************************************************************************************
Netwosix Linux Security Advisory #2004-0011 <http://www.netwosix.org>
------------------------------------------------------------------------------------

Package name:       cvs
Summary:            client and server vulnerabilities
Date:               2004-04-18
Affected versions:  Netwosix 1.0
                    Netwosix 1.1
************************************************************************************

-> Package description:
------------------------
CVS is the Concurrent Versions System, the dominant open-source 
network-transparent version control system.  CVS is useful for everyone from 
individual developers to large, distributed teams:

    * Its client-server access method lets developers access the latest code 
from anywhere there's an Internet connection.
    * Its unreserved check-out model to version control avoids artificial 
conflicts common with the exclusive check-out model.
    * Its client tools are available on most platforms.


-> Problem description:
------------------------

SERVER SECURITY ISSUES

* Piped checkouts of paths above $CVSROOT no longer work.  Previously, clients
  could have requested the contents of RCS archive files anywhere on a CVS
  server.

CLIENT SECURITY ISSUES

* Clients now check paths from the server to verify that they are within one
  of the sandboxes the user requested be updated.  Previously, a trojan server
  could have written or overwritten files anywhere the user had access,
  presenting a serious security risk.
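The two fixes above are the same containment test seen from each side: the server must keep requested archive paths under $CVSROOT, and the client must keep server-supplied pathnames under a sandbox it asked to update. The Python below is an added illustration, not CVS or Netwosix code; the root directories and the request/pathname samples are constructed.

```python
import posixpath

def within_root(root, candidate):
    """True only if `candidate` resolves lexically inside `root`.

    Server side, root is $CVSROOT and candidate a requested RCS archive path;
    client side, root is a sandbox and candidate a pathname the server sent.
    Pure string logic: no filesystem access, so symlinks are not resolved.
    """
    root_n = posixpath.normpath(root)
    # A relative candidate is interpreted relative to the root, as a request
    # such as "module/file.c,v" would be; an absolute one must already be
    # under the root.
    if not posixpath.isabs(candidate):
        candidate = posixpath.join(root_n, candidate)
    cand_n = posixpath.normpath(candidate)   # collapses "." and ".." segments
    if cand_n == root_n:
        return True
    # Trailing slash stops the prefix trap ("/var/cvs2" is not in "/var/cvs").
    return cand_n.startswith(root_n.rstrip("/") + "/")

def filter_server_updates(sandboxes, pathnames):
    """Split pathnames a server sent into those inside some requested
    sandbox (safe to write) and those that must be rejected."""
    accepted, rejected = [], []
    for p in pathnames:
        if any(within_root(sb, p) for sb in sandboxes):
            accepted.append(p)
        else:
            rejected.append(p)
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample requests against a server whose $CVSROOT is /var/cvs.
    for req in ["project/foo.c,v", "../etc/passwd,v", "/var/cvs2/x,v"]:
        print("server: %-20s -> %s" % (req, within_root("/var/cvs", req)))
    # Constructed pathnames a (possibly trojan) server sends during an update
    # of the single sandbox /home/dev/project.
    ok, bad = filter_server_updates(
        ["/home/dev/project"],
        ["src/main.c", "../.bashrc", "/home/dev/.ssh/authorized_keys"])
    print("client accepted:", ok)
    print("client rejected:", bad)
```

The check is deliberately lexical, so a real client or server would still need to resolve symlinks before trusting the result.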

-> Action:
------------------------
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

-> Location:
---------------------

  You can download the latest version of this package in NEPOTE format from:
  <http://www.netwosix.org/0011/nepote>

-> Nepote Update:
---------------------

Follow these instructions to update the port of this package:

        # wget http://www.netwosix.org/0011/nepote
        # sh nepote (to install the new and updated package)

-> References
---------------------

        Specific references for this advisory:

  http://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.92&content-type=text/x-cvsweb-markup


-> About Linux Netwosix:
---------------------------------
Linux Netwosix is a powerful and optimized Linux distribution for servers
and Network Security related jobs.  It can also be used for special operations
such as penetration testing with its big collection of security oriented
software and sources. It's a light distribution created for the requirements
of every SysAdmin and it's very portable and highly configurable. Our
philosophy is to give greater liberty for configuration to the SysAdmin.
Only in this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD
systems but more flexible and usable.


-> Questions?
---------------------
  Check out our mailing lists:
  <http://www.netwosix.org/mailing.html>


  The advisory itself is available at
  <http://www.netwosix.org/adv11.html>
--------------------------------------------------

MD5sums of the packages:
----------------------------------------------------------------------------
ae866e2b76bb6322846679019209247d  0011/nepote
63873ed6ae942b298cf1db15c85ea22e  0011/cvs-1.11.15.tar.bz2
----------------------------------------------------------------------------
-- 
Vincenzo Ciaglia
Linux Netwosix Team - [ Keyid: 0x6BB3E24A]
Key fingerprint = 4B3E A25F 2A7A 0C19 1A97  616B EA3C FDA4 6BB3 E24A

