Re: gitweb security hole (CVE-2010-3906) - Mailing list pgsql-www

From Magnus Hagander
Subject Re: gitweb security hole (CVE-2010-3906)
Date
Msg-id AANLkTikstDX-cL17KzG9KM5KffeRf6hCibAmmNY+U9vY@mail.gmail.com
In response to gitweb security hole (CVE-2010-3906)  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: gitweb security hole (CVE-2010-3906)
List pgsql-www
On Mon, Jan 3, 2011 at 21:07, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Just read this on the Fedora update feed:
>
>> Update to 1.7.3.4 release which fixes various issues, notably:
>>
>> * cross-site scripting (XSS) flaw was found in the web interface of Git distributed revision control system. A
>> remote attacker could use this flaw to execute arbitrary HTML or scripting code by providing a certain URL with
>> specially-crafted values of f and fp variables. (CVE-2010-3906)
>
> Not sure if that impacts the PG gitweb server, but seems like it merits
> prompt investigation.

Probably does, will investigate and upgrade.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

