7", "cpe:/a:viewvc:viewvc:0.8", "cpe:/a:viewvc:viewvc:1.0.5", "cpe:/a:viewvc:viewvc:1.1.7", "cpe:/a:viewvc:viewvc:1.1.1", "cpe:/a:viewvc:viewvc:0.9.1", "cpe:/a:viewvc:viewvc:0.9.2", "cpe:/a:viewvc:viewvc:1.0.11", "cpe:/a:viewvc:viewvc:1.0.3", "cpe:/a:viewvc:viewvc:1.0.6", "cpe:/a:viewvc:viewvc:1.1.11", "cpe:/a:viewvc:viewvc:1.0.10", "cpe:/a:viewvc:viewvc:0.9.3", "cpe:/a:viewvc:viewvc:1.1.5", "cpe:/a:viewvc:viewvc:1.0.9", "cpe:/a:viewvc:viewvc:1.1.4", "cpe:/a:viewvc:viewvc:1.1.14", "cpe:/a:viewvc:viewvc:1.1.9", "cpe:/a:viewvc:viewvc:1.1.13", "cpe:/a:viewvc:viewvc:1.0.1", "cpe:/a:viewvc:viewvc:1.0.0", "cpe:/a:viewvc:viewvc:1.0.4", "cpe:/a:viewvc:viewvc:0.9.4", "cpe:/a:viewvc:viewvc:1.0.8", "cpe:/a:viewvc:viewvc:1.1.8", "cpe:/a:viewvc:viewvc:1.1.12", "cpe:/a:viewvc:viewvc:1.1.6", "cpe:/a:viewvc:viewvc:0.9"], "id": "CVE-2012-3357", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3357", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:39:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-08-30T00:00:00", "id": "OPENVAS:1361412562310864545", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864545", "type": "openvas", "title": "Fedora Update for viewvc FEDORA-2012-9433", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for viewvc FEDORA-2012-9433\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083728.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864545\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 11:52:03 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-3356\", \"CVE-2012-3357\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name:\"FEDORA\", value:\"2012-9433\");\n script_name(\"Fedora Update for viewvc FEDORA-2012-9433\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'viewvc'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 
Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"viewvc on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"viewvc\", rpm:\"viewvc~1.1.15~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2018-01-06T13:07:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "description": "Check for the Version of viewvc", "modified": "2018-01-05T00:00:00", "published": "2012-07-16T00:00:00", "id": "OPENVAS:864541", "href": "http://plugins.openvas.org/nasl.php?oid=864541", "type": "openvas", "title": "Fedora Update for viewvc FEDORA-2012-9371", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for viewvc FEDORA-2012-9371\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"viewvc on Fedora 16\";\ntag_insight = \"ViewVC is a browser interface for CVS and Subversion version control\n repositories. It generates templatized HTML to present navigable directory,\n revision, and change log listings. It can display specific versions of files\n as well as diffs between those versions. Basically, ViewVC provides the bulk\n of the report-like functionality you expect out of your version control tool,\n but much more prettily than the average textual command-line program output.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083727.html\");\n script_id(864541);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-16 11:51:38 +0530 (Mon, 16 Jul 2012)\");\n script_cve_id(\"CVE-2012-3356\", \"CVE-2012-3357\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2012-9371\");\n script_name(\"Fedora Update for viewvc FEDORA-2012-9371\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of viewvc\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"viewvc\", rpm:\"viewvc~1.1.15~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:38:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-16T00:00:00", "id": "OPENVAS:1361412562310864541", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864541", "type": "openvas", "title": "Fedora Update for viewvc FEDORA-2012-9371", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for viewvc FEDORA-2012-9371\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083727.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864541\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-16 11:51:38 +0530 (Mon, 16 Jul 2012)\");\n script_cve_id(\"CVE-2012-3356\", \"CVE-2012-3357\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name:\"FEDORA\", value:\"2012-9371\");\n script_name(\"Fedora Update for viewvc FEDORA-2012-9371\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'viewvc'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"viewvc on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == 
\"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"viewvc\", rpm:\"viewvc~1.1.15~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2018-01-02T10:57:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "description": "Check for the Version of viewvc", "modified": "2017-12-26T00:00:00", "published": "2012-08-30T00:00:00", "id": "OPENVAS:864545", "href": "http://plugins.openvas.org/nasl.php?oid=864545", "type": "openvas", "title": "Fedora Update for viewvc FEDORA-2012-9433", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for viewvc FEDORA-2012-9433\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"viewvc on Fedora 17\";\ntag_insight = \"ViewVC is a browser interface for CVS and Subversion version control\n repositories. It generates templatized HTML to present navigable directory,\n revision, and change log listings. 
