Fedora Legacy Test Update Notification: cvs

Jason Edgecombe jedgecombe at carolina.rr.com
Sun Jan 25 03:42:23 UTC 2004


Should these notifications be sent to security lists such as bugtraq?

Jason Edgecombe

Jesse Keating wrote:

>---------------------------------------------------------------------
>Fedora Legacy Test Update Notification
>FEDORA-2004-1207
>2004-01-24
>---------------------------------------------------------------------
> 
>Name        : cvs
>Version 7.2 : 1.11.1p1-9.7.legacy
>Version 7.3 : 1.11.1p1-9.7.legacy
>Version 7.2 : 1.11.2-9.legacy
>Summary     : A version control system.
>Description :
>CVS (Concurrent Version System) is a version control system that can
>record the history of your files (usually, but not always, source
>code). CVS only stores the differences between versions, instead of
>every version of every file you have ever created. CVS also keeps a log
>of who, when, and why changes occurred.
> 
>CVS is very helpful for managing releases and controlling the
>concurrent editing of source files among multiple authors. Instead of
>providing version control for a collection of files in a single
>directory, CVS provides version control for a hierarchical collection
>of directories consisting of revision controlled files. These
>directories and files can then be combined together to form a software
>release.
> 
>---------------------------------------------------------------------
>Update Information:
> 
>CAN-2003-0977:
>CVS server before 1.11.10 may allow attackers to cause the CVS server to 
>create directories and files in the file system root directory via 
>malformed module requests.
> 
>2003-12-18: Stable CVS Version 1.11.11 Released! (security update)
> 
>Contributed by: Derek Price
> 
>Stable CVS 1.11.11 has been released. Stable releases contain only bug 
>fixes from previous versions of CVS. This release adds code to the CVS 
>server to prevent it from continuing as root after a user login, as an 
>extra failsafe against a compromise of the CVSROOT/passwd file. 
>Previously, any user with the ability to write the CVSROOT/passwd file 
>could execute arbitrary code as the root user on systems with CVS pserver 
>access enabled. We recommend this upgrade for all CVS servers!
>
>---------------------------------------------------------------------
>Changelog:
>
>* Mon Jan 12 2004 Jason Rohwedder <rohwedde at codegrinder.com> 1.11.1p1-9.7.legacy
> 
>- applied cvs-1.11.9-absolute-modules.patch
>- to make Seth's previous changelog true :)
>- He actually patched
>- http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88
> 
>* Mon Jan 12 2004 Seth Vidal <skvidal at phy.duke.edu>
> 
>- apply security patch for CAN-2003-0977
> 
>* Tue Dec 30 2003 Seth Vidal <skvidal at phy.duke.edu> 1.11.1p1-8.7.duke.1
> 
>- apply security patch for:
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
>- second patch to make the above build
> 
>---------------------------------------------------------------------
>This update can be downloaded from:
>  http://download.fedoralegacy.org/redhat/
> 
>Please note that this update is also available via yum and apt.  Many
>people find this an easier way to apply updates.  To use yum issue:
>
>yum update
>
>or to use apt:
>
>apt-get update; apt-get upgrade
>
>This will start an interactive process that will result in the appropriate
>RPMs being upgraded on your system.  This assumes that you have yum or
>apt-get configured for obtaining Fedora Legacy content.  Please visit
>http://www.fedoralegacy.org/download for directions on how to configure
>yum and apt-get.
>---------------------------------------------------------------------
>
>Please test and comment.
>
>-- 
>Jesse Keating RHCE	(http://geek.j2solutions.net)
>Fedora Legacy Team	(http://www.fedoralegacy.org)
>Mondo DevTeam		(www.mondorescue.org)
>GPG Public Key		(http://geek.j2solutions.net/jkeating.j2solutions.pub)
>
>Was I helpful?  Let others know:
> http://svcs.affero.net/rm.php?r=jkeating
>
>
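The 1.11.11 release note above says the server now refuses to keep running as root once a user has logged in, as a failsafe against a tampered CVSROOT/passwd. The routine below is an added illustration of that kind of failsafe, not CVS project code: it drops root to the account the login resolved to, verifies the switch took effect, and verifies it cannot be reversed, so a caller that gets -1 can abort the session instead of serving it as root.

```c
/* Added illustration (not CVS project code): permanently drop root
 * after user authentication and verify the drop actually happened.
 * A server like pserver would call this with the uid/gid of the
 * system account its CVSROOT/passwd entry maps the login to, and
 * abort the connection if it returns -1. */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the process now runs irreversibly as target_uid/
 * target_gid, -1 otherwise. Order matters: supplementary groups and
 * the gid must be dropped while still root, since after setuid() the
 * process is no longer allowed to change them. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; inherited groups
         * would otherwise survive the uid switch. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;

    /* Verify real and effective ids both changed; a saved-set-uid of
     * 0 left behind would let the process climb back to root. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid)
        return -1;

    /* Verify the drop is irreversible: regaining uid 0 must fail.
     * (Skipped when uid 0 itself was requested.) */
    if (target_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Stand-alone demo: "drop" to our own ids, which always succeeds. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges -> %d (uid=%u euid=%u)\n", rc,
           (unsigned)getuid(), (unsigned)geteuid());
    return rc == 0 ? 0 : 1;
}
```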