Have the security issues identified in
http://www.mail-archive.com/bug-cvs%40gnu.org/msg00384.html
been resolved yet?
They were: "CVS/Checkin.prog and CVS/Update.prog can be
replaced with an arbitrary binary, which will be blindly
executed on the server"
and "the client trusts paths sent from the server too much,
so a malicious server can overwrite arbitrary files on client".
I just checked the latest dev sources via anonymous CVS,
and the quick and dirty fix suggested by that post for the first issue
hasn't been applied. Has a more subtle fix been applied, or
is this still outstanding?
- Dan
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