It can display specific versions of files\n as well as diffs between those versions. Basically, ViewVC provides the bulk\n of the report-like functionality you expect out of your version control tool,\n but much more prettily than the average textual command-line program output.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083728.html\");\n script_id(864545);\n script_version(\"$Revision: 8245 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-26 07:29:59 +0100 (Tue, 26 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 11:52:03 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-3356\", \"CVE-2012-3357\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2012-9433\");\n script_name(\"Fedora Update for viewvc FEDORA-2012-9433\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of viewvc\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"viewvc\", rpm:\"viewvc~1.1.15~1.fc17\", rls:\"FC17\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:50:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357", "CVE-2012-4533", "CVE-2009-5024"], "description": "The remote host is missing an update to viewvc\nannounced via advisory DSA 2563-1.", "modified": "2017-07-07T00:00:00", "published": "2012-10-29T00:00:00", "id": "OPENVAS:72534", "href": "http://plugins.openvas.org/nasl.php?oid=72534", "type": "openvas", "title": "Debian Security Advisory DSA 2563-1 (viewvc)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2563_1.nasl 6612 2017-07-07 12:08:03Z cfischer $\n# Description: Auto-generated from advisory DSA 2563-1 (viewvc)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities were found in ViewVC, a web interface for CVS\nand Subversion repositories.\n\nCVE-2009-5024: remote attackers can bypass the cvsdb row_limit\nconfiguration setting, and consequently conduct resource-consumption\nattacks via the limit parameter.\n\nCVE-2012-3356: the remote SVN views functionality does not properly\nperform authorization, which allows remote attackers to bypass intended\naccess restrictions.\n\nCVE-2012-3357: the SVN revision view does not properly handle log\nmessages when a readable path is copied from an unreadable path, which\nallows remote attackers to obtain sensitive information.\n\nCVE-2012-4533: function name lines returned by diff are not properly\nescaped, allowing attackers with commit access to perform cross site\nscripting.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 1.1.5-1.1+squeeze2.\n\nFor the testing distribution (wheezy), these problems will be fixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.1.5-1.4.\n\nWe recommend that you upgrade your viewvc packages.\";\ntag_summary = \"The remote host is missing an update to viewvc\nannounced via advisory DSA 2563-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202563-1\";\n\nif(description)\n{\n script_id(72534);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2009-5024\", \"CVE-2012-3356\", \"CVE-2012-3357\", \"CVE-2012-4533\");\n script_version(\"$Revision: 6612 $\");\n script_tag(name:\"last_modification\", 
value:\"$Date: 2017-07-07 14:08:03 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-29 10:19:52 -0400 (Mon, 29 Oct 2012)\");\n script_name(\"Debian Security Advisory DSA 2563-1 (viewvc)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"viewvc\", ver:\"1.1.5-1.1+squeeze2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"viewvc-query\", ver:\"1.1.5-1.1+squeeze2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:39:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357", "CVE-2012-4533", "CVE-2009-5024"], "description": "The remote host is missing an update to viewvc\nannounced via advisory DSA 2563-1.", "modified": "2019-03-18T00:00:00", "published": "2012-10-29T00:00:00", "id": "OPENVAS:136141256231072534", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231072534", "type": "openvas", "title": "Debian Security Advisory DSA 2563-1 (viewvc)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2563_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: 
