65 lines
2.3 KiB
XML
65 lines
2.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
|
|
<glsa id="200312-04">
|
|
<title>CVS: malformed module request vulnerability</title>
|
|
<synopsis>
|
|
A bug in cvs could allow attempts to create files and directories outside a
|
|
repository.
|
|
</synopsis>
|
|
<product type="ebuild">CVS</product>
|
|
<announced>2003-12-08</announced>
|
|
<revised count="01">2003-12-08</revised>
|
|
<bug>35371</bug>
|
|
<access>unknown</access>
|
|
<affected>
|
|
<package name="dev-util/cvs" auto="yes" arch="*">
|
|
<unaffected range="ge">1.11.10</unaffected>
|
|
<vulnerable range="le">1.11.9</vulnerable>
|
|
</package>
|
|
</affected>
|
|
<background>
|
|
<p>
|
|
CVS, which stands for Concurrent Versions System, is a client/server
|
|
application which tracks changes to sets of files. It allows multiple users
|
|
to work concurrently on files, and then merge their changes back into the
|
|
main tree (which can be on a remote system). It also allows branching, or
|
|
maintaining separate versions for files.
|
|
</p>
|
|
</background>
|
|
<description>
|
|
<p>
|
|
Quote from ccvs.cvshome.org/servlets/NewsItemView?newsID=84:
|
|
"Stable CVS 1.11.10 has been released. Stable releases contain only bug
|
|
fixes from previous versions of CVS. This release fixes a security issue
|
|
with no known exploits that could cause previous versions of CVS to attempt
|
|
to create files and directories in the filesystem root. This release also
|
|
fixes several issues relevant to case insensitive filesystems and some other
|
|
bugs. We recommend this upgrade for all CVS clients and servers!"
|
|
</p>
|
|
</description>
|
|
<impact type="minimal">
|
|
<p>
|
|
Attempts to create files and directories outside the repository may be
|
|
possible.
|
|
</p>
|
|
</impact>
|
|
<workaround>
|
|
<p>
|
|
There is no known workaround at this time.
|
|
</p>
|
|
</workaround>
|
|
<resolution>
|
|
<p>
|
|
All Gentoo Linux machines with cvs installed should be updated to use
|
|
dev-util/cvs-1.11.10 or higher:
|
|
</p>
|
|
<code>
|
|
# emerge sync
|
|
# emerge -pv '>=dev-util/cvs-1.11.10'
|
|
# emerge '>=dev-util/cvs-1.11.10'
|
|
# emerge clean</code>
|
|
</resolution>
|
|
<references>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977">CAN-2003-0977</uri>
|
|
</references>
|
|
</glsa>
|