
Security: Execution of arbitrary commands in ReviewBoard
Name: Execution of arbitrary commands in ReviewBoard
ID: FEDORA-2011-15933
Distribution: Fedora
Platforms: Fedora 15
Date: Tue, 29 November 2011, 08:04
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4312
Applications: Review Board

Original message

Name        : ReviewBoard
Product     : Fedora 15
Version     : 1.5.7
Release     : 1.fc15
URL         : http://www.review-board.org
Summary     : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.

--------------------------------------------------------------------------------
Update Information:

- New upstream security release 1.5.7
- Security Fixes:
- A script injection vulnerability was discovered in the commenting system.
  This affected the diff viewer and screenshot pages, and allowed a commenter
  to break the page and execute JavaScript
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov 15 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.7-1
- New upstream security release 1.5.7
- Security Fixes:
- A script injection vulnerability was discovered in the commenting system.
  This affected the diff viewer and screenshot pages, and allowed a
  commenter to break the page and execute JavaScript
* Mon Aug 22 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.6-1
- New upstream release 1.5.6
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.5.6/
- New Features:
- The PATH environment variable is now shown in the error when patch.exe
can't be found, in order to help figure out where it needs to go
- rb-site more clearly informs that an existing database with valid
permissions is needed for installation
- rb-site now lists recommendations for different services, and lists
options that aren’t officially supported
- Tabs in the diff viewer are now marked up, allowing custom stylesheets to
display them differently. By default, they don’t look any different
- Added Fedora Hosted to the hosting provider options
- Editing a field and then canceling it on a review request now prompts for
confirmation before discarding the new text
- Control-S now saves the current text in review request fields
- We now support storing lots of text in the Description and Testing Done
fields on MySQL
- Performance Improvements:
- Review Board now requires Pygments 1.4 or higher. Older installations
running older versions of Pygments should get a performance increase when
rendering diffs
- Bug Fixes:
- Using Review Board with wsgi without mod_python installed on the system no
longer prevents Review Board from breaking
- Screenshot draft captions are now always displayed correctly. Previously,
only the main caption would display, making them appear blank on new
uploads
- Changing screenshot draft captions now invalidates the cache, allowing
them to be seen when reloading the page
- When sending an e-mail, we no longer crash if the sender has no e-mail
address
- Caching really long files or diffs now works more consistently.
Previously, it was possible for the data to not be stored correctly
- Fixed a date range calculation sometimes causing the log viewer to fail on
the first of the month
- Failing to load the Review Board News feed in the administration UI due to
a proxy will no longer cause an HTTP 500 error to display
- Invalid bug tracker URLs (those containing more than one %s, for example)
in the administration UI no longer breaks review requests
- The Mercurial support no longer overrides the SSH client configuration if
one is already provided
- The recaptcha_client dependency has been renamed to recaptcha-client. Both
technically work, but the former is more correct and makes packaging
easier
- Fixed a few occasional errors that could show up on the dashboard under
certain conditions
* Fri Jun 17 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.5-2
- Resolves: rhbz#598463 - rb-site suggests that I use an unsafe temporary
  directory
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #754130 - CVE-2011-4312 ReviewBoard: XSS in the commenting system
      (diff viewer and screenshot pages) [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=754130
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce