viewvc security update
cvsdb.py in viewvc did not honor an admin defined row limit
which could cause high load on the database server. viewvc
was updated to version 1.1.11 which fixes the issue
(CVE-2009-5024).
-
Submitted by
Adrian Schröter (adrianSuSE)
- Version 4599
Fixed bugs
bnc#694785
VUL-0: viewvc: cvsdb does not honor row_limit DoS
CVE#CVE-2009-5024
ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
