Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Russell King
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On Tue, Jun 11, 2019 at 03:42:09PM +0200, Heiko Schlittermann via Exim-users wrote:
> Hi,
>
> Russell King <rmk+exim@???> (Di 11 Jun 2019 15:33:47 CEST):
> > Hi,
> >
> > While looking for the fix on the web version of git.exim.org, I find that
> > although I can get a listing based on the branch, I'm unable to get commit
> > or commitdiffs.
> >
> > For example, the page at:
> >
> > https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91+fixes
> >
> > gives links such as:
> >
> > <td class="link"><a href="/exim.git/shortlog/refs/heads/exim-4_91 fixes/exim.git/commit/d740d2111f189760593a303124ff6b9b1f83453d">commit</a> | <a href="/exim.git/shortlog/refs/heads/exim-4_91 fixes/exim.git/commitdiff/d740d2111f189760593a303124ff6b9b1f83453d">commitdiff</a>
>
> The behaviour you describe seems to depend on the browser. FF is
> reported to work, while Chromium doesn't. Probably this varies with the
> versions.


I think you've misunderstood my email. Please look carefully at those
links I've quoted...

> If in the above URL you substitute + by %2B, it works. I'm not sure if
> this is gitweb's fault. But gitweb could easily avoid this issue by not
> using unescaped plus signs.


As I stated in my original post, I've tried subsituting the " " with
both + and %2b. I was using Firefox, I've also used elinks as well.
Nothing works to get a commitdiff.

>    https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91%2Bfixes


That URL is not a problem - getting the shortlog is not a problem.
Following any of the links from the shortlog _is_ a problem as my
original post stated.

--
Russell King