OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org                  Name:   Michael Schloh
Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
Module: openpkg-web                      Date:   17-Dec-2003 12:16:04
Branch: HEAD                             Handle: 2003121711160400
Modified files:
openpkg-web/security OpenPKG-SA-2003.052-cvs.txt
Log:
add CAN number CAN-2003-0977
Summary:
Revision    Changes     Path
1.2         +17 -14     openpkg-web/security/OpenPKG-SA-2003.052-cvs.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.052-cvs.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.052-cvs.txt
--- openpkg-web/security/OpenPKG-SA-2003.052-cvs.txt 12 Dec 2003 16:37:47 -0000
1.1
+++ openpkg-web/security/OpenPKG-SA-2003.052-cvs.txt 17 Dec 2003 11:16:04 -0000
1.2
@@ -3,7 +3,7 @@
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2003.052 12-Dec-2003
+OpenPKG-SA-2003.052 17-Dec-2003
________________________________________________________________________
Package: cvs
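Review bot: The header date is overwritten rather than amended: "OpenPKG-SA-2003.052 12-Dec-2003" becomes "17-Dec-2003", so the advisory no longer records when it was first issued. Since the log message says this revision only adds the CAN number, consider keeping 12-Dec-2003 as the issue date and recording 17-Dec-2003 on a separate revision or "updated" line, so a reader holding the earlier copy can tell the two versions apart.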
@@ -23,19 +23,21 @@
files at the root of the filesystem holding the CVS repository. Even
though filesystem permissions usually prevent the creation of these
misplaced directories, the corrected OpenPKG packages include a CVS
- server which rejects such malformed requests.
+ server which rejects such malformed requests. The Common Vulnerabilities
+ and Exposures (CVE) project assigned the id CAN-2003-0977 [2] to the
+ problem.
Please check whether you are affected by running "<prefix>/bin/rpm -q
cvs". If the "cvs" package is indeed installed and its version is
affected (see above), please upgrade it immediately according to
- OpenPKG recommendations (see Solution). [2][3]
+ OpenPKG recommendations (see Solution). [3][4]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
- location, verify its integrity [8], build a corresponding binary RPM
- from it [2] and update your OpenPKG installation by applying the binary
- RPM [3]. For the current release OpenPKG 1.3, perform the following
+ [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
+ location, verify its integrity [9], build a corresponding binary RPM
+ from it [3] and update your OpenPKG installation by applying the binary
+ RPM [4]. For the current release OpenPKG 1.3, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).
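Review bot: Inserting the CVE citation as [2] forces every later citation in this hunk to be renumbered ([2][3] to [3][4], [4][5] to [5][6], [6][7] to [7][8], [8] to [9]), which is most of the churn in a change whose purpose is one added sentence. The renumbering in the visible lines is consistent with the new References list, but appending the CVE link as the last reference would have kept the existing numbers stable for anyone who quoted revision 1.1. If the renumbering stays, also check the unchanged lines between this hunk and the References hunk for citations that still carry the old numbers.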
@@ -53,13 +55,14 @@
References:
[0] http://ccvs.cvshome.org/servlets/NewsItemView?newsID=85
[1] http://www.cvshome.org/
- [2] http://www.openpkg.org/tutorial.html#regular-source
- [3] http://www.openpkg.org/tutorial.html#regular-binary
- [4] ftp://ftp.openpkg.org/release/1.2/UPD/cvs-1.11.5-1.2.3.src.rpm
- [5] ftp://ftp.openpkg.org/release/1.3/UPD/cvs-1.12.1-1.3.1.src.rpm
- [6] ftp://ftp.openpkg.org/release/1.2/UPD/
- [7] ftp://ftp.openpkg.org/release/1.3/UPD/
- [8] http://www.openpkg.org/security.html#signature
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
+ [3] http://www.openpkg.org/tutorial.html#regular-source
+ [4] http://www.openpkg.org/tutorial.html#regular-binary
+ [5] ftp://ftp.openpkg.org/release/1.2/UPD/cvs-1.11.5-1.2.3.src.rpm
+ [6] ftp://ftp.openpkg.org/release/1.3/UPD/cvs-1.12.1-1.3.1.src.rpm
+ [7] ftp://ftp.openpkg.org/release/1.2/UPD/
+ [8] ftp://ftp.openpkg.org/release/1.3/UPD/
+ [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
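Review bot: The trailing context line says the advisory "was digitally signed", yet the three hunks shown account for the full +17 -14 of this revision, so nothing below the References list changes. If the file carries its signature inline, that signature was made over the 1.1 text and will no longer verify against the edited date, description and reference list; re-sign the revised text and commit the new signature in the same change, otherwise readers following the integrity reference now numbered [9] have no valid signature to check this revision against.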
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]