Fedora Legacy Test Update Notification: cvs
Jason Edgecombe
jedgecombe at carolina.rr.com
Sun Jan 25 03:42:23 UTC 2004
Should these notifications be sent to security lists such as bugtraq?
Jason Edgecombe
Jesse Keating wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>- ---------------------------------------------------------------------
>Fedora Legacy Test Update Notification
>FEDORA-2004-1207
>2004-01-24
>- ---------------------------------------------------------------------
>
>Name : cvs
>Version 7.2 : 1.11.1p1-9.7.legacy
>Version 7.3 : 1.11.1p1-9.7.legacy
>Version 7.2 : 1.11.2-9.legacy
>Summary : A version control system.
>Description :
>CVS (Concurrent Version System) is a version control system that can
>record the history of your files (usually, but not always, source
>code). CVS only stores the differences between versions, instead of
>every version of every file you have ever created. CVS also keeps a log
>of who, when, and why changes occurred.
>
>CVS is very helpful for managing releases and controlling the
>concurrent editing of source files among multiple authors. Instead of
>providing version control for a collection of files in a single
>directory, CVS provides version control for a hierarchical collection
>of directories consisting of revision controlled files. These
>directories and files can then be combined together to form a software
>release.
>
>- ---------------------------------------------------------------------
>Update Information:
>
>CAN-2003-0977:
>CVS server before 1.11.10 may allow attackers to cause the CVS server to
>create directories and files in the file system root directory via
>malformed module requests.
>
>2003-12-18: Stable CVS Version 1.11.11 Released! (security update)
>
>Contributed by: Derek Price
>
>Stable CVS 1.11.11 has been released. Stable releases contain only bug
>fixes from previous versions of CVS. This release adds code to the CVS
>server to prevent it from continuing as root after a user login, as an
>extra failsafe against a compromise of the CVSROOT/passwd file.
>Previously, any user with the ability to write the CVSROOT/passwd file
>could execute arbitrary code as the root user on systems with CVS pserver
>access enabled. We recommend this upgrade for all CVS servers!
>
>- ---------------------------------------------------------------------
>Changelog:
>
>* Mon Jan 12 2004 Jason Rohwedder <rohwedde at codegrinder.com>
>1.11.1p1-9.7.legacy
>
>- - applied cvs-1.11.9-absolute-modules.patch
>- - to make Seth's previous changelog true :)
>- - He actually patched
>- - http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88
>
>* Mon Jan 12 2004 Seth Vidal <skvidal at phy.duke.edu>
>
>- - apply security patch for CAN-2003-0977
>
>* Tue Dec 30 2003 Seth Vidal <skvidal at phy.duke.edu> 1.11.1p1-8.7.duke.1
>
>- - apply security patch for:
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
>- - second patch to make the above build
>
>- ---------------------------------------------------------------------
>This update can be downloaded from:
> http://download.fedoralegacy.org/redhat/
>
>46da2ca673b3af8a08eab8b1d4322e0d6a9d08ad
>7.2/updates-testing/SRPMS/cvs-1.11.1p1-9.7.legacy.src.rpm
>469e08276fd61a06f816d4d7df68bc6c85a98560
>7.2/updates-testing/i386/cvs-1.11.1p1-9.7.legacy.i386.rpm
>
>46da2ca673b3af8a08eab8b1d4322e0d6a9d08ad
>7.3/updates-testing/SRPMS/cvs-1.11.1p1-9.7.legacy.src.rpm
>1dfba0ce740a20bd0977eede82f606ea2f907b00
>7.3/updates-testing/i386/cvs-1.11.1p1-9.7.legacy.i386.rpm
>
>31e98f14255c132d3f548a51096b0c444a45797a
>8.0/updates-testing/SRPMS/cvs-1.11.2-9.legacy.src.rpm
>e415df08fdfd35216c68651aa5214e7ecdb04268
>8.0/updates-testing/i386/cvs-1.11.2-9.legacy.i386.rpm
>
>Please note that this update is also available via yum and apt. Many
>people find this an easier way to apply updates. To use yum issue:
>
>yum update
>
>or to use apt:
>
>apt-get update; apt-get upgrade
>
>This will start an interactive process that will result in the appropriate
>RPMs being upgraded on your system. This assumes that you have yum or
>apt-get configured for obtaining Fedora Legacy content. Please visit
>http://www.fedoralegacy.org/download for directions on how to configure
>yum and apt-get.
>- ---------------------------------------------------------------------
>
>Please test and comment.
>
>- --
>Jesse Keating RHCE (http://geek.j2solutions.net)
>Fedora Legacy Team (http://www.fedoralegacy.org)
>Mondo DevTeam (www.mondorescue.org)
>GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)
>
>Was I helpful? Let others know:
> http://svcs.affero.net/rm.php?r=jkeating
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (GNU/Linux)
>
>iD8DBQFAEjkN4v2HLvE71NURAiFHAJ91TtcDliZTgLkVp5ZAQcVGJXU54gCfRgsQ
>CcxdIc3lZNe4NY7cA/68cYY=
>=m7BJ
>-----END PGP SIGNATURE-----
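One way to check downloaded packages against the SHA-1/path pairs listed in the quoted advisory, as an added example that is not part of the original message or of Fedora Legacy's tooling. The function name `verify_advisory` and a local directory that mirrors the download tree are assumptions; the listed checksums are only as trustworthy as the PGP signature on the advisory, so verify that signature first.

```shell
#!/bin/sh
# Added example: verify RPMs against "hash / path" line pairs in a saved advisory.
# Usage: verify_advisory ADVISORY_FILE LOCAL_MIRROR_DIR   (both names are assumptions)
# Prints OK / MISMATCH / MISSING / REJECTED per package; non-zero status on any failure.
verify_advisory() (
    advisory=$1; dir=$2; hash=""; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip mail quoting (">" prefixes) and trailing whitespace.
        line=$(printf '%s\n' "$line" | sed -e 's/^[> ]*//' -e 's/[[:space:]]*$//')
        # A line of exactly 40 lowercase hex digits is a SHA-1; its path follows.
        if printf '%s\n' "$line" | grep -Eq '^[0-9a-f]{40}$'; then
            hash=$line
            continue
        fi
        want=$hash; hash=""           # any other line ends the pending pair
        case $line in
            *.rpm) [ -n "$want" ] || continue ;;
            *) continue ;;
        esac
        # Never follow absolute or parent-relative paths taken from a mail body.
        case $line in
            /*|*..*) echo "REJECTED $line"; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$line" ]; then
            echo "MISSING $line"; rc=1
        elif [ "$(sha1sum "$dir/$line" | cut -d' ' -f1)" = "$want" ]; then
            echo "OK $line"
        else
            echo "MISMATCH $line"; rc=1
        fi
    done < "$advisory"
    exit "$rc"
)
```

Install only packages reported as `OK`; a `MISMATCH` means the file differs from what the advisory's author published.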