Auto-generated from advisory DSA 2563-1 (viewvc)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.72534\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2009-5024\", \"CVE-2012-3356\", \"CVE-2012-3357\", \"CVE-2012-4533\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-29 10:19:52 -0400 (Mon, 29 Oct 2012)\");\n script_name(\"Debian Security Advisory DSA 2563-1 (viewvc)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB6\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202563-1\");\n script_tag(name:\"insight\", value:\"Several vulnerabilities were found in ViewVC, a web interface for CVS\nand Subversion repositories.\n\nCVE-2009-5024: remote attackers can bypass the cvsdb row_limit\nconfiguration setting, and consequently conduct resource-consumption\nattacks via the limit parameter.\n\nCVE-2012-3356: the remote SVN views functionality does not properly\nperform authorization, which allows remote attackers to bypass intended\naccess restrictions.\n\nCVE-2012-3357: the SVN revision view does not properly handle log\nmessages when a readable path is copied from an unreadable path, which\nallows remote attackers to obtain sensitive information.\n\nCVE-2012-4533: function name lines returned by diff are not properly\nescaped, allowing attackers with commit access to perform cross site\nscripting.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 1.1.5-1.1+squeeze2.\n\nFor the testing distribution (wheezy), these problems will be fixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.1.5-1.4.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your viewvc packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to viewvc\nannounced via advisory DSA 2563-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"viewvc\", ver:\"1.1.5-1.1+squeeze2\", rls:\"DEB6\")) != 
NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"viewvc-query\", ver:\"1.1.5-1.1+squeeze2\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-12T10:10:43", "description": "Version 1.1.14 (released 12-Jun-2012)\n\n - fix annotation of svn files with non-URI-safe paths\n (issue #504)\n\n - handle file:/// Subversion rootpaths as local roots\n (issue #446)\n\n - fix bug caused by trying to case-normalize anon\n usernames (issue #505)\n\n - speed up log handling by reusing tokenization results\n (issue #506)\n\n - add support for custom review log markup rules (issue\n #429)\n\nVersion 1.1.15 (released 22-Jun-2012)\n\n - security fix: complete authz support for remote SVN\n views (issue #353)\n\n - security fix: log msg leak in SVN revision view with\n unreadable copy source\n\n - fix several instances of incorrect information in\n remote SVN views\n\n - increase performance of some revision metadata lookups\n in remote SVN views\n\n - fix RSS feed regression introduced in 1.1.14\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-07-12T00:00:00", "title": "Fedora 17 : viewvc-1.1.15-1.fc17 (2012-9433)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "modified": "2012-07-12T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:viewvc"], "id": "FEDORA_2012-9433.NASL", "href": "https://www.tenable.com/plugins/nessus/59951", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-9433.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59951);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-3356\", \"CVE-2012-3357\");\n script_bugtraq_id(54197, 54199);\n script_xref(name:\"FEDORA\", value:\"2012-9433\");\n\n script_name(english:\"Fedora 17 : viewvc-1.1.15-1.fc17 (2012-9433)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Version 1.1.14 (released 12-Jun-2012)\n\n - fix annotation of svn files with non-URI-safe paths\n (issue #504)\n\n - handle file:/// Subversion rootpaths as local roots\n (issue #446)\n\n - fix bug caused by trying to case-normalize anon\n usernames (issue #505)\n\n - speed up log handling by reusing tokenization results\n (issue #506)\n\n - add support for custom review log markup rules (issue\n #429)\n\nVersion 1.1.15 (released 22-Jun-2012)\n\n - security fix: complete authz support for remote SVN\n views (issue #353)\n\n - security fix: log msg leak in 
SVN revision view with\n unreadable copy source\n\n - fix several instances of incorrect information in\n remote SVN views\n\n - increase performance of some revision metadata lookups\n in remote SVN views\n\n - fix RSS feed regression introduced in 1.1.14\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=835293\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-July/083728.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f2f572fd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected viewvc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:viewvc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"viewvc-1.1.15-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"viewvc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T12:25:15", "description": " - update to 1.1.15 (bnc#768680) :\n\n - security fix: complete authz support for remote SVN\n views (CVE-2012-3356)\n\n - security fix: log msg leak in SVN revision view with\n unreadable copy source (CVE-2012-3357)\n\nAdditionally the following non-security issues have been addressed :\n\n - fix several instances of incorrect information in remote\n SVN views\n\n - increase 
