Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Heiko Schlittermann
Data:  
Para: exim-users
Asunto: Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
Hi,

Russell King <rmk+exim@???> (Di 11 Jun 2019 15:33:47 CEST):
> Hi,
>
> While looking for the fix on the web version of git.exim.org, I find that
> although I can get a listing based on the branch, I'm unable to get commit
> or commitdiffs.
>
> For example, the page at:
>
> https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91+fixes
>
> gives links such as:
>
> <td class="link"><a href="/exim.git/shortlog/refs/heads/exim-4_91 fixes/exim.git/commit/d740d2111f189760593a303124ff6b9b1f83453d">commit</a> | <a href="/exim.git/shortlog/refs/heads/exim-4_91 fixes/exim.git/commitdiff/d740d2111f189760593a303124ff6b9b1f83453d">commitdiff</a>


The behaviour you describe seems to depend on the browser. FF is
reported to work, while Chromium doesn't. Probably this varies with the
versions.

If in the above URL you substitute + by %2B, it works. I'm not sure if
this is gitweb's fault. But gitweb could easily avoid this issue by not
using unescaped plus signs.

https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91%2Bfixes

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -