[CLA-2003:561] Conectiva Linux Security Announcement - cvs
Date: Thu, 23 Jan 2003 14:06:07 -0200
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net,
Subject: [CLA-2003:561] Conectiva Linux Security Announcement - cvs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : cvs
SUMMARY : Update: cvs remote double free() vulnerability
DATE : 2003-01-23 10:54:00
ID : CLA-2003:561
RELEVANT
RELEASES : 6.0, 7.0, 8
- -------------------------------------------------------------------------
DESCRIPTION
CVS is a version control system largely used in software projects.
During a code audit, Stefan Esser discovered a double free()
vulnerability[2][3] in the CVS code. This vulnerability can be
exploited by remote users, authenticated or anonymous, to execute
arbitrary commands on the server.
Please note that users with write access to CVS (the so called
"commiters") usually already have shell access on the server, or can
easily get shell access as has already been discussed elsewhere[4].
Besides fixing the double free vulnerability, the new packages
provided with this update now have the Checkin-prog and Update-prog
commands disabled.
UPDATE
The previous CVS update (CLSA-2003:560), while indeed fixing the
security vulnerability, introduced problems which prevented it from
being used due to the way the Checkin-prog and Update-prog commands
where disabled. This has now been fixed.
SOLUTION
It is recommended that all CVS administrators upgrade their packages
immediately.
REFERENCES
1. http://www.cvshome.org/
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
3. http://security.e-matters.de/advisories/012003.html
4. http://online.securityfocus.com/archive/1/72584
5. http://bugzilla.conectiva.com/show_bug.cgi?id=7507
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/cvs-1.10.8-5U60_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-1.10.8-5U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-doc-1.10.8-5U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/cvs-1.11-7U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-1.11-7U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-doc-1.11-7U70_3cl.i386.r
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cvs-1.11-9U80_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-1.11-9U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-doc-1.11-9U80_3cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE+MBLu42jd0JmAcZARApo8AKDKkKCiakoMGN50SmS26obBUn2/VgCg4vAB
g4r9oSn0j9g4KTo3q2LQH98=
=rn0z
-----END PGP SIGNATURE-----