performance of some revision metadata lookups\n in remote SVN views\n\n - fix RSS feed regression introduced in 1.1.14\n\n - fix annotation of svn files with non-URI-safe paths\n\n - handle file:/// Subversion rootpaths as local roots\n\n - fix bug caused by trying to case-normalize anon\n usernames\n\n - speed up log handling by reusing tokenization results\n\n - add support for custom review log markup rules\n\n - fix svndbadmin failure on deleted paths under Subversion\n 1.7\n\n - fix annotation of files in svn roots with non-URI-safe\n paths\n\n - fix stray annotation warning in markup display of images\n\n - more gracefully handle attempts to display binary\n content\n\n - fix path display in patch and certain diff views\n\n - fix broken cvsdb glob searching\n\n - allow svn revision specifiers to have leading r's\n\n - allow environmental override of configuration location\n\n - fix exception HTML-escaping non-string data under WSGI\n\n - add links to root logs from roots view\n\n - use Pygments lexer-guessing functionality\n\n - add supplements for apache2/subversion-server", "edition": 19, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : viewvc (openSUSE-SU-2012:0831-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "modified": "2014-06-13T00:00:00", "cpe": ["cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:viewvc"], "id": "OPENSUSE-2012-363.NASL", "href": "https://www.tenable.com/plugins/nessus/74665", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-363.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74665);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-3356\", \"CVE-2012-3357\");\n\n script_name(english:\"openSUSE Security Update : viewvc (openSUSE-SU-2012:0831-1)\");\n script_summary(english:\"Check for the openSUSE-2012-363 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - update to 1.1.15 (bnc#768680) :\n\n - security fix: complete authz support for remote SVN\n views (CVE-2012-3356)\n\n - security fix: log msg leak in SVN revision view with\n unreadable copy source (CVE-2012-3357)\n\nAdditionally the following non-security issues have been addressed :\n\n - fix several instances of incorrect information in remote\n SVN views\n\n - increase performance of some revision metadata lookups\n in remote SVN views\n\n - fix RSS feed regression introduced in 1.1.14\n\n - fix annotation of svn files with non-URI-safe paths\n\n - handle file:/// Subversion rootpaths as local roots\n\n - fix bug caused by trying to case-normalize anon\n usernames\n\n - speed up log handling by reusing tokenization results\n\n - add support for custom review log markup rules\n\n - fix svndbadmin failure on deleted paths under Subversion\n 1.7\n\n - fix annotation of files in svn roots with non-URI-safe\n paths\n\n - fix stray annotation warning in markup display of images\n\n - more gracefully handle attempts to display binary\n content\n\n - fix path display in patch and certain diff views\n\n - fix broken cvsdb glob searching\n\n - allow svn revision specifiers to have leading r's\n\n - allow environmental override of configuration location\n\n - fix exception HTML-escaping non-string data under WSGI\n\n - add links to root logs from roots view\n\n - use Pygments lexer-guessing functionality\n\n - add supplements for apache2/subversion-server\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.novell.com/show_bug.cgi?id=768680\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-07/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected viewvc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:viewvc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/07/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"viewvc-1.1.15-4.4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"viewvc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:10:43", "description": "Version 1.1.14 (released 12-Jun-2012)\n\n - fix annotation