CVS Review needed
Jim Popovitch
jimpop at yahoo.com
Tue Jun 1 19:29:51 UTC 2004
Well, for starters, CAN-2004-0414/0416/0417/0418 haven't been published
yet. CAN-2004-0396 is the most serious as it allows remote users to
attack cvs servers. CAN-2004-0180 is the reverse, it allows a malicious
server to attack a user.
RedHat's response to CAN-2004-0396
http://rhn.redhat.com/errata/RHSA-2004-190.html
RedHat's response to CAN-2004-0180 (which also mentions CAN-2004-0405)
http://rhn.redhat.com/errata/RHSA-2004-154.html
CAN-2004-0405 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405)
is probably just as bad as CAN-2004-0396 and therefore both fixes need to
be implemented in legacy.
So, according to Comment #19 (Daniel Drown) 2004-05-21, for bug 1620,
cvs-1.11.1p1-9.7.legacy.src.rpm includes fixes for both CAN-2004-0396
and CVE-2004-0180 (although Daniel's comments should be CAN-2004-0180
not CVE-2004-0180). Presumably this was carried forward into the
cvs-1.11.1p1-14.legacy.3.i386.rpm that exists in testing. ;)
hth,
-Jim P.
On Tue, 2004-06-01 at 14:47, Jesse Keating wrote:
> There is a sudden influx of CVS issues, and I'm not sure what all CVEs
> our packages address. Can some of you check
> https://bugzilla.fedora.us/show_bug.cgi?id=1620 for the following CVE
> coverage:
>
> CAN-2004-0180 CAN-2004-0396 CAN-2004-0414 CAN-2004-0416 CAN-2004-0417
> CAN-2004-0418
>
> Thanks.