CVS Review needed
Howard Owen
hbo at egbok.com
Tue Jun 1 22:37:07 UTC 2004
That's interesting. Red Hat hasn't seen fit to patch for CAN-2004-0405
yet. (The latest sources for RHEL3 don't contain the code produced by the
patch at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch). The
client.c code in the legacy srpm doesn't contain the fix, either.
(src/client.c, call_in_directory() function, starting at line 997)
On Tue, 1 Jun 2004, Jim Popovitch wrote:
>
> Well, for starters, CAN-2004-0414/0416/0417/0418 haven't been published
> yet. CAN-2004-0396 is the most serious as it allows remote users to
> attack cvs servers. CAN-2004-0180 is the reverse, it allows a malicious
> server to attack a user.
>
> RedHat's response to CAN-2004-0396
> http://rhn.redhat.com/errata/RHSA-2004-190.html
>
> RedHat's response to CAN-2004-0180 (which also mentions CAN-2004-0405)
> http://rhn.redhat.com/errata/RHSA-2004-154.html
>
> CAN-2004-0405(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405) is probably just as bad as CAN-2004-0396 and therefore both fixes need to be implemented in legacy.
>
> So, according to Comment #19 (Daniel Drown) 2004-05-21, for bug 1620,
> cvs-1.11.1p1-9.7.legacy.src.rpm includes fixes for both CAN-2004-0396
> and CVE-2004-0180 (although Daniels' comments should be CAN-2004-0180
> not CVE-2004-0180). Presumably this was carried forward into the
> cvs-1.11.1p1-14.legacy.3.i386.rpm that exists in testing. ;)
>
> hth,
>
> -Jim P.
>
>
> On Tue, 2004-06-01 at 14:47, Jesse Keating wrote:
> > There is a sudden influx of CVS issues, and I'm not sure what all CVEs
> > our packages address. Can some of you check
> > https://bugzilla.fedora.us/show_bug.cgi?id=1620 for the following CVE
> > coverage:
> >
> > CAN-2004-0180 CAN-2004-0396 CAN-2004-0414 CAN-2004-0416 CAN-2004-0417
> > CAN-2004-0418
> >
> > Thanks.
>
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
>
>
--
Howard Owen "Even if you are on the right
EGBOK Consultants track, you'll get run over if you
hbo at egbok.com +1-650-218-2216 just sit there." - Will Rogers
More information about the fedora-legacy-list
mailing list