of svn files with non-URI-safe paths\n (issue #504)\n\n - handle file:/// Subversion rootpaths as local roots\n (issue #446)\n\n - fix bug caused by trying to case-normalize anon\n usernames (issue #505)\n\n - speed up log handling by reusing tokenization results\n (issue #506)\n\n - add support for custom review log markup rules (issue\n #429)\n\nVersion 1.1.15 (released 22-Jun-2012)\n\n - security fix: complete authz support for remote SVN\n views (issue #353)\n\n - security fix: log msg leak in SVN revision view with\n unreadable copy source\n\n - fix several instances of incorrect information in\n remote SVN views\n\n - increase performance of some revision metadata lookups\n 
in remote SVN views\n\n - fix RSS feed regression introduced in 1.1.14\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-07-12T00:00:00", "title": "Fedora 16 : viewvc-1.1.15-1.fc16 (2012-9371)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "modified": "2012-07-12T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:16", "p-cpe:/a:fedoraproject:fedora:viewvc"], "id": "FEDORA_2012-9371.NASL", "href": "https://www.tenable.com/plugins/nessus/59950", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-9371.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59950);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-3356\", \"CVE-2012-3357\");\n script_bugtraq_id(54197, 54199);\n script_xref(name:\"FEDORA\", value:\"2012-9371\");\n\n script_name(english:\"Fedora 16 : viewvc-1.1.15-1.fc16 (2012-9371)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Version 1.1.14 (released 12-Jun-2012)\n\n - fix annotation of svn files with non-URI-safe paths\n (issue #504)\n\n - handle file:/// Subversion rootpaths as local roots\n (issue #446)\n\n - fix bug caused by trying to case-normalize anon\n usernames (issue #505)\n\n - speed up log handling by reusing tokenization results\n (issue #506)\n\n - add support for 
custom review log markup rules (issue\n #429)\n\nVersion 1.1.15 (released 22-Jun-2012)\n\n - security fix: complete authz support for remote SVN\n views (issue #353)\n\n - security fix: log msg leak in SVN revision view with\n unreadable copy source\n\n - fix several instances of incorrect information in\n remote SVN views\n\n - increase performance of some revision metadata lookups\n in remote SVN views\n\n - fix RSS feed regression introduced in 1.1.14\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=835293\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-July/083727.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6b70c6f4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected viewvc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:viewvc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"viewvc-1.1.15-1.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"viewvc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T11:54:09", "description": "Updated viewvc packages fix security vulnerabilities :\n\ncomplete authz support for remote SVN views (CVE-2012-3356).\n\nlog msg leak in SVN revision view with unreadable copy source\n(CVE-2012-3357).\n\nfunction name lines returned by diff are not properly escaped,\nallowing attackers with commit access to perform cross site scripting\n(CVE-2012-4533).\n\nSeveral 
other bugs were fixed as well.", "edition": 25, "published": "2013-04-20T00:00:00", "title": "Mandriva Linux Security Advisory : viewvc (MDVSA-2013:134)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357", "CVE-2012-4533"], "modified": "2013-04-20T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:viewvc"], "id": "MANDRIVA_MDVSA-2013-134.NASL", "href": "https://www.tenable.com/plugins/nessus/66146", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:134. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66146);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-3356\", \"CVE-2012-3357\", \"CVE-2012-4533\");\n script_bugtraq_id(54197, 54199, 56161);\n script_xref(name:\"MDVSA\", value:\"2013:134\");\n script_xref(name:\"MGASA\", value:\"2012-0175\");\n script_xref(name:\"MGASA\", value:\"2012-0313\");\n\n script_name(english:\"Mandriva Linux Security Advisory : viewvc (MDVSA-2013:134)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandriva Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated viewvc packages fix security vulnerabilities :\n\ncomplete authz support for remote SVN views (CVE-2012-3356).\n\nlog msg leak in SVN revision view with unreadable copy source\n(CVE-2012-3357).\n\nfunction name lines returned by diff are not properly escaped,\nallowing attackers with commit access to perform cross site scripting\n(CVE-2012-4533).\n\nSeveral other bugs were fixed as well.\"\n 
