vuln needs investigation and need a new form

Jason rohwedde at codegrinder.com
Mon Jan 12 16:53:18 UTC 2004


On Mon, Jan 12, 2004 at 08:45:47AM -0800, Jesse Keating wrote:
> So, I just saw this morning that RH issued an update for CVS, and in the 
> information there was this line:
> 
> A flaw was found in versions of CVS prior to 1.11.10 where a malformed
> module request could cause the CVS server to attempt to create files or
> directories at the root level of the file system.  However, normal file
> system permissions would prevent the creation of these misplaced
> directories.  The Common Vulnerabilities and Exposures project
> (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue.
> 
> Since RHL 8/7.x presumably have a CVS version that is prior to 1.11.10,
> we need to investigate and possibly backport the fix.  Any volunteers?
> 

Seth posted a src.rpm to the list a week or so ago for cvs to fix a more
serious root exploit vuln.  I was in the process of verifying it to
submit to the bugzilla, so I can check this out as well and patch it in.

-j
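The flaw quoted above comes down to a client-supplied module name that the server turns into a path outside the repository. The check below is an added illustration of the defensive validation such a server needs; it is constructed for this thread, not CVS's code or the actual upstream fix, and the repository root and module names in the test are assumed sample values.

```python
import posixpath

# Illustrative check (not CVS's own code or patch): accept a module path only
# if it still resolves inside the repository root after normalisation.


def is_safe_module_path(repo_root: str, module: str) -> bool:
    """Return True only when `module` names something under repo_root.

    Rejects empty names, embedded NUL bytes, absolute paths and any '..'
    escape, i.e. the kinds of malformed requests that would otherwise make
    the server act on an arbitrary part of the file system.
    """
    if not module or "\0" in module:
        return False
    if module.startswith("/"):
        # An absolute module name is never legitimate in a repository request.
        return False
    normalised = posixpath.normpath(module)
    # normpath collapses "a/../.." to "..": any leading ".." leaves the root.
    if normalised == ".." or normalised.startswith("../"):
        return False
    root = posixpath.normpath(repo_root)
    full = posixpath.normpath(posixpath.join(root, normalised))
    return full == root or full.startswith(root + "/")


def resolve_module_path(repo_root: str, module: str):
    """Return the normalised on-disk path for a valid module, else None."""
    if not is_safe_module_path(repo_root, module):
        return None
    return posixpath.normpath(posixpath.join(repo_root, module))
```

Posixpath is used so the check behaves the same on any host; a real server would additionally resolve symlinks before comparing against the root.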