ELA-768-1 viewvc security update

XSS vulnerability

Version1.1.26-1+deb9u1 (stretch)
Related CVEs CVE-2023-22456 CVE-2023-22464

It was discovered that there were two issues in viewvc, a web-based interface for browsing Subversion and CVS repositories. The attack vectors involved files with unsafe names; names that, when embedded into an HTML stream, could cause the browser to run unwanted code.

For Debian 9 stretch, these problems have been fixed in version 1.1.26-1+deb9u1.

We recommend that you upgrade your viewvc packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.