);\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected viewvc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:viewvc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"viewvc-1.1.15-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, 
extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T09:47:38", "description": "Several vulnerabilities were found in ViewVC, a web interface for CVS\nand Subversion repositories.\n\n - CVE-2009-5024\n Remote attackers can bypass the cvsdb row_limit\n configuration setting, and consequently conduct\n resource-consumption attacks via the limit parameter.\n\n - CVE-2012-3356\n The remote Subversion views functionality does not\n properly perform authorization, which allows remote\n attackers to bypass intended access restrictions.\n\n - CVE-2012-3357\n The Subversion revision view does not properly handle\n log messages when a readable path is copied from an\n unreadable path, which allows remote attackers to obtain\n sensitive information.\n\n - CVE-2012-4533\n 'function name' lines returned by diff are not properly\n escaped, allowing attackers with commit access to\n perform cross site scripting.", "edition": 17, "published": "2012-10-24T00:00:00", "title": "Debian DSA-2563-1 : viewvc - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3356", "CVE-2012-3357", "CVE-2012-4533", "CVE-2009-5024"], "modified": "2012-10-24T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:viewvc"], "id": "DEBIAN_DSA-2563.NASL", "href": "https://www.tenable.com/plugins/nessus/62665", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2563. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62665);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-5024\", \"CVE-2012-3356\", \"CVE-2012-3357\", \"CVE-2012-4533\");\n script_bugtraq_id(47928, 54197, 54199, 56161);\n script_xref(name:\"DSA\", value:\"2563\");\n\n script_name(english:\"Debian DSA-2563-1 : viewvc - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were found in ViewVC, a web interface for CVS\nand Subversion repositories.\n\n - CVE-2009-5024\n Remote attackers can bypass the cvsdb row_limit\n configuration setting, and consequently conduct\n resource-consumption attacks via the limit parameter.\n\n - CVE-2012-3356\n The remote Subversion views functionality does not\n properly perform authorization, which allows remote\n attackers to bypass intended access restrictions.\n\n - CVE-2012-3357\n The Subversion revision view does not properly handle\n log messages when a readable path is copied from an\n unreadable path, which allows remote attackers to obtain\n sensitive information.\n\n - CVE-2012-4533\n 'function name' lines returned by diff are not properly\n escaped, allowing attackers with commit access to\n perform cross site scripting.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-5024\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-3356\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2012-3357\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-4533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/viewvc\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2012/dsa-2563\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the viewvc packages.\n\nFor the stable distribution (squeeze), these problems have been fixed\nin version 1.1.5-1.1+squeeze2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:viewvc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"viewvc\", reference:\"1.1.5-1.1+squeeze2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"viewvc-query\", reference:\"1.1.5-1.1+squeeze2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3356", "CVE-2012-3357"], "description": "ViewVC is a browser interface for CVS and Subversion version control repositories. It generates templatized HTML to present navigable directory, revision, and change log listings. It can display specific versions of files as well as diffs between those versions. Basically, ViewVC provides the bulk of the report-like functionality you expect out of your version control tool, but much more prettily than the average textual command-line program output. 
