| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-www(at)postgresql(dot)org |
| Subject: | Re: gitweb security hole (CVE-2010-3906) |
| Date: | 2011-01-03 20:11:41 |
| Message-ID: | AANLkTikstDX-cL17KzG9KM5KffeRf6hCibAmmNY+U9vY@mail.gmail.com |
| Lists: | pgsql-www |

On Mon, Jan 3, 2011 at 21:07, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Just read this on the Fedora update feed:
>
>> Update to 1.7.3.4 release which fixes various issues, notably:
>>
>> * cross-site scripting (XSS) flaw was found in the web interface of Git distributed revision control system. A remote attacker could use this flaw to execute arbitrary HTML or scripting code by providing a certain URL with specially-crafted values of f and fp variables. (CVE-2010-3906)
>
> Not sure if that impacts the PG gitweb server, but seems like it merits
> prompt investigation.

Probably does, will investigate and upgrade.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/