CVS security update [ was Re: Please follow the KISS principle ]
seth vidal
skvidal at phy.duke.edu
Wed Dec 31 03:58:46 UTC 2003
On Tue, 2003-12-30 at 21:31, Jason wrote:
> The main changes concerning that seem to be in src/server.c in the
> switch_to_user function. I think you'd still be able to run the cvs
> daemon as root. In fact, I think it would still have to run as a
> privileged user in order to switch UIDs to the proper user upon login.
> However, when the cvs user tries to authenticate it would refuse to
> switch to the root user, and then syslog it.
>
> If someone is logging into their repository as root.. they've got issues
> anyway. But, I don't see a problem with having this patched in.
>
Yah, it looks like this is the patch that is needed:
http://ccvs.cvshome.org/source/browse/ccvs/src/server.c.diff?r1=1.284.2.9&r2=1.284.2.12&f=u
Need to take a look to see how far off that is from 1.11.1p1+patches
that is in 7.x.
-sv
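
The behaviour described in the quoted text (a daemon that starts as root, refuses to switch to a uid-0 account, and syslogs the attempt), as an added example that is not part of the original thread and is not the CVS patch itself. The names `target_allowed` and `drop_to_user` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical policy check: 0 if the daemon may switch to this account,
 * -1 if it must refuse. The test is on uid 0, not the name "root",
 * because other account names can share uid 0. */
int target_allowed(const struct passwd *pw)
{
    if (pw == NULL)
        return -1;
    if (pw->pw_uid == 0) {
        syslog(LOG_AUTHPRIV | LOG_NOTICE,
               "refusing login as uid 0 account '%s'", pw->pw_name);
        return -1;
    }
    return 0;
}

/* Hypothetical privilege drop for a daemon started as root. Order matters:
 * supplementary groups, then gid, then uid. Once setuid() has run, the
 * process no longer has the privilege to change its groups. */
int drop_to_user(const char *username)
{
    struct passwd *pw = getpwnam(username);

    if (target_allowed(pw) != 0)
        return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
        syslog(LOG_AUTHPRIV | LOG_ERR, "cannot switch to '%s'", pw->pw_name);
        return -1;
    }
    if (setuid(0) == 0) { /* regaining uid 0 must fail after the drop */
        syslog(LOG_AUTHPRIV | LOG_CRIT, "privilege drop did not stick");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    openlog("switchdemo", LOG_PID, LOG_AUTHPRIV);
    return drop_to_user(argc > 1 ? argv[1] : "root") == 0 ? 0 : 1;
}
```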