", "modified": "2012-07-11T23:58:27", "published": "2012-07-11T23:58:27", "id": "FEDORA:ACB5821316", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: viewvc-1.1.15-1.fc17", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2020-11-11T13:19:59", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3356", "CVE-2012-3357", "CVE-2012-4533", "CVE-2009-5024"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2563-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nOctober 23, 2012 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : viewvc\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2009-5024 CVE-2012-3356 CVE-2012-3357 CVE-2012-4533\n\nSeveral vulnerabilities were found in ViewVC, a web interface for CVS\nand Subversion repositories.\n\nCVE-2009-5024: remote attackers can bypass the cvsdb row_limit\nconfiguration setting, and consequently conduct resource-consumption\nattacks via the limit parameter.\n\nCVE-2012-3356: the remote SVN views functionality does not properly\nperform authorization, which allows remote attackers to bypass intended\naccess restrictions.\n\nCVE-2012-3357: the SVN revision view does not properly handle log\nmessages when a readable path is copied from an unreadable path, which\nallows remote attackers to obtain sensitive information.\n\nCVE-2012-4533: "function name" lines returned by diff are not properly\nescaped, allowing attackers with commit access to perform cross site\nscripting.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 1.1.5-1.1+squeeze2.\n\nFor the testing distribution (wheezy), these problems will be fixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.1.5-1.4.\n\nWe recommend that you upgrade 
your viewvc packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2012-10-23T16:59:55", "published": "2012-10-23T16:59:55", "id": "DEBIAN:DSA-2563-1:F7A08", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2012/msg00207.html", "title": "[SECURITY] [DSA 2563-1] viewvc security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "cvelist": ["CVE-2012-3356", "CVE-2012-3357", "CVE-2012-4533", "CVE-2009-5024"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2563-1 security@debian.org\r\nhttp://www.debian.org/security/ Thijs Kinkhorst\r\nOctober 23, 2012 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : viewvc\r\nVulnerability : several\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2009-5024 CVE-2012-3356 CVE-2012-3357 CVE-2012-4533\r\n\r\nSeveral vulnerabilities were found in ViewVC, a web interface for CVS\r\nand Subversion repositories.\r\n\r\nCVE-2009-5024: remote attackers can bypass the cvsdb row_limit\r\nconfiguration setting, and consequently conduct resource-consumption\r\nattacks via the limit parameter.\r\n\r\nCVE-2012-3356: the remote SVN views functionality does not properly\r\nperform authorization, which allows remote attackers to bypass intended\r\naccess restrictions.\r\n\r\nCVE-2012-3357: the SVN revision view does not properly handle log\r\nmessages when a readable path is copied from an unreadable path, which\r\nallows remote attackers 
to obtain sensitive information.\r\n\r\nCVE-2012-4533: "function name" lines returned by diff are not properly\r\nescaped, allowing attackers with commit access to perform cross site\r\nscripting.\r\n\r\nFor the stable distribution (squeeze), these problems have been fixed in\r\nversion 1.1.5-1.1+squeeze2.\r\n\r\nFor the testing distribution (wheezy), these problems will be fixed soon.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 1.1.5-1.4.\r\n\r\nWe recommend that you upgrade your viewvc packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJQhsyYAAoJEFb2GnlAHawE7j8H/3ia37jApEd5Ezu0M6thMAlL\r\nguzjGVyDkyVivRerwZdDVE7Q9HDSDq/MFFg17XqWymg+yhlkeFnVxG3AcLbvR+z6\r\nOh+Pb18Khnl8mWuGoQjWDVEC6P6Ii5eiscg5C1bEHrnNUsMPWYYR9JEb976E2r5K\r\nVpk4SVWRo46i/PSMwvr2CZcGWN76hFTVref5DePDiO+Jkb+iVbba6wob5Ln+920g\r\nry+QcFG0Fogf181tQWpz/7SXv9msuth5H4EBm6kOlzTYzK7cI02TtsC1JWc/9pGe\r\niXMgaNzGhTwsOKy9Fdckw4HiPasYUaMRJUSKu2sdZSDngxmAwQxmPUyJNl710PE=\r\n=cHnT\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2012-10-29T00:00:00", "published": "2012-10-29T00:00:00", "id": "SECURITYVULNS:DOC:28690", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28690", "title": "[SECURITY] [DSA 2563-1] viewvc security update", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:49", "bulletinFamily": "software", "cvelist": ["CVE-2012-3356", "CVE-2012-4768", "CVE-2012-3357", "CVE-2012-4975", "CVE-2012-4973", "CVE-2012-4974", "CVE-2012-4977", "CVE-2012-4976", "CVE-2012-4972", "CVE-2012-4971", "CVE-2012-4533", "CVE-2009-5024"], "description": "PHP 
inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2012-10-29T00:00:00", "published": "2012-10-29T00:00:00", "id": "SECURITYVULNS:VULN:12674", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12